RE: ClearPass and IPv6
We were seeing the issue especially with Cisco switches with DHCP Snooping & Dynamic ARP Inspection. When the client first authenticates, the switch sends an Accounting start, but it does not yet have the Framed-IP Address. The switch later sends an Interim Update that includes the Framed-IP-Address. Our testing found ClearPass many times not handling the Interim Update correctly. Sometimes the accounting Start was not handled correctly either. When Aruba found the issue, they said it was not a trivial fix. They are working to correct the issue, though. Bruce Osborne Wireless Engineer IT Network Services - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Hector J Rios [mailto:hr...@lsu.edu] Sent: Friday, July 22, 2016 9:36 AM Subject: Re: ClearPass and IPv6 Thank you Bruce! That’s very disappointing to hear. Jerry did show me records that show the IPv6 address, and I’ve been able to find some (very few) that contain the IPv6 address, but it is very inconsistent. For IPv4, I have not seen any issues. All of my records correctly map a user to a v4 address. -H From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services) Sent: Friday, July 22, 2016 6:40 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> Subject: Re: [WIRELESS-LAN] ClearPass and IPv6 I do not know about IPv6, but IPv4 accounting has apparently been broken since ClearPass 6.0. It is scheduled to be fixed in ClearPass 6.7. Although ClearPass responds to all IPv4 accounting requests, the information does not always get entered in the accounting database and is therefore lost. Since we use accounting records to map usernames to ip addresses for bandwidth management, that means our management system was very inaccurate. If you want your Aruba account team to investigate further, have them look at Issue # 33707 that has been committed to ClearPass 6.7 and support case 1812165. Bruce Osborne Wireless Engineer IT Network Services - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Hector J Rios [mailto:hr...@lsu.edu] Sent: Thursday, July 21, 2016 3:36 PM Subject: ClearPass and IPv6 Since we are on the topic of ClearPass, I have a comment/question. We recently deployed ClearPass on our wireless. We are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our hosts get IPv4/IPv6 addresses. We noticed that in the RADIUS accounting log, the IPv6 addresses do not show up. This came to use as a surprise because with our previous RADIUS server (radiator) we did not have this limitation. The latest 6.6.1 patch just came out and in the release notes they mention that they now have support for the Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we are still not seeing IPv6 addresses. Anyone out there running ClearPass and IPv6 experiencing a similar issue? Regards, Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: ClearPass and IPv6
Thank you Bruce! That’s very disappointing to hear. Jerry did show me records that show the IPv6 address, and I’ve been able to find some (very few) that contain the IPv6 address, but it is very inconsistent. For IPv4, I have not seen any issues. All of my records correctly map a user to a v4 address. -H From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W (Network Services) Sent: Friday, July 22, 2016 6:40 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ClearPass and IPv6 I do not know about IPv6, but IPv4 accounting has apparently been broken since ClearPass 6.0. It is scheduled to be fixed in ClearPass 6.7. Although ClearPass responds to all IPv4 accounting requests, the information does not always get entered in the accounting database and is therefore lost. Since we use accounting records to map usernames to ip addresses for bandwidth management, that means our management system was very inaccurate. If you want your Aruba account team to investigate further, have them look at Issue # 33707 that has been committed to ClearPass 6.7 and support case 1812165. Bruce Osborne Wireless Engineer IT Network Services - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Hector J Rios [mailto:hr...@lsu.edu] Sent: Thursday, July 21, 2016 3:36 PM Subject: ClearPass and IPv6 Since we are on the topic of ClearPass, I have a comment/question. We recently deployed ClearPass on our wireless. We are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our hosts get IPv4/IPv6 addresses. We noticed that in the RADIUS accounting log, the IPv6 addresses do not show up. This came to use as a surprise because with our previous RADIUS server (radiator) we did not have this limitation. The latest 6.6.1 patch just came out and in the release notes they mention that they now have support for the Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we are still not seeing IPv6 addresses. Anyone out there running ClearPass and IPv6 experiencing a similar issue? Regards, Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: ClearPass and IPv6
I do not know about IPv6, but IPv4 accounting has apparently been broken since ClearPass 6.0. It is scheduled to be fixed in ClearPass 6.7. Although ClearPass responds to all IPv4 accounting requests, the information does not always get entered in the accounting database and is therefore lost. Since we use accounting records to map usernames to ip addresses for bandwidth management, that means our management system was very inaccurate. If you want your Aruba account team to investigate further, have them look at Issue # 33707 that has been committed to ClearPass 6.7 and support case 1812165. Bruce Osborne Wireless Engineer IT Network Services - Wireless (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Hector J Rios [mailto:hr...@lsu.edu] Sent: Thursday, July 21, 2016 3:36 PM Subject: ClearPass and IPv6 Since we are on the topic of ClearPass, I have a comment/question. We recently deployed ClearPass on our wireless. We are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our hosts get IPv4/IPv6 addresses. We noticed that in the RADIUS accounting log, the IPv6 addresses do not show up. This came to use as a surprise because with our previous RADIUS server (radiator) we did not have this limitation. The latest 6.6.1 patch just came out and in the release notes they mention that they now have support for the Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we are still not seeing IPv6 addresses. Anyone out there running ClearPass and IPv6 experiencing a similar issue? Regards, Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] ClearPass and IPv6
Sorry about the email. It was a pocket email. Sent from my BlackBerry 10 smartphone on the Bell network. Original Message From: Coughlan, Jamie (NBCC Moncton) Sent: Thursday, July 21, 2016 6:41 PM To: Bucklaew, Jerry Cc: Brad Donovan; McCarthy, Brent (NBCC Miramichi) Subject: Re: [WIRELESS-LAN] ClearPass and IPv6 Oy Sent from my BlackBerry 10 smartphone on the Bell network. Original Message From: Bucklaew, Jerry Sent: Thursday, July 21, 2016 5:07 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Reply To: The EDUCAUSE Wireless Issues Constituent Group emo Subject: Re: [WIRELESS-LAN] ClearPass and IPv6 On 07/21/2016 04:00 PM, Hector J Rios wrote: > Jerry, > > We actually performed a packet capture to confirm that the accounting record > was making it to ClearPass and it is. It's disappointing to hear that it has > taken them this long to fix it. > > Ok, I have learned the hard way, that it all depends on where you look for it. Just because it is (maybe) being recorded in the internal DB does not mean it will show up on any report yet. Those might be future enhancements. Let me upgrade to 6.1 and I will see if I have the same issues. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] ClearPass and IPv6
Oy Sent from my BlackBerry 10 smartphone on the Bell network. Original Message From: Bucklaew, Jerry Sent: Thursday, July 21, 2016 5:07 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Reply To: The EDUCAUSE Wireless Issues Constituent Group emo Subject: Re: [WIRELESS-LAN] ClearPass and IPv6 On 07/21/2016 04:00 PM, Hector J Rios wrote: > Jerry, > > We actually performed a packet capture to confirm that the accounting record > was making it to ClearPass and it is. It's disappointing to hear that it has > taken them this long to fix it. > > Ok, I have learned the hard way, that it all depends on where you look for it. Just because it is (maybe) being recorded in the internal DB does not mean it will show up on any report yet. Those might be future enhancements. Let me upgrade to 6.1 and I will see if I have the same issues. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] ClearPass and IPv6
On 07/21/2016 04:00 PM, Hector J Rios wrote: > Jerry, > > We actually performed a packet capture to confirm that the accounting record > was making it to ClearPass and it is. It's disappointing to hear that it has > taken them this long to fix it. > > Ok, I have learned the hard way, that it all depends on where you look for it. Just because it is (maybe) being recorded in the internal DB does not mean it will show up on any report yet. Those might be future enhancements. Let me upgrade to 6.1 and I will see if I have the same issues. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] ClearPass and IPv6
Jerry, We actually performed a packet capture to confirm that the accounting record was making it to ClearPass and it is. It's disappointing to hear that it has taken them this long to fix it. Thank you for your response. -H -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bucklaew, Jerry Sent: Thursday, July 21, 2016 2:48 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] ClearPass and IPv6 Yeah, We have been pushing them to get it straightened out for almost a year now. Last I left it there were two pieces. clearpass needs to support ipv6 accounting records, due out in 6.1 The aruba controllers need to send ipv6 accounting records, due out in 6.5 I think Where are you looking for the accounting records in clearpass, monitoring --> accounting Are you sure your cisco's are sending it, you have to configure it via cli last I remember. My cisco was on Steelbelted radius and was definetly sending the records so I can upgrade my clearpass to 6.1 and see what I see if you want? On 07/21/2016 03:36 PM, Hector J Rios wrote: > Since we are on the topic of ClearPass, I have a comment/question. We > recently deployed ClearPass on our wireless. We > are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our > hosts get IPv4/IPv6 addresses. We noticed > that in the RADIUS accounting log, the IPv6 addresses do not show up. This > came to use as a surprise because with our > previous RADIUS server (radiator) we did not have this limitation. > > The latest 6.6.1 patch just came out and in the release notes they mention > that they now have support for the > Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we > are still not seeing IPv6 addresses. > > Anyone out there running ClearPass and IPv6 experiencing a similar issue? > > Regards, > > Hector Rios > > Louisiana State University > > ** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found > at http://www.educause.edu/groups/. > ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] ClearPass and IPv6
Yeah, We have been pushing them to get it straightened out for almost a year now. Last I left it there were two pieces. clearpass needs to support ipv6 accounting records, due out in 6.1 The aruba controllers need to send ipv6 accounting records, due out in 6.5 I think Where are you looking for the accounting records in clearpass, monitoring --> accounting Are you sure your cisco's are sending it, you have to configure it via cli last I remember. My cisco was on Steelbelted radius and was definetly sending the records so I can upgrade my clearpass to 6.1 and see what I see if you want? On 07/21/2016 03:36 PM, Hector J Rios wrote: > Since we are on the topic of ClearPass, I have a comment/question. We > recently deployed ClearPass on our wireless. We > are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our > hosts get IPv4/IPv6 addresses. We noticed > that in the RADIUS accounting log, the IPv6 addresses do not show up. This > came to use as a surprise because with our > previous RADIUS server (radiator) we did not have this limitation. > > The latest 6.6.1 patch just came out and in the release notes they mention > that they now have support for the > Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we > are still not seeing IPv6 addresses. > > Anyone out there running ClearPass and IPv6 experiencing a similar issue? > > Regards, > > Hector Rios > > Louisiana State University > > ** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found > at http://www.educause.edu/groups/. > ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
ClearPass and IPv6
Since we are on the topic of ClearPass, I have a comment/question. We recently deployed ClearPass on our wireless. We are a Cisco shop; 802.1X/PEAP/MSCHAPv2. We are also dual stack, so all of our hosts get IPv4/IPv6 addresses. We noticed that in the RADIUS accounting log, the IPv6 addresses do not show up. This came to use as a surprise because with our previous RADIUS server (radiator) we did not have this limitation. The latest 6.6.1 patch just came out and in the release notes they mention that they now have support for the Framed-IPv6-Address RADIUS attribute (IETF 168). However, after upgrading, we are still not seeing IPv6 addresses. Anyone out there running ClearPass and IPv6 experiencing a similar issue? Regards, Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.