We were seeing the issue especially with Cisco switches with DHCP Snooping &
Dynamic ARP Inspection.
When the client first authenticates, the switch sends an Accounting start, but
it does not yet have the Framed-IP Address. The switch later sends an Interim
Update that includes the Framed-IP-Address.
Our testing found ClearPass many times not handling the Interim Update
correctly. Sometimes the accounting Start was not handled correctly either.
When Aruba found the issue, they said it was not a trivial fix. They are
working to correct the issue, though.
Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Hector J Rios [mailto:hr...@lsu.edu]
Sent: Friday, July 22, 2016 9:36 AM
Subject: Re: ClearPass and IPv6
Thank you Bruce! That’s very disappointing to hear. Jerry did show me records
that show the IPv6 address, and I’ve been able to find some (very few) that
contain the IPv6 address, but it is very inconsistent. For IPv4, I have not
seen any issues. All of my records correctly map a user to a v4 address.
-H
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
(Network Services)
Sent: Friday, July 22, 2016 6:40 AM
To:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] ClearPass and IPv6
I do not know about IPv6, but IPv4 accounting has apparently been broken since
ClearPass 6.0. It is scheduled to be fixed in ClearPass 6.7.
Although ClearPass responds to all IPv4 accounting requests, the information
does not always get entered in the accounting database and is therefore lost.
Since we use accounting records to map usernames to ip addresses for bandwidth
management, that means our management system was very inaccurate.
If you want your Aruba account team to investigate further, have them look at
Issue # 33707 that has been committed to ClearPass 6.7 and support case 1812165.
Bruce Osborne
Wireless Engineer
IT Network Services - Wireless
(434) 592-4229
LIBERTY UNIVERSITY
Training Champions for Christ since 1971
From: Hector J Rios [mailto:hr...@lsu.edu]
Sent: Thursday, July 21, 2016 3:36 PM
Subject: ClearPass and IPv6
Since we are on the topic of ClearPass, I have a comment/question. We recently
deployed ClearPass on our wireless. We are a Cisco shop; 802.1X/PEAP/MSCHAPv2.
We are also dual stack, so all of our hosts get IPv4/IPv6 addresses. We noticed
that in the RADIUS accounting log, the IPv6 addresses do not show up. This came
to use as a surprise because with our previous RADIUS server (radiator) we did
not have this limitation.
The latest 6.6.1 patch just came out and in the release notes they mention that
they now have support for the Framed-IPv6-Address RADIUS attribute (IETF 168).
However, after upgrading, we are still not seeing IPv6 addresses.
Anyone out there running ClearPass and IPv6 experiencing a similar issue?
Regards,
Hector Rios
Louisiana State University
** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/groups/.
**
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.