sending Radius accounting data to Checkpoint Identity Awareness
06-15-2016 07:49 AM
Hi,
we are using Checkpoint's Identity Awareness feature to keep track of users to allow internet access. This basically maps IP addresses to AD accounts. One way to update this system is using Radius accounting which is ideal for WiFi.
We have our Zonedirector set up to send accounting packets to Checkpoint and this works well giving the user access to the internet seamlessly.
However .... when a user roams to another AP the Identity Awareness loses the association between IP and username. As neither has changed this can only be because Zonedirector has sent a packet to Checkpoint to say that the user has left that AP and not sent another to tell the user it has reassociated to the new AP.
Is there anything I can do to fix this behaviour?
Thanks for reading
Bruce
3 REPLIES 3
06-20-2016 04:09 AM
Update: packet captures show that the accounting packets are going out in this order
User Connects to AP1: Start Packet
User roams to AP2: Start Packet, Stop Packet.
If you look at the Session IDs for the packets then you can see that the Stop relates to AP1, but Checkpoint is ignoring Session ID and breaking the connection on Stop.
06-21-2016 04:33 PM
This might take some help from CheckPoint, Bruce...
06-22-2016 12:57 AM
Agreed, I'm asking the same questions of both parties and getting similar responses. I think that Ruckus are on higher ground as Checkpoint are ignoring the Session IDs, but introducing a fraction of a second delay on the Start packets does fix the issue.
At the moment I'm working round the issue by using FreeRADIUS to introduce a 0.5 sec delay on the start packets.
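
Added example, not part of the thread and not Check Point, Ruckus or FreeRADIUS code: a sketch that replays the roam sequence from the packet capture described above through two IP-to-user tables, one that drops the mapping on any Stop and one that honours Acct-Session-Id. The attribute names are the standard RADIUS accounting ones; the user, IP address, AP names and session IDs are constructed.

```python
# Illustration only: models the accounting order reported in the thread.
# All values below are constructed sample data.

def _ev(kind, session_id, nas):
    return {"Acct-Status-Type": kind, "Acct-Session-Id": session_id,
            "User-Name": "bruce", "Framed-IP-Address": "10.0.0.25",
            "NAS-Identifier": nas}

# Connect to AP1, then roam to AP2: the new Start arrives BEFORE the old Stop.
ROAM_EVENTS = [
    _ev("Start", "sess-ap1", "AP1"),
    _ev("Start", "sess-ap2", "AP2"),
    _ev("Stop", "sess-ap1", "AP1"),
]

def apply_naive(events):
    """Key on IP only: any Stop for the IP removes the identity mapping."""
    table = {}
    for ev in events:
        ip = ev["Framed-IP-Address"]
        if ev["Acct-Status-Type"] == "Start":
            table[ip] = ev["User-Name"]
        elif ev["Acct-Status-Type"] == "Stop":
            table.pop(ip, None)
    return table

def apply_session_aware(events):
    """Remember which session owns each IP; a Stop only ends its own session."""
    table = {}      # ip -> (user, session_id of the most recent Start)
    ignored = []    # session IDs of stale Stops, worth logging for review
    for ev in events:
        ip, sid = ev["Framed-IP-Address"], ev["Acct-Session-Id"]
        if ev["Acct-Status-Type"] == "Start":
            table[ip] = (ev["User-Name"], sid)
        elif ev["Acct-Status-Type"] == "Stop":
            owner = table.get(ip)
            if owner is not None and owner[1] == sid:
                del table[ip]          # genuine disconnect of the live session
            else:
                ignored.append(sid)    # Stop for a superseded session
    return {ip: user for ip, (user, _) in table.items()}, ignored

if __name__ == "__main__":
    print("naive:        ", apply_naive(ROAM_EVENTS))
    print("session-aware:", apply_session_aware(ROAM_EVENTS))
```

Reordering the same events so the Stop for AP1 precedes the Start for AP2, which is the effect of the 0.5 sec delay on Start packets, leaves the mapping intact even in the naive table.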

