Sending RADIUS accounting data to Checkpoint Identity Awareness

  • Updated 1 year ago
Hi,

We are using Checkpoint's Identity Awareness feature to keep track of users to allow internet access. This basically maps IP addresses to AD accounts. One way to update this system is using RADIUS accounting, which is ideal for WiFi.

We have our ZoneDirector set up to send accounting packets to Checkpoint, and this works well, giving the user access to the internet seamlessly.

However, when a user roams to another AP, the Identity Awareness loses the association between IP and username. As neither has changed, this can only be because ZoneDirector has sent a packet to Checkpoint to say that the user has left that AP and not sent another to tell the user it has reassociated to the new AP.

Is there anything I can do to fix this behaviour?

Thanks for reading

Bruce

Bruce Richardson

Posted 1 year ago


Bruce Richardson

Update: packet captures show that the accounting packets are going out in this order:

User Connects to AP1: Start Packet 
User roams to AP2: Start Packet, Stop Packet. 

If you look at the Session IDs for the packets then you can see that the Stop relates to AP1, but Checkpoint is ignoring Session ID and breaking the connection on Stop. 

Michael Brado, Official Rep

This might take some help from CheckPoint, Bruce...

Bruce Richardson

Agreed, I'm asking the same questions of both parties and getting similar responses. I think that Ruckus are on higher ground as Checkpoint are ignoring the Session IDs, but introducing a fraction of a second delay on the Start packets does fix the issue.

At the moment I'm working round the issue by using FreeRADIUS to introduce a 0.5 sec delay on the start packets.
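
An added example, not part of the thread and not Check Point's or Ruckus's code: a small Python model of an IP-to-user table that replays the packet order from the captures, showing why a consumer that ignores Acct-Session-Id drops the mapping on roam and why holding back the Start avoids it. The user name, IP address and session IDs are constructed, and both replay functions are hypothetical.

```python
"""Model of an IP-to-user identity table fed by RADIUS accounting events."""

# Constructed sample events in the order seen in the packet captures described
# above: Start on AP1, then on roam a Start for AP2 followed by a Stop for AP1.
# Attribute names are from RFC 2865/2866; all values are made up.
ROAM_AS_CAPTURED = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "sess-ap1",
     "User-Name": "alice", "Framed-IP-Address": "10.0.0.50"},
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "sess-ap2",
     "User-Name": "alice", "Framed-IP-Address": "10.0.0.50"},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "sess-ap1",
     "User-Name": "alice", "Framed-IP-Address": "10.0.0.50"},
]

# Same roam with the AP2 Start held back until after the AP1 Stop, which is the
# effect of the delay workaround from the thread.
ROAM_START_DELAYED = [ROAM_AS_CAPTURED[0], ROAM_AS_CAPTURED[2], ROAM_AS_CAPTURED[1]]


def replay_ignoring_session_id(events):
    """Any Stop for an IP deletes the mapping, whichever session it closes."""
    table = {}  # ip -> user
    for ev in events:
        ip = ev["Framed-IP-Address"]
        if ev["Acct-Status-Type"] == "Start":
            table[ip] = ev["User-Name"]
        elif ev["Acct-Status-Type"] == "Stop":
            table.pop(ip, None)
    return table


def replay_tracking_session_id(events):
    """A Stop only deletes the mapping if it closes the session that owns it."""
    table = {}  # ip -> (user, session id of the latest Start)
    for ev in events:
        ip, sid = ev["Framed-IP-Address"], ev["Acct-Session-Id"]
        if ev["Acct-Status-Type"] == "Start":
            table[ip] = (ev["User-Name"], sid)
        elif ev["Acct-Status-Type"] == "Stop":
            if ip in table and table[ip][1] == sid:
                del table[ip]
    return {ip: user for ip, (user, _sid) in table.items()}


if __name__ == "__main__":
    print("captured order, ID ignored:", replay_ignoring_session_id(ROAM_AS_CAPTURED))
    print("captured order, ID tracked:", replay_tracking_session_id(ROAM_AS_CAPTURED))
    print("Start delayed, ID ignored: ", replay_ignoring_session_id(ROAM_START_DELAYED))
```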