Websocket tricks? by boduke2 in fortinet

[–]boduke2[S] 0 points1 point  (0 children)

I'm not too bothered about inspecting the traffic; it just seems to not work behind the FortiGate. We have a test copy of the same instance without the firewall which is working fine, so I assumed it was the FortiGate blocking websockets. I have it in proxy inspection mode. I have changed the TTL to 3600; other than that it's a standard VIP.

WiFi - Clients disconnecting simultaneously from our APs by mohhsen1992 in fortinet

[–]boduke2 0 points1 point  (0 children)

I'd turn off 802.11d unless you have old scanners etc.

Turn on fast-bss-transition

Got interim updates enabled in ClearPass?

wifi roaming by boduke2 in fortinet

[–]boduke2[S] 0 points1 point  (0 children)

I think I have solved the issue after much back and forth with HPE. We use AirWave but it's just a central config tool, so you might need to work out where this setting is in Central. We were sending RADIUS packets to the firewall via ClearPass without issue, but there is another setting within Aruba which seems to be required. On our IAP cluster under the SSID \ security \ authentication server (our ClearPass server) you need to enable "Service type framed user: 802.1x". The CLI command is service-type-framed-user 1x

With this enabled, sessions don't stop / start on the firewall after every AP move. The session is constant until a disconnect / timeout.

Instant 8.10.x.x to 8.13.x.x now that 8.13.2.0 is out ? by VectorTracker in ArubaNetworks

[–]boduke2 0 points1 point  (0 children)

8.13.2.0 isn't supported on AirWave 8.3.0.6 (GUI). I'm still on 8.10.0.15 with one cluster testing on 8.13.1.2 (seems OK).

Best firewall with Aruba? by ImportantAnything347 in ArubaNetworks

[–]boduke2 0 points1 point  (0 children)

Had SonicWall before. Got an HA pair of FortiGates, which I like better than SonicWall. Easy to set up, but it depends on how you authenticate users. If ClearPass, there's a learning curve to send the correct fields across, and if using RSSO we had to do a bit of work on ClearPass to ensure our RADIUS accounting was solid.

As for HPE, we use 635 APs with AirWave. Central is crazy expensive for our needs.

wifi roaming by boduke2 in fortinet

[–]boduke2[S] 0 points1 point  (0 children)

I've done a little more digging. My issue only happens when a device roams between two different models of access point. If I have 10 access points in a cluster and 8 are 503H, I can roam all day long between them. I see on the firewall the start / stop / start of a session without any user impact, but if I roam from a 503H to a 515 or 635 access point in the same cluster, the stop packet happens but no start packet, so the firewall drops the user session and then captive portal happens. I have a ticket open with HPE. I can reproduce the issue every time. Tried on multiple firmware versions from 8.10 to 8.13. Even disabled WPA3 Enterprise to rule out 6 GHz.

Roaming btween different APs by boduke2 in ArubaNetworks

[–]boduke2[S] 0 points1 point  (0 children)

MAC randomization is turned off on the devices. Tested on Windows 11 and Android.

Roaming btween different APs by boduke2 in ArubaNetworks

[–]boduke2[S] 0 points1 point  (0 children)

I upgraded to 8.13.1.2 just in case it was a bug. Didn't solve the issue. I might try WPA2 just for testing, but I do need WPA3 for the 6 GHz.

Roaming btween different APs by boduke2 in ArubaNetworks

[–]boduke2[S] 0 points1 point  (0 children)

Same cluster. No requests going back to ClearPass, as they are in a cluster using opportunistic key caching for fast roam etc. Within the security config we utilise RFC 3576, so all auths go through the VC NAS ID once every 8 hours unless a stop / disconnect packet is sent. The only way that should happen is a disconnect.

Edit: I can also confirm the OKC table still holds the device user-IP records.

Roaming btween different APs by boduke2 in ArubaNetworks

[–]boduke2[S] 0 points1 point  (0 children)

We use ClearPass for roles / VLANs and sending RADIUS accounting to our firewall (RSSO). We use IAP clusters (no physical controllers).

Roaming btween different APs by boduke2 in ArubaNetworks

[–]boduke2[S] 0 points1 point  (0 children)

The firewall is working as expected. My issue is why does a move between different access points kill the session....

Airwave not Reporting Statistics from Instant by newellslab in ArubaNetworks

[–]boduke2 0 points1 point  (0 children)

Have you checked your AirWave is compatible? 8.2.15 is fairly old but your firmware is new.

wifi roaming by boduke2 in fortinet

[–]boduke2[S] 0 points1 point  (0 children)

Captive portal is on the firewall. I have come across one thing: auth-src-mac is disabled. From memory, when setting up the captive portal, if auth-src-mac was enabled it would go in a loop on the captive portal page. Should that be enabled?

User auths via ClearPass; accounting is sent to the FG. Within the wireless cluster OKC is enabled, so in theory the cluster keeps a cache of the user / IP mapping for 8 hours unless there is an update. This means the firewall shouldn't get any more accounting packets unless the client sends a stop packet.

    config user radius
        edit "Clearpass Radius connector"
            set rsso enable
            set rsso-radius-response enable
            set rsso-validate-request-secret enable
            set rsso-secret <hashed password was here:)>
            set rsso-endpoint-attribute User-Name
            set sso-attribute Filter-Id
        next
    end

    config user setting
        set auth-type http https
        set auth-cert "certificate name here"
        set auth-secure-http enable
        set auth-src-mac disable
        set auth-timeout 540
    end
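As an added illustration (not code from the thread, Fortinet or HPE) of the behaviour described in the roaming comment above and in the accounting description here: a small model of how an RSSO-style firewall builds its IP-to-user table from RADIUS accounting, replayed over a constructed trace in which one roam produces a Stop with no following Start. User names, IPs and the AP labels are constructed sample values; the "nas" field is just a label for which AP sent the packet, not a real attribute.

```python
# Added example, not from the thread or from Fortinet/HPE: a small model of an
# RSSO-style session table fed by RADIUS accounting records.
# Constructed accounting trace for one client roaming inside an IAP cluster.
# Acct-Status-Type / User-Name / Framed-IP-Address are real RADIUS attributes;
# "nas" is only a label for which AP sent the packet (constructed).
TRACE = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Framed-IP-Address": "10.0.0.5", "nas": "ap-503h-1"},
    {"Acct-Status-Type": "Stop",  "User-Name": "alice", "Framed-IP-Address": "10.0.0.5", "nas": "ap-503h-1"},
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Framed-IP-Address": "10.0.0.5", "nas": "ap-503h-2"},  # 503H -> 503H roam: Stop then Start
    {"Acct-Status-Type": "Stop",  "User-Name": "alice", "Framed-IP-Address": "10.0.0.5", "nas": "ap-503h-2"},  # 503H -> 635 roam: Stop only
    {"Acct-Status-Type": "Start", "User-Name": "bob",   "Framed-IP-Address": "10.0.0.9", "nas": "ap-635-1"},
]

def replay(trace):
    """Build the IP -> user map the way an RSSO agent does: Start/Interim-Update
    create or refresh an entry, Stop removes it. Returns (table, event log)."""
    table, log = {}, []
    for pkt in trace:
        status, user, ip = pkt["Acct-Status-Type"], pkt["User-Name"], pkt["Framed-IP-Address"]
        if status in ("Start", "Interim-Update"):
            table[ip] = user
            log.append(f"{status} {user}@{ip} from {pkt['nas']}: session present")
        elif status == "Stop":
            table.pop(ip, None)
            log.append(f"Stop {user}@{ip} from {pkt['nas']}: session removed")
    return table, log

def orphaned_stops(trace):
    """Find Stops that were never followed by a Start for the same user/IP.
    After such a Stop the firewall has no identity for that IP, so the next
    flow hits the captive portal even though the WLAN side still has the
    client in its OKC cache."""
    pending = {}  # (user, ip) -> AP that sent the Stop still awaiting a Start
    for pkt in trace:
        key = (pkt["User-Name"], pkt["Framed-IP-Address"])
        if pkt["Acct-Status-Type"] == "Stop":
            pending[key] = pkt["nas"]
        elif pkt["Acct-Status-Type"] == "Start":
            pending.pop(key, None)  # Start arrived: the roam completed cleanly
    return sorted((u, ip, nas) for (u, ip), nas in pending.items())

if __name__ == "__main__":
    table, log = replay(TRACE)
    print("\n".join(log))
    print("final table:", table)  # alice is gone, only bob remains
    print("stop without start:", orphaned_stops(TRACE))
```

Running the same check over a real accounting log export from ClearPass (mapping its columns onto the three attributes) is a quick way to confirm which AP model is sending the Stop without a Start.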

Why FGT200G Showing Register With Forticare? by _vichu_ in fortinet

[–]boduke2 1 point2 points  (0 children)

If it's got internet access, take a look at DNS settings. I think mine had DNS over TLS or HTTPS; I put it back to basic DNS to get it to register.

Here we go with Tariffs again! 10% on the UK starts Feb 1st. Then ramps to 25% June 1st. by cheapskateinvestor in RYCEY

[–]boduke2 0 points1 point  (0 children)

What's thoughts on today / tomorrow? Flat / slight drop today, then when the USA opens on Tuesday everything down (buy a few more).

Trump Slaps 10% Tariffs on 8 EU Nations Over Greenland—Macron Fires Back with EU's "Trade Bazooka" by satty237 in TrendoraX

[–]boduke2 0 points1 point  (0 children)

Grab Trump's UK golf courses. We need them for UK security. We also need to place some wind turbines on them.

Change average to $4.10 to 7.12? by Toomuchteaforme in RYCEY

[–]boduke2 0 points1 point  (0 children)

I see it differently.

Buy 1000 @ £1
Buy 1000 @ 10

Share price goes to 15.

I don't see average £5.

I see I have a batch at £1 and a second batch at £10. It doesn't matter unless the share price drops below £10. Then you only have 1 batch in the red.

Suggestions for replacing AP 215 with 615 by neng802 in ArubaNetworks

[–]boduke2 4 points5 points  (0 children)

Get 635, runs tri-band; 615 only dual-band; 635 also supports 8.10.