Greetings,

I work a lot with FreeRADIUS.  We have it connected to OpenLDAP instead of AD, 
but the work is the same.

Instead of hard-coding the Filter-IDs into the configuration for FreeRADIUS, we 
simply put them in LDAP.  AD should have a field for you to define the 
Filter-ID.

We try to store as much as possible in LDAP.  This way, we don't have to modify 
the configuration on all of the FreeRADIUS boxes if we want to add a new 
Filter-ID.  This is more of a suggestion and not meant to be a fix for your 
problem.

On to the problem.  You mentioned that you can put a bogus Filter-ID in the 
FreeRADIUS configuration and it does not impact how users are allowed onto the 
network.  So if RADIUS has a Filter-ID of "IlovePoodles" and the HiPath 
controller only has "TechAuthPolicy" defined and the user always ends up in 
"TechAuthPolicy", one can deduce that the HiPath is ignoring whatever RADIUS is 
sending to it.

I'd start looking at debug output from the HiPath and work my way back to the 
FreeRADIUS box and AD as far as troubleshooting goes.


Thanks,

Lou Goddard

Network Engineer

302-552-8053

[email protected]
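As an added example, not code from either message in this thread: a small Python decoder for the Access-Accept that FreeRADIUS sends to the controller, so a packet captured on the wire between the two (for instance with tcpdump) can be checked for the Filter-Id attribute (type 11 in RFC 2865) and for a valid Response Authenticator against the shared secret. The sample packet is constructed inline; the identifier 89 and the string "TechAuthPolicy" are taken from the debug excerpt quoted below, while the request authenticator and shared secret are made up for this example.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute numbers from RFC 2865.
ACCESS_ACCEPT = 2
FILTER_ID = 11      # Filter-Id, type "text"


def build_access_accept(ident, request_auth, secret, attrs):
    """Assemble an Access-Accept as a server would. Used here only to construct
    a sample packet; in practice the input is a capture from the wire."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(body):
    """Walk the TLV attribute list, rejecting malformed lengths instead of
    silently mis-parsing them."""
    attrs = []
    i = 0
    while i < len(body):
        if len(body) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def decode_access_accept(pkt, request_auth, secret):
    """Decode a RADIUS reply, verify its Response Authenticator and pull out
    every Filter-Id value. Returns a dict so each field can be checked."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"bad Length field {length}")
    pkt = pkt[:length]              # octets past Length are padding (RFC 2865 s.3)
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + body + secret).digest()
    authentic = hmac.compare_digest(expected, pkt[4:20])
    attrs = parse_attributes(body)
    filter_ids = [v.decode("utf-8", "replace") for t, v in attrs if t == FILTER_ID]
    return {"code": code, "id": ident, "authentic": authentic,
            "filter_ids": filter_ids, "attrs": attrs}


# Constructed sample input. The identifier and Filter-Id string match the
# debug excerpt in the thread; the request authenticator and shared secret
# are made up for this example.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_PACKET = build_access_accept(
    89, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, [(FILTER_ID, b"TechAuthPolicy")])

if __name__ == "__main__":
    r = decode_access_accept(SAMPLE_PACKET, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET)
    print("code", r["code"], "id", r["id"], "authentic", r["authentic"])
    print("Filter-Id values on the wire:", r["filter_ids"])
    # With the wrong secret the packet still decodes but fails the
    # authenticator check, which is what a NAS sees when secrets do not match.
    bad = decode_access_accept(SAMPLE_PACKET, SAMPLE_REQUEST_AUTH, b"wrong")
    print("authentic with wrong secret:", bad["authentic"])
```

If a capture between FreeRADIUS and the controller decodes with the Filter-Id present and the authenticator verifying, the attribute left the server intact and the remaining question is how the controller maps it, which is the point at which the HiPath's own debug output becomes the thing to read.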

----- Original Message -----
From: Stephen Loeckle <[email protected]>
Sent: Wed, 5/11/2011 12:23pm
To: Enterasys Customer Mailing List <[email protected]>
Subject: [enterasys] HiPath, FreeRADIUS + Filter-ID & Policy Issue

Hi Everyone,

I thought I'd run this by the group before I opened a support ticket. I am 
migrating from M$ NPS to Linux/FreeRADIUS integrated with AD. I have it all 
working and can authenticate just fine except I can't seem to limit users to a 
VNS by using Filter-ID. So, I'm authenticating with winbind and authorizing 
with ldap. I even have the LDAP group lookup working great and having 
FreeRADIUS return a Filter-ID based on the group membership but the HiPath 
doesn't seem to be reading this. It works with NPS but not FR.

Excerpt from users:

DEFAULT Ldap-Group == "DEPT_IS"
        Filter-Id = "TechAuthPolicy",
        Fall-Through = 0

Excerpt from freeradius -X:

Sending Access-Accept of id 89 to 10.0.0.1 port 33716
        Filter-Id = "TechAuthPolicy"

TechAuthPolicy is the name of the policy in the HiPath controller. I can change 
the configuration line in the users file for the policy name to something 
completely invalid and it still lets me connect to this VNS. Again, this works 
fine with NPS but not with FR.

Has anyone seen this? What other information can I provide?

Thank you!

Stephen

P.S. The reason we're moving to FR is so we can use public, not self-signed, 
keys for easier wireless configuration for 3000 students

---
To unsubscribe from enterasys, send email to [email protected] with the body: 
unsubscribe enterasys [email protected]