It's been a crazy couple weeks. I was finally able to look at this some more.
Thanks for the suggestion. I checked that and it didn't make any difference.
According to their documentation:
Attribute = Value
Not allowed as a check item for RADIUS protocol attributes. It is allowed
for server configuration attributes (Auth-Type, etc), and sets the value of on
attribute, only if there is no other item of the same attribute.
As a reply item, it means "add the item to the reply list, but only if
there is no other item of the same attribute."
Attribute == Value
As a check item, it matches if the named attribute is present in the
request, AND has the given value.
Not allowed as a reply item.
I've done some sniffing from the controller itself and it appears to be
receiving the Filter-Id information:
AVP: l=16 t=Filter-Id(11): TechAuthPolicy
or
AVP: l=18 t=Filter-Id(11): TechAuthPooolicy
Still, regardless of the Filter-Id matching the policy or not, it still allows
me access. Any ideas for other stuff I should be looking for?
Thanks so much!
Stephen
----- Original Message -----
From: "Lou H. Goddard" <[email protected]>
To: "Enterasys Customer Mailing List" <[email protected]>
Sent: Wednesday, May 11, 2011 11:44:09 AM
Subject: RE: [enterasys] HiPath, FreeRADIUS + Filter-ID & Policy Issue
DEFAULT Ldap-Group == "DEPT_IS"
Filter-Id = "TechAuthPolicy",
Fall-Through = 0
Maybe you need a double equals on the Filter-ID line above? I just checked my
configuration. It is using double-equals.
My example:
DEFAULT NAS-Port-Type == "Wireless-802.11", Group != "wireless",NAS-Identifier
=~ "^HLA"
Tunnel-Medium-Type == 802,
Tunnel-Private-Group-Id == 666,
Tunnel-Type == VLAN,
Filter-Id == "",
Fall-Through = no
Thanks,
Lou Goddard
Network Engineer
302-552-8053
[email protected]
----- Original Message -----
From: Stephen Loeckle <[email protected]>
Sent: Wed, 5/11/2011 12:23pm
To: Enterasys Customer Mailing List <[email protected]>
Subject: [enterasys] HiPath, FreeRADIUS + Filter-ID & Policy Issue
Hi Everyone,
I thought I'd run this by the group before I opened a support ticket. I am
migrating from M$ NPS to Linux/FreeRADIUS integrated with AD. I have it all
working and can authenticate just fine except I can't seem to limit users to a
VNS by using Filter-ID. So, I'm authenticating with winbind and authorizing
with ldap. I even have the LDAP group lookup working great and having
FreeRADIUS return a Filter-ID based on the group membership but the HiPath
doesn't seem to be reading this. It works with NPS but not FR.
Excerpt from users:
DEFAULT Ldap-Group == "DEPT_IS"
Filter-Id = "TechAuthPolicy",
Fall-Through = 0
Excerpt from freeradius -X:
Sending Access-Accept of id 89 to 10.0.0.1 port 33716
Filter-Id = "TechAuthPolicy"
TechAuthPolicy is the name of the policy in the HiPath controller. I can change
the configuration line in the users file for the policy name to something
complete invalid and it still let's me connect to this VNS. Again, this works
fine with NPS but not with FR.
Has anyone seen this? What other information can I provide?
Thank you!
Stephen
P.S. The reason we're moving to FR is so we can use public, not self-signed,
keys for easier wireless configuration for 3000 students
---
To unsubscribe from enterasys, send email to [email protected] with the body:
unsubscribe enterasys [email protected]
------------------ CONFIDENTIALITY NOTICE ---------------
This message, including any attachments, is for the sole use of the
intended recipient(s) and may contain privileged confidential information
protected by law. Any unauthorized review, use, disclosure or distribution
of this message is prohibited. If you are not the intended recipient, please
contact the sender by reply e-mail and destroy all copies of this message.
------------------ CONFIDENTIALITY NOTICE ---------------
---
To unsubscribe from enterasys, send email to [email protected] with the body:
unsubscribe enterasys [email protected]
---
To unsubscribe from enterasys, send email to [email protected] with the body:
unsubscribe enterasys [email protected]
