Stephen,

I'd be interested in looking at the configuration on the Enterasys Wireless Controller and the trace to help determine the root cause. I'm confident we can get this working for you.

Please feel free to contact me directly at [email protected]
Regards,
Doug Hyde | Escalation Support Engineer
Enterasys Networks | A Siemens Enterprise Communications Company
Office: 978.684.1048 | Toll Free: 800.872.8440
Email: [email protected]
Twitter ID: DHyde_17

-----Original Message-----
From: Stephen Loeckle [mailto:[email protected]]
Sent: Wednesday, June 01, 2011 12:21 PM
To: Enterasys Customer Mailing List
Subject: Re: [enterasys] HiPath, FreeRADIUS + Filter-ID & Policy Issue

It's been a crazy couple weeks. I was finally able to look at this some more. Thanks for the suggestion. I checked that and it didn't make any difference.

According to their documentation:

    Attribute = Value
        Not allowed as a check item for RADIUS protocol attributes. It is allowed for server configuration attributes (Auth-Type, etc), and sets the value of an attribute, only if there is no other item of the same attribute. As a reply item, it means "add the item to the reply list, but only if there is no other item of the same attribute."

    Attribute == Value
        As a check item, it matches if the named attribute is present in the request, AND has the given value. Not allowed as a reply item.

I've done some sniffing from the controller itself and it appears to be receiving the Filter-Id information:

    AVP: l=16 t=Filter-Id(11): TechAuthPolicy

or

    AVP: l=18 t=Filter-Id(11): TechAuthPooolicy

Still, regardless of the Filter-Id matching the policy or not, it still allows me access.

Any ideas for other stuff I should be looking for?

Thanks so much!
Stephen

----- Original Message -----
From: "Lou H. Goddard" <[email protected]>
To: "Enterasys Customer Mailing List" <[email protected]>
Sent: Wednesday, May 11, 2011 11:44:09 AM
Subject: RE: [enterasys] HiPath, FreeRADIUS + Filter-ID & Policy Issue

    DEFAULT Ldap-Group == "DEPT_IS"
        Filter-Id = "TechAuthPolicy",
        Fall-Through = 0

Maybe you need a double equals on the Filter-ID line above? I just checked my configuration. It is using double-equals.
My example:

    DEFAULT NAS-Port-Type == "Wireless-802.11", Group != "wireless",NAS-Identifier =~ "^HLA"
        Tunnel-Medium-Type == 802,
        Tunnel-Private-Group-Id == 666,
        Tunnel-Type == VLAN,
        Filter-Id == "",
        Fall-Through = no

Thanks,
Lou Goddard
Network Engineer
302-552-8053
[email protected]

----- Original Message -----
From: Stephen Loeckle <[email protected]>
Sent: Wed, 5/11/2011 12:23pm
To: Enterasys Customer Mailing List <[email protected]>
Subject: [enterasys] HiPath, FreeRADIUS + Filter-ID & Policy Issue

Hi Everyone,

I thought I'd run this by the group before I opened a support ticket. I am migrating from M$ NPS to Linux/FreeRADIUS integrated with AD. I have it all working and can authenticate just fine except I can't seem to limit users to a VNS by using Filter-ID.

So, I'm authenticating with winbind and authorizing with ldap. I even have the LDAP group lookup working great and having FreeRADIUS return a Filter-ID based on the group membership but the HiPath doesn't seem to be reading this. It works with NPS but not FR.

Excerpt from users:

    DEFAULT Ldap-Group == "DEPT_IS"
        Filter-Id = "TechAuthPolicy",
        Fall-Through = 0

Excerpt from freeradius -X:

    Sending Access-Accept of id 89 to 10.0.0.1 port 33716
        Filter-Id = "TechAuthPolicy"

TechAuthPolicy is the name of the policy in the HiPath controller. I can change the configuration line in the users file for the policy name to something completely invalid and it still lets me connect to this VNS. Again, this works fine with NPS but not with FR.

Has anyone seen this? What other information can I provide?

Thank you!
Stephen

P.S.
The reason we're moving to FR is so we can use public, not self-signed, keys for easier wireless configuration for 3000 students.
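
Added example, not part of the original thread or of FreeRADIUS: a small Python lint that applies the two operator rules quoted from the documentation above (`=` not allowed as a check item for RADIUS protocol attributes, `==` not allowed as a reply item) to the two users-file entries posted in the thread. The function names, the regex and the one-member set of server configuration attributes are assumptions made for this illustration.

```python
import re

# Assumption: minimal set of server-configuration attributes for which "=" is
# acceptable as a check item (the quoted documentation names Auth-Type).
SERVER_CONFIG_ATTRS = {"Auth-Type"}

# attribute, operator, value ("==" is listed before "=" so it wins the match)
ITEM_RE = re.compile(r'([A-Za-z0-9-]+)\s*(==|!=|=~|!~|:=|\+=|=)\s*("[^"]*"|[^,\s]+)')

def lint_entry(entry):
    """Return (list, attribute, operator) for each item breaking the quoted rules.

    Line 1 of a users-file entry is the name plus check items; the indented
    lines that follow are reply items.
    """
    lines = [l for l in entry.splitlines() if l.strip()]
    _name, _, checks = lines[0].strip().partition(" ")
    findings = []
    for attr, op, _value in ITEM_RE.findall(checks):
        # "=" as a check item is only valid for server configuration attributes
        if op == "=" and attr not in SERVER_CONFIG_ATTRS:
            findings.append(("check", attr, op))
    for attr, op, _value in ITEM_RE.findall(" ".join(lines[1:])):
        # "==" is a comparison and is not allowed in the reply list
        if op == "==":
            findings.append(("reply", attr, op))
    return findings

# The two entries as posted in the thread (line layout reconstructed).
FIRST_ENTRY = '''DEFAULT Ldap-Group == "DEPT_IS"
    Filter-Id = "TechAuthPolicy",
    Fall-Through = 0
'''
SECOND_ENTRY = '''DEFAULT NAS-Port-Type == "Wireless-802.11", Group != "wireless",NAS-Identifier =~ "^HLA"
    Tunnel-Medium-Type == 802, Tunnel-Private-Group-Id == 666,
    Tunnel-Type == VLAN, Filter-Id == "", Fall-Through = no
'''

if __name__ == "__main__":
    for label, entry in (("first", FIRST_ENTRY), ("second", SECOND_ENTRY)):
        for where, attr, op in lint_entry(entry):
            print(f"{label} entry: {attr} uses '{op}' as a {where} item")
```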
