sending Filter-Id to another accounting server - need help

Alan DeKok aland at deployingradius.com
Thu Mar 2 22:58:37 CET 2017


On Mar 2, 2017, at 1:57 PM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> 
> I have 3 NAS, one for wireless/wired access, one firewall for internet access and another firewall for restricted network access. Both firewalls are in radius accounting listen mode and have built in log and reporting functions.
> 
> Internet firewall is configured to provide radius single sign-on based on user group which is passed via "Class" attribute. 
> This works fine.
> 
> The other firewall is configured to provide radius single sign-on based on user group and "magic key" which is passed via "Filter-Id" attribute. Any user without the "magic key" is not allowed to the network. 
> This is not working as Filter-Id is not sent by radius server.

  I'm still not clear on what you want it to do.

  I asked you to show the packets the server is receiving and sending.  Instead, you reply with a description of the systems involved.

  If you have any intention of solving the problem, you will need to (a) follow instructions, and (b) describe the problem in a way that other people can understand.

> I can tell radius server is not sending Filter-Id to the NAS mentioned in copy-acct-to-home-server, but it is sending Filter-Id back to the wireless/wired NAS. 

  I have no idea what that means.

  I don't have access to your system.  I don't know how you've configured it.  I don't know what you want it to do.

  Your messages assume that I already know everything you know... without you ever telling me anything useful.  That's a big problem.

> radius debug says,
> 
> # Executing section accounting from file
> /etc/freeradius/sites-enabled/copy-acct-to-home-server
> +- entering group accounting {...}
> ++[ok] returns ok
> } # server copy-acct-to-home-server
>  WARNING: Empty pre-proxy section.  Using default return values.
> 
> The question is how to tell radius server to include Filter-Id values to restricted network firewall?

  You configure the server to send a Filter-ID.  It's not difficult.

  What *is* difficult, apparently, is for you to describe what it is you want, what you've done, and what's actually going on.  If you can't do that, you won't ever solve the problem.

> I assume adding Filter-Id to the "attrs" file will work without any additional configuration, but I don't want to do that unless that is the only solution.

  I have no idea what that means.

  Alan DeKok.



