Mikal- Yes, I have done a packet trace. The Filter-Id attribute is sent on the 2nd packet of the authentication attempt, during the first access-challenge. After that, Filter-Id isnt mentioned again until after the Access-Accept packet on the Accounting-Request. However, on the Accounting-Request packet its shown as Students, not Faculty. The whole authentication process is 20 packets, excluding the accounting packets. The only thing I noticed that may be out of the ordinary is that there are 10 access-request packets, with 9 of them being duplicates to the first request. The Filter-Id attribute is only sent on the first challenge response. Im not sure if this is normal or not as I dont have anything to compare to. Do you see something similar with your configuration? On Thu, Dec 2, 2010 at 1:01 PM, mikal <mpm@atceast.com> wrote:
Rob,
You shouldn't need to check the "restrict policy" option. My setup is actually using a Captive Portal for the users to enter credentials. So I start them off with a non-auth policy that uses a "Routed" topology and then once authenticated uses a "Bridge at AP" topology.
So the controller is serving up the CP page, and then I'm using freeradius with a MySQL backend.
Did you capture a trace from the controller interface just to ensure that the attribute/value pair is appearing at the controller interface correctly? Wireless Controller->Utilities->Wireless Controller TCP Dump Management.
So my VNS setup looks like:
VNS Name: SMFC WLAN Service: SMFC Non-Auth policy: SMFC NonAuth Auth Policy: SMFC Auth (support is correct, this will be overwritten if the radius-accept contains a Filter-Id value that matches a configured policy) Restrict policy set unchecked Enable checked
Under VNS Configuration->Policies I have a policy: named Policy Name:NewmanN.
I throw a row in my MySQL radreply table to use a Filter-Id value of NewmanN for a particular user (test.user11 in this case) and I'm off and running. If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc. then I get the default policy applied to test.user11. The same behavior that you're seeing.
"ktest Cleartext-Password := "password" Filter-Id = "Faculty"
When I authenticate with this user I get:
Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST] from VNS [TEST] with username [ktest] has been successfully authenticated. Policy [Students] is applied.
I get the same msg for an ldap user that has the Filter-Id set to Faculty as well.
For comparison, on the controller my vns settings include: VNS Name: TEST WLAN Service: TESTWLAN Non-Auth policy: NonAuth Auth Policy: Students (support told me this doesnt matter what its set to...the Filter-Id will override this) Restrict policy set unchecked Enable checked
I have another policy named Faculty that is assigned the AuthFaculty topology (which sets the tagged vlan).
How does this compare to your setup? Do I need the restrict policy set option checked and config'd?"
-- View this message in context: http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp32894... Sent from the FreeRadius - User mailing list archive at Nabble.com. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html