Attribute not passing to NAS?

Rob Yamry ryamry at
Thu Dec 2 21:15:45 CET 2010

Yes, I have done a packet trace.  The Filter-Id attribute is sent on the
2nd packet of the authentication attempt, during the first
access-challenge.  After that, Filter-Id isn't mentioned again until after
the Access-Accept packet on the Accounting-Request.  However, on the
Accounting-Request packet it's shown as Students, not Faculty.  The whole
authentication process is 20 packets, excluding the accounting packets.  The
only thing I noticed that may be out of the ordinary is that there are 10
access-request packets, with 9 of them being duplicates of the first
request.  The Filter-Id attribute is only sent on the first challenge
response. I'm not sure if this is normal or not as I don't have anything to
compare to.

Do you see something similar with your configuration?

On Thu, Dec 2, 2010 at 1:01 PM, mikal <mpm at> wrote:

> Rob,
> You shouldn't need to check the "restrict policy" option.  My setup is
> actually using a Captive Portal for the users to enter credentials.  So I
> start them off with a non-auth policy that uses a "Routed" topology and
> then once authenticated uses a "Bridge at AP" topology.
> So the controller is serving up the CP page, and then I'm using freeradius
> with a MySQL backend.
> Did you capture a trace from the controller interface just to ensure that
> the attribute/value pair is appearing at the controller interface
> correctly?
> Wireless Controller->Utilities->Wireless Controller TCP Dump Management.
> So my VNS setup looks like:
> VNS Name: SMFC
> WLAN Service: SMFC
> Non-Auth policy: SMFC NonAuth
> Auth Policy: SMFC Auth               (support is correct, this will be
> overwritten if the radius-accept contains a Filter-Id value that matches a
> configured policy)
> Restrict policy set unchecked
> Enable checked
> Under VNS Configuration->Policies I have a policy: named Policy
> Name:NewmanN.
> I throw a row in my MySQL radreply table to use a Filter-Id value of
> NewmanN for a particular user (test.user11 in this case) and I'm off and
> running.
> If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc.
> then I get the default policy applied to test.user11.  The same behavior
> that you're seeing.
> "ktest   Cleartext-Password := "password"
>        Filter-Id = "Faculty"
> When I authenticate with this user I get:
> Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST]
> from VNS [TEST] with username [ktest] has been successfully authenticated.
> Policy [Students] is applied.
> I get the same msg for an ldap user that has the Filter-Id set to Faculty
> as well.
> For comparison, on the controller my vns settings include:
> VNS Name: TEST
> Non-Auth policy: NonAuth
> Auth Policy: Students               (support told me this doesn't matter
> what it's set to...the Filter-Id will override this)
> Restrict policy set unchecked
> Enable checked
> I have another policy named Faculty that is assigned the AuthFaculty
> topology (which sets the tagged vlan).
> How does this compare to your setup?  Do I need the restrict policy set
> option checked and config'd?"

More information about the Freeradius-Users mailing list
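
The thread turns on two checks: whether Filter-Id is present in the Access-Accept itself (not only in an earlier Access-Challenge), and whether its value matches a configured policy name exactly, including case. The Python below is an added example, not code from the thread or from FreeRADIUS; the function names `parse`, `audit` and `build`, and the sample trace, are constructed for illustration, and the input is assumed to be raw RADIUS payloads (RFC 2865 layout) extracted from a capture.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}
FILTER_ID = 11  # RFC 2865 attribute type for Filter-Id

def parse(packet: bytes):
    """Return (code name, [Filter-Id values]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    filters, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if atype == FILTER_ID:
            filters.append(packet[pos + 2:pos + alen].decode("utf-8", "replace"))
        pos += alen
    return CODES.get(code, f"code-{code}"), filters

def audit(trace, policies):
    """List Filter-Id per packet and judge the last Access-Accept against policy names."""
    seen = [parse(p) for p in trace]
    accepts = [f for name, f in seen if name == "Access-Accept"]
    if not accepts:
        verdict = "no Access-Accept in trace"
    elif not accepts[-1]:
        verdict = "Access-Accept carries no Filter-Id"
    elif accepts[-1][0] not in policies:  # exact, case-sensitive match, as reported in the thread
        verdict = f"Filter-Id {accepts[-1][0]!r} matches no configured policy"
    else:
        verdict = f"Filter-Id {accepts[-1][0]!r} matches a configured policy"
    return seen, verdict

def build(code, attrs=()):
    """Constructed test packet: zeroed authenticator plus (type, value) attributes."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed trace mirroring the sequence described in the thread:
# request, challenge with Filter-Id, accept without it, accounting with "Students".
TRACE = [build(1, [(1, b"ktest")]), build(11, [(FILTER_ID, b"Faculty")]),
         build(2), build(4, [(FILTER_ID, b"Students")])]
```

Calling `audit(TRACE, {"Students", "Faculty"})` returns the per-packet Filter-Id list and a verdict on the Access-Accept.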