Attribute not passing to NAS?

Rob Yamry ryamry at kimberly.k12.wi.us
Thu Dec 2 21:15:45 CET 2010


Mikal-
  Yes, I have done a packet trace.  The Filter-Id attribute is sent on the
2nd packet of the authentication attempt, during the first
access-challenge.  After that, Filter-Id isn't mentioned again until after
the Access-Accept packet on the Accounting-Request.  However, on the
Accounting-Request packet it's shown as Students, not Faculty.  The whole
authentication process is 20 packets, excluding the accounting packets.  The
only thing I noticed that may be out of the ordinary is that there are 10
access-request packets, with 9 of them being duplicates to the first
request.  The Filter-Id attribute is only sent on the first challenge
response. I'm not sure if this is normal or not as I don't have anything to
compare to.

Do you see something similar with your configuration?


On Thu, Dec 2, 2010 at 1:01 PM, mikal <mpm at atceast.com> wrote:

>
> Rob,
>
> You shouldn't need to check the "restrict policy" option.  My setup is
> actually using a Captive Portal for the users to enter credentials.  So I
> start them off with a non-auth policy that uses a "Routed" topology and
> then
> once authenticated uses a "Bridge at AP" topology.
>
> So the controller is serving up the CP page, and then I'm using freeradius
> with a MySQL backend.
>
> Did you capture a trace from the controller interface just to ensure that
> the attribute/value pair is appearing at the controller interface
> correctly?
> Wireless Controller->Utilities->Wireless Controller TCP Dump Management.
>
> So my VNS setup looks like:
>
> VNS Name: SMFC
> WLAN Service: SMFC
> Non-Auth policy: SMFC NonAuth
> Auth Policy: SMFC Auth               (support is correct, this will be
> overwritten if the radius-accept contains a Filter-Id value that matches a
> configured policy)
> Restrict policy set unchecked
> Enable checked
>
> Under VNS Configuration->Policies I have a policy: named Policy
> Name:NewmanN.
>
> I throw a row in my MySQL radreply table to use a Filter-Id value of
> NewmanN
> for a particular user (test.user11 in this case) and I'm off and running.
> If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc.
> then I get the default policy applied to test.user11.  The same behavior
> that you're seeing.
>
> "ktest   Cleartext-Password := "password"
>        Filter-Id = "Faculty"
>
> When I authenticate with this user I get:
>
> Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID
> [TEST]
> from VNS [TEST] with username [ktest] has been successfully authenticated.
> Policy [Students] is applied.
>
> I get the same msg for an ldap user that has the Filter-Id set to Faculty
> as
> well.
>
> For comparison, on the controller my vns settings include:
> VNS Name: TEST
> WLAN Service: TESTWLAN
> Non-Auth policy: NonAuth
> Auth Policy: Students               (support told me this doesn't matter
> what
> it's set to...the Filter-Id will override this)
> Restrict policy set unchecked
> Enable checked
>
> I have another policy named Faculty that is assigned the AuthFaculty
> topology (which sets the tagged vlan).
>
> How does this compare to your setup?  Do I need the restrict policy set
> option checked and config'd?"
>
> --
> View this message in context:
> http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289846.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
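
The check discussed in this thread, as an added example that is not part of either poster's message or of FreeRADIUS: it parses RADIUS packets in the RFC 2865 layout, reports which packet types carry Filter-Id (attribute type 11), and tests each value against the configured policy names with an exact, case-sensitive comparison, as mikal describes. The function names and the constructed trace are assumptions; in practice the packets would be the UDP payloads taken from the controller's capture.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 11: "Access-Challenge"}
FILTER_ID = 11  # RFC 2865 attribute type for Filter-Id

def build_packet(code, ident, attrs):
    """Build a constructed RADIUS packet (zeroed authenticator) for the demo."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), b"") + body

def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def filter_id_report(packets, policies):
    """For each Filter-Id seen: (packet type, value, exact policy-name match)."""
    report = []
    for pkt in packets:
        code, attrs = parse_attributes(pkt)
        for atype, value in attrs:
            if atype == FILTER_ID:
                name = value.decode("utf-8", "replace")
                report.append((CODES.get(code, str(code)), name, name in policies))
    return report

def accept_carries_filter_id(packets):
    """True only if some Access-Accept (code 2) includes a Filter-Id attribute."""
    return any(code == 2 and any(t == FILTER_ID for t, _ in attrs)
               for code, attrs in map(parse_attributes, packets))

# Constructed trace mirroring the thread: Filter-Id in the challenge, none in the accept.
TRACE = [build_packet(1, 1, [(1, b"ktest")]),
         build_packet(11, 1, [(FILTER_ID, b"Faculty"), (24, b"state")]),
         build_packet(2, 2, []),
         build_packet(4, 3, [(1, b"ktest"), (FILTER_ID, b"Students")])]
```
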