sending Filter-Id to another accounting server - need help

Eby Mani eby_km at yahoo.com
Thu Mar 2 19:57:03 CET 2017


Hi Alan,

I have 3 NAS: one for wireless/wired access, one firewall for internet access and another firewall for restricted network access. Both firewalls are in radius accounting listen mode and have built-in log and reporting functions.

Internet firewall is configured to provide radius single sign-on based on user group which is passed via "Class" attribute. 
This works fine.

The other firewall is configured to provide radius single sign-on based on user group and "magic key" which is passed via "Filter-Id" attribute. Any user without the "magic key" is not allowed to the network. 
This is not working as Filter-Id is not sent by radius server.

I can tell radius server is not sending Filter-Id to the NAS mentioned in copy-acct-to-home-server, but it is sending Filter-Id back to the wireless/wired NAS. 

radius debug says,

# Executing section accounting from file /etc/freeradius/sites-enabled/copy-acct-to-home-server
+- entering group accounting {...}
++[ok] returns ok
} # server copy-acct-to-home-server
  WARNING: Empty pre-proxy section.  Using default return values.

The question is how to tell the radius server to include Filter-Id values to the restricted network firewall?

I assume adding Filter-Id to the "attrs" file will work without any additional configuration, but I don't want to do that unless that is the only solution.

Thanks,

Eby


--------------------------------------------
On Wed, 1/3/17, Alan DeKok <aland at deployingradius.com> wrote:

 Subject: Re: sending Filter-Id to another accounting server - need help
 To: "Eby Mani" <eby_km at yahoo.com>, "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
 Date: Wednesday, 1 March, 2017, 7:22 PM
 
 On Mar 1, 2017, at 2:11 PM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
 >
 > How do I configure freeradius to send user based Filter-Id to an accounting server? Each user will have a different Filter-Id value, users without any Filter-Id string will be denied access on the other NAS (listen only).
 >
 > I have the following in post-auth section of sites-enabled/default
 >
 > update reply {
 >     Filter-Id = "%{sql:SELECT `value` FROM `radreply` WHERE `username`='%{User-Name}';}"
 > }

   That updates the Access-Accept.

 > Freeradius is sending Filter-Id back to the user connected NAS, but not to the accounting server (another NAS, listen only).

   I have no idea what that means.

 > To which section should I add the update reply{} section in copy-acct-to-home-server file? Or is there a special command to include Filter-Id?

   I have no idea what that means, either.

   Please explain what you want to do.  This time, using more detail.  What packet is the server receiving?  What has to be updated?  What packet is the server sending?

   Your question assumes that we already know what you're doing.  We don't.  You need to explain it.

   Alan DeKok.
 


