Mikal - Yes, I have done a packet trace. The Filter-Id attribute is sent on the 2nd packet of the authentication attempt, during the first access-challenge. After that, Filter-Id isn't mentioned again until after the Access-Accept packet, on the Accounting-Request. However, on the Accounting-Request packet it's shown as Students, not Faculty. The whole authentication process is 20 packets, excluding the accounting packets. The only thing I noticed that may be out of the ordinary is that there are 10 access-request packets, with 9 of them being duplicates of the first request. The Filter-Id attribute is only sent on the first challenge response. I'm not sure if this is normal or not, as I don't have anything to compare to.
Do you see something similar with your configuration?

On Thu, Dec 2, 2010 at 1:01 PM, mikal <[email protected]> wrote:

> Rob,
>
> You shouldn't need to check the "restrict policy" option. My setup is
> actually using a Captive Portal for the users to enter credentials. So I
> start them off with a non-auth policy that uses a "Routed" topology and then
> once authenticated uses a "Bridge at AP" topology.
>
> So the controller is serving up the CP page, and then I'm using freeradius
> with a MySQL backend.
>
> Did you capture a trace from the controller interface just to ensure that
> the attribute/value pair is appearing at the controller interface correctly?
> Wireless Controller->Utilities->Wireless Controller TCP Dump Management.
>
> So my VNS setup looks like:
>
> VNS Name: SMFC
> WLAN Service: SMFC
> Non-Auth policy: SMFC NonAuth
> Auth Policy: SMFC Auth (support is correct, this will be overwritten if the radius-accept contains a Filter-Id value that matches a configured policy)
> Restrict policy set unchecked
> Enable checked
>
> Under VNS Configuration->Policies I have a policy: named Policy Name:NewmanN.
>
> I throw a row in my MySQL radreply table to use a Filter-Id value of NewmanN
> for a particular user (test.user11 in this case) and I'm off and running.
> If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc.
> then I get the default policy applied to test.user11. The same behavior
> that you're seeing.
>
> "ktest Cleartext-Password := "password"
> Filter-Id = "Faculty"
>
> When I authenticate with this user I get:
>
> Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST]
> from VNS [TEST] with username [ktest] has been successfully authenticated.
> Policy [Students] is applied.
>
> I get the same msg for an ldap user that has the Filter-Id set to Faculty as well.
>
> For comparison, on the controller my vns settings include:
> VNS Name: TEST
> WLAN Service: TESTWLAN
> Non-Auth policy: NonAuth
> Auth Policy: Students (support told me this doesn't matter what its set to...the Filter-Id will override this)
> Restrict policy set unchecked
> Enable checked
>
> I have another policy named Faculty that is assigned the AuthFaculty
> topology (which sets the tagged vlan).
>
> How does this compare to your setup? Do I need the restrict policy set
> option checked and config'd?"
>
> --
> View this message in context:
> http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289846.html
> Sent from the FreeRadius - User mailing list archive at Nabble.com.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
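
Added example, not part of the original thread and not FreeRADIUS or controller code: a small Python check for the comparison discussed above. It lists which RADIUS packets in a trace carry Filter-Id (attribute 11) and whether the Access-Accept carries one that exactly matches a configured policy name. The function names, the constructed sample packets and the "default policy" fallback wording are assumptions based on the behaviour described in the thread; input is raw RADIUS UDP payloads.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 11: "Access-Challenge"}
FILTER_ID = 11  # RFC 2865 attribute type for Filter-Id

def parse_radius(pkt):
    """Return (code, id, {attr_type: [values]}) for one RADIUS packet."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, ident, attrs

def filter_id_report(packets, policies):
    """List packets carrying Filter-Id and what the Access-Accept selects."""
    seen, verdict = [], "no Access-Accept in trace"
    for pkt in packets:
        code, _, attrs = parse_radius(pkt)
        values = [v.decode("utf-8", "replace") for v in attrs.get(FILTER_ID, [])]
        if values:
            seen.append((CODES.get(code, str(code)), values))
        if code == 2:  # only the Access-Accept decides the policy (per the thread)
            if not values:
                verdict = "Access-Accept has no Filter-Id: default policy"
            elif values[0] in policies:  # exact, case-sensitive comparison
                verdict = "policy " + values[0]
            else:
                verdict = "Filter-Id %r matches no policy: default policy" % values[0]
    return seen, verdict

def build(code, ident, attrs=()):
    """Constructed sample packet with a zeroed authenticator (not a real capture)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

# Constructed trace shaped like the one described: Filter-Id on the challenge only.
TRACE = [build(1, 1, [(1, b"ktest")]), build(11, 1, [(FILTER_ID, b"Faculty")]),
         build(1, 2, [(1, b"ktest")]), build(2, 2)]
POLICIES = {"Students", "Faculty"}  # policy names taken from the thread
```

Calling `filter_id_report(TRACE, POLICIES)` on the constructed trace reports Filter-Id only on the Access-Challenge and none on the Access-Accept.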

