Chris,
Thanks for the reply. I passed this along to my systems people and they
are checking into it. I have some more details as we were looking at this
today.
When running in debug mode, they run the rad-test utility and see the
filter-id in the challenge packets. What they don't see is the filter-id
included in the access-accept packet going back to the controller.
Hope this helps.
- Don
On Tue, Apr 3, 2012 at 4:45 PM, Christopher Wieringa <[email protected]>wrote:
> It is hard to say exactly why it isn't adding it in without seeing some
> actual configuration or server debugging text, but there are a few areas
> you can check.
>
> First, make sure that you have the dictionary with that radius attribute
> loaded. It should be loaded by default, but it doesn't hurt to check that
> the dictionaries are being loaded. With a quick search it looks like it
> the attribute you want is in the file "dictionary.rfc2865" named
> "Filter-Id". I don't have a copy of FreeRadius 1.x's dictionaries around,
> but the attribute name might have changed slightly in the 2.x series - make
> sure you are referring to it correctly.
>
> Next, make sure that you are populating Filter-Id as a reply attribute -
> are you setting it through a LDAP attribute map, from SQL's radreply or
> radgroupreply tables, or some other method? If you think you are, then I
> would suggest running your radius server in debug mode (./radiusd -X) and
> watching an authentication and see why or why not it is being added to the
> radius reply.
>
> If that still doesn't work, for testing, you can add the following lines
> into your post-auth section of the server config to add the attribute to
> all completed and accepted requests.
>
> update reply {
> Filter-Id := "student"
> }
>
> You also might try the FreeRadius listserv for support as well (make sure
> to include configuration snippets and debugging output), or email me direct
> with the same.
>
> Chris Wieringa
>
>
> >>> On 4/3/2012 at 2:42 PM, "Wright, Don" <[email protected]>
> wrote:
> > We have been testing with the latest version 2.x of FreeRadius and are
> > having trouble passing the Filter-ID information back to our Aruba
> > controllers. Note the packet traces below show the missing Filter-ID in
> > the 2.x version, and where it is present on our functioning version 1.x
> > FreeRadius servers. My systems people have tried different configuration
> > settings on the server based on the documentation they are looking at,
> but
> > without any positive results so far.
> > Does anyone have an idea of what setting might resolve this, or can
> > point us to documentation that shows how this works? Thanks in advance
> for
> > any help.
> >
> > Don Wright
> > Brown University
> >
> > From Version 1.x server:
> >
> > 16:04:51.121056 IP (tos 0x0, ttl 64, id 0, offset 0, flags
> > [DF], proto: UDP (17), length: 207) 10.4.28.15.1645 >
> > 128.148.10.104.32797: RADIUS, length: 179
> > *Access Accept (2)*, id: 0xaa, Authenticator:
> > c85628210672caeedf2c8e3ade84cdfa
> > *Filter ID Attribute (11), length: 9, Value: student*
> > Vendor Specific Attribute (26), length: 58, Value: Vendor:
> > Microsoft (311) [|radius] [|radius]
> >
> >
> > From Version 2.x server:
> >
> > 15:39:34.337535 IP (tos 0x0, ttl 64, id 59206, offset 0, flags
> > [none], proto: UDP (17), length: 197) 10.4.28.12.1645 >
> > 128.148.10.104.33828: RADIUS, length: 169
> > *Access Accept (2)*, id: 0xbf,
> > Authenticator: 85c2f9f515ee8ff6a8bee1d88cae243c
> > Vendor Specific Attribute (26), length: 58, Value: Vendor:
> > Microsoft (311) [|radius] [|radius]
> >
> > **********
> > Participation and subscription information for this EDUCAUSE Constituent
> > Group discussion list can be found at http://www.educause.edu/groups/.
>
>
>
> --
> --
> Chris Wieringa
> [email protected]
> Sr. Systems Engineer
> Calvin Information Technology
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
>
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.
