Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass using Radius Proxy Access Accept Attributes

  • 1.  Clearpass using Radius Proxy Access Accept Attributes

    Posted Mar 27, 2015 11:51 AM

    For various reasons, I temporarily have to proxy off Ethernet-based MAC auths to another (FreeRADIUS) RADIUS server for authentication. The FR server will return an Access-Accept packet with VLAN information present. What do I have to do at the Enforcement Profile level in my RADIUS proxy service to ensure that these attributes are passed back to the originating RAS device?

     

    Rgds

    Alex

     



  • 2.  RE: Clearpass using Radius Proxy Access Accept Attributes

    Posted Mar 27, 2015 12:00 PM

    Should point out that although my dev server is running 6.5 and there is a radius auth source available, my production setup is running 6.4.5, so I guess I need an answer for 6.4.5 while I play with 6.5

     

    A



  • 3.  RE: Clearpass using Radius Proxy Access Accept Attributes

    Posted Mar 31, 2015 05:59 AM

    o.k

     

    I've created a RADIUS proxy auth source in CPPM 6.5 called UoY Radius Auth Source - 270315. This is so I can proxy off MAC auths to a FreeRADIUS server that returns a VLAN (Tunnel-Private-Group-Id) in the Access-Accept packet.

    Radius-auth-source.tiff


    This is the service that's invoked
    radius-proxy-service.png

    I can see the mac auth going to the remote server and an access accept coming back with the right attributes in it.


    radius-proxy-input.png
    My enforcement policy is shown below

    radius-proxy-enforcement policy.png

    Initially I had the default profile set up [deny access profile] but any auths that came in used that profile, so something is wrong with my condition above.

    and the enforcement profile is

    radius-proxy-enforcement profile.png

    All I get out in the Access-Accept packet sent to the switch is
    radius-proxy-response-packets.png

    What have I done wrong with my calculated attributes %{Authorization…….} that they're not visible?



  • 4.  RE: Clearpass using Radius Proxy Access Accept Attributes

    Posted Mar 31, 2015 06:33 AM

    o.k. got the enforcement profile sorted and I'm now returning the correct RADIUS attributes. Just need to sort out the enforcement policy where I select the enforcement profile. I want to check that the Access-Accept from the remote RADIUS proxy has a Tunnel-Private-Group-Id attribute. How would I do that? If it's not there I'll want to invoke another profile.

     



  • 5.  RE: Clearpass using Radius Proxy Access Accept Attributes

    EMPLOYEE
    Posted Mar 31, 2015 06:35 AM
    Removed. Misread