04-08-2015 08:29 AM
I've configured our 802.1x SSIDs to send RADIUS accounting information to our firewall to associate users/computers with IP addresses. We are using Microsoft's NPS server using the User-Name and Class attributes. The Class attribute associates the user/computer with a firewall group. Some entries don't have the group entry. Doing a packet capture at the firewall shows that not all packets have the Class attribute. I think it is the same NPS issue discussed on this page, http://www.nicklowe.org/2013/08/nps-class-attribute-bug/
So, what I'd like to try is using the Filter-Id attribute instead. After telling the firewall to use the Filter-Id, no group info is populated at the firewall.
Doing a packet capture on the NPS server shows the Filter-ID attribute in the Access-Accept packets.
A debug on the controller shows the field:
Apr 8 10:16:27 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1156] Filter-Id: TestGroup
Doing a capture of the accounting packet at the firewall doesn't show the field.
It is as if the controller isn't passing the Filter-Id to the firewall in the accounting packet. Has anyone seen this or have any suggestions on how to resolve it? Or am I looking at this entirely wrong?