Frequent Contributor I
Posts: 79
Registered: 05-15-2012

Firewall SSO via RADIUS Accounting Using Filter-ID with NPS

I've configured our 802.1x SSIDs to send RADIUS accounting information to our firewall to associate users/computers with IP addresses. We are using Microsoft's NPS server using the User-Name and Class attributes. The Class attribute associates the user/computer with a firewall group. Some entries don't have the group entry. Doing a packet capture at the firewall shows that not all packets have the Class attribute. I think it is the same NPS issue discussed on this page, http://www.nicklowe.org/2013/08/nps-class-attribute-bug/


So, what I'd like to try is using the Filter-Id attribute instead. After telling the firewall to use the Filter-Id, no group info is populated at the firewall.


Doing a packet capture on the NPS server shows the Filter-Id attribute in the Access-Accept packets.


A debug on the controller shows the field:

Apr 8 10:16:27 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1156] Filter-Id: TestGroup


Doing a capture of the accounting packet at the firewall doesn't show the field.


It is as if the controller isn't passing the Filter-Id to the firewall in the accounting packet. Has anyone seen this or have any suggestions on how to resolve it? Or am I looking at this entirely wrong?


Thanks,
Robert


Frequent Contributor I
Posts: 79
Registered: 05-15-2012

Re: Firewall SSO via RADIUS Accounting Using Filter-ID with NPS

If I'm looking at the correct RFC, it looks like Filter-Id is a valid attribute for RADIUS accounting.
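Added example, not code from the original thread or from any vendor: a small Python checker that parses a RADIUS Accounting-Request (RFC 2866 framing) and reports whether the Filter-Id (attribute 11) and Class (attribute 25) attributes are present, so a capture taken at the firewall can be checked programmatically instead of by eye. The packet it inspects is constructed sample data, not a real capture; the user name and IP address are placeholders.

```python
import struct

# RADIUS attribute types (RFC 2865/2866) relevant to firewall SSO via accounting
USER_NAME, FRAMED_IP, FILTER_ID, CLASS, ACCT_STATUS_TYPE = 1, 8, 11, 25, 40
ACCOUNTING_REQUEST = 4
NAMES = {USER_NAME: "User-Name", FRAMED_IP: "Framed-IP-Address",
         FILTER_ID: "Filter-Id", CLASS: "Class", ACCT_STATUS_TYPE: "Acct-Status-Type"}

def build_packet(code, ident, avps):
    """Assemble a RADIUS packet from (type, value-bytes) pairs with a zeroed
    authenticator. Used only to construct sample data for this example."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return (code, {attr_type: [raw values]}). Parsing stops at the first
    malformed or truncated AVP so a bad length byte cannot be over-read."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    end = min(length, len(packet))          # never trust the header length alone
    attrs, pos = {}, 20                     # AVPs start after the 20-byte header
    while pos + 2 <= end:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > end:
            break                           # malformed attribute: stop here
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, attrs

def missing_group_attrs(packet):
    """For an Accounting-Request, name the group-carrying attributes (Filter-Id,
    Class) that the NAS did not forward. Other packet codes yield an empty list."""
    code, attrs = parse_attributes(packet)
    if code != ACCOUNTING_REQUEST:
        return []
    return [NAMES[t] for t in (FILTER_ID, CLASS) if t not in attrs]

# Constructed sample: an Accounting-Start carrying User-Name, IP and Class but no
# Filter-Id, mirroring the symptom described in the thread.
SAMPLE_START = build_packet(ACCOUNTING_REQUEST, 7, [
    (USER_NAME, b"user@example.com"),            # placeholder user name
    (FRAMED_IP, bytes([10, 1, 2, 3])),            # placeholder address
    (ACCT_STATUS_TYPE, struct.pack("!I", 1)),     # 1 = Start
    (CLASS, b"TestGroup"),
])

if __name__ == "__main__":
    print(missing_group_attrs(SAMPLE_START))      # ['Filter-Id']
```

Feed it the UDP payload of each accounting packet from the firewall-side capture; a non-empty list on a Start or Interim-Update packet identifies exactly which group attribute the controller dropped.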
