Frequent Contributor I

Firewall SSO via RADIUS Accounting Using Filter-ID with NPS

I've configured our 802.1x SSIDs to send RADIUS accounting information to our firewall to associate users/computers with IP addresses. We are using Microsoft's NPS server using the User-Name and Class attributes. The Class attribute associates the user/computer with a firewall group. Some entries don't have the group entry. Doing a packet capture at the firewall shows that not all packets have the Class attribute. I think it is the same NPS issue discussed on this page,


So, what I'd like to try is using the Filter-Id attribute instead. After telling the firewall to use the Filter-Id, no group info is populated at the firewall.


Doing a packet capture on the NPS server shows the Filter-ID attribute in the Access-Accept packets. 


A debug on the controller shows the field:

Apr 8 10:16:27 :121031: <DBUG> |authmgr| |aaa| [rc_api.c:1156] Filter-Id: TestGroup


Doing a capture of the accounting packet at the firewall doesn't show the field. 


It is as if the controller isn't passing the Filter-Id to the firewall in the accounting packet. Has anyone seen this or have any suggestions on how to resolve it? Or am I looking at this entirely wrong?
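An added example, not part of the original post: a small parser that makes the capture comparison described above repeatable by reporting, for each RADIUS Accounting-Request payload, whether Filter-Id (type 11) or Class (type 25) is present. The sample packets are constructed for illustration, and the `build` and `group_report` helpers are hypothetical names.

```python
import struct

ACCOUNTING_REQUEST = 4  # RADIUS packet code (RFC 2866)
USER_NAME, FILTER_ID, CLASS = 1, 11, 25  # attribute type numbers (RFC 2865)
NAMES = {FILTER_ID: "Filter-Id", CLASS: "Class"}

def parse_radius(payload):
    """Parse one RADIUS UDP payload into (code, {attr_type: [raw values]})."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not fit the payload")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(atype, []).append(payload[pos + 2:pos + alen])
        pos += alen
    return code, attrs

def group_report(payload):
    """Return user and group attributes of an Accounting-Request, else None."""
    code, attrs = parse_radius(payload)
    if code != ACCOUNTING_REQUEST:
        return None
    text = lambda vals: [v.decode("utf-8", "replace") for v in vals]
    report = {"user": "".join(text(attrs.get(USER_NAME, [])[:1]))}
    for atype, name in NAMES.items():
        report[name] = text(attrs.get(atype, []))
    return report

def build(code, attrs):
    """Construct a sample packet (zeroed authenticator) for offline testing."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples, not captures from the thread.
SAMPLES = [
    build(4, [(USER_NAME, b"alice"), (CLASS, b"TestGroup")]),
    build(4, [(USER_NAME, b"host/pc01")]),            # no group attribute
    build(4, [(USER_NAME, b"bob"), (FILTER_ID, b"TestGroup")]),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(group_report(pkt))
```

Feeding it the UDP payloads exported from the firewall-side capture shows at a glance which accounting packets arrive without either group attribute.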




Frequent Contributor I

Re: Firewall SSO via RADIUS Accounting Using Filter-ID with NPS

If I'm looking at the correct RFC, it looks like Filter-Id is a valid attribute for RADIUS accounting.
