I believe I have a broken lab, in some regard. Here's what I've done to continue troubleshooting it.
Questions: is the RADIUS server behaving properly, from the logs and packet captures? I do see it sending back the AVP "FilterId","labguest" in one of the packets, but not in the accept packet at the end. Should it be there as well? Can someone please do a simple test with a working setup and compare?
I attach the resulting logs and RADIUS traffic screenshots from Wireshark.
Other notes:
I did a fresh build -- write erase all and set up just the master, AP, switch, and back-end services.
Added radius1 with the correct host IP and key.
Created ACL "dont-ping-controller".
Created user-role "labguest" designed to allow the user to do everything but ping the controller.
Used wlan wizard to make an 802.1X VAP. There was a checkbox to set up SDR based on Filter-Id, so I used it.
Here's the relevant part of the resulting config:
user-role labguest
access-list session global-sacl
access-list session apprf-labguest-sacl
access-list session dont-ping-controller
access-list session allowall
access-list session v6-allowall
!
aaa authentication-server radius "radius1"
host "192.168.18.249"
key fb11664b1c366e5eca38c6f86a95cd0b34ee938842c55450
!
aaa server-group "Lab-Emp_srvgrp-zud62"
auth-server radius1
set role condition filter-id value-of
!
I notice the code generated by the wizard referred to "filter-id" rather than "Filter-Id". I changed it at the CLI as follows, but it still didn't help. Since Aruba VSAs are also being ignored, that can't be the sole issue in any case.
aaa server-group "Lab-Emp_srvgrp-zud62"
auth-server radius1
set role condition Filter-Id value-of
***This is bad***
(Master1) # show user mac 44:39:c4:59:e5:64
Name: guest123, IP: 192.168.17.37, MAC: 44:39:c4:59:e5:64, Age: 00:00:00
Role: authenticated (how: ROLE_DERIVATION_DOT1X), ACL: 70/0
Authentication: Yes, status: successful, method: 802.1x, protocol: EAP-PEAP, server: radius1
Authentication Servers: dot1x authserver: radius1, mac authserver:
Bandwidth = No Limit
Bandwidth = No Limit
Role Derivation: ROLE_DERIVATION_DOT1X
VLAN Derivation: Default VLAN
***This is good***
(Master1) # aaa test-server mschapv2 radius1 guest123 guest123 verbose
Authentication Successful
Processing time (ms) : 6.301
Attribute value pairs in request
--------------------------------
Vendor Attribute Value
------ --------- -----
NAS-IP-Address 192.168.18.254
NAS-Port-Id 0
NAS-Port-Type Wireless-IEEE802.11
User-Name guest123
Service-Type Login-User
Calling-Station-Id 0.0.0.0
Called-Station-Id 000B86BE91F0
Microsoft MS-CHAP-Challenge \220\024\274\330\2622FP\351\025c\234\234\256Bv
Microsoft MS-CHAP2-Response
Aruba Aruba-Essid-Name
Aruba Aruba-Location-Id N/A
Aruba Aruba-AP-Group N/A
Aruba Aruba-Device-Type
Message-Auth \223.1\222\034n\362E\224\217\307\371\211\237\3527
PW_RADIUS_ID E
Rad-Length 199
Attribute value pairs in response
---------------------------------
Vendor Attribute Value
------ --------- -----
Service-Type Framed-User
Filter-Id labguest
Microsoft MS-CHAP2-Success
Microsoft MS-MPPE-Recv-Key \307\354$s\277c\215\262|\246\312F\216\275\025v\032\305K\212\271J\370+\225#\314*i\324\321\001
Microsoft MS-MPPE-Send-Key \3137\217\0117<\001#L\212\177\303\023\356\374("\016d#\017\217+a\022\311\214B\273;\260\256V\004
Microsoft MS-MPPE-Encryption-Policy
Microsoft MS-MPPE-Encryption-Types
PW_RADIUS_ID E
Rad-Length 195
PW_RADIUS_CODE \002
PW_RAD_AUTHENTICATOR \274\335\332\250~*\2647\253\321\210\370\016aA.
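One way to check the Access-Accept bytes from a capture against what the controller's role derivation needs, as an added example that is not part of the original post: it parses RADIUS attributes (including Aruba VSAs under enterprise number 14823) and mimics the "set role condition Filter-Id value-of" check. The two packets are constructed samples, not the capture from the post, and the set of configured roles is an assumption.

```python
import struct

ARUBA_VENDOR_ID = 14823                     # IANA enterprise number for Aruba Networks
ATTR_SERVICE_TYPE, ATTR_FILTER_ID, ATTR_VSA = 6, 11, 26
ARUBA_USER_ROLE = 1                         # Aruba VSA sub-type Aruba-User-Role

def attr(t, value):                         # one RADIUS attribute: type, length, value
    return struct.pack("!BB", t, 2 + len(value)) + value

def aruba_vsa(sub_type, value):             # Vendor-Specific (26) wrapping one Aruba sub-attribute
    inner = struct.pack("!BB", sub_type, 2 + len(value)) + value
    return attr(ATTR_VSA, struct.pack("!I", ARUBA_VENDOR_ID) + inner)

def build_packet(code, ident, attrs):       # header + attributes; authenticator is a zero placeholder
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

def parse_attributes(packet):
    """Walk the attribute TLVs; VSAs are keyed as (vendor_id, sub_type)."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    out, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + l]
        if t == ATTR_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            out[(vendor, value[4])] = value[6:4 + value[5]]   # sub-length counts its own 2-byte header
        else:
            out[t] = value
        pos += l
    return code, out

def role_from_accept(packet, configured_roles):
    """Mimic 'set role condition Filter-Id value-of': derived role, or None plus the reason."""
    code, attrs = parse_attributes(packet)
    if code != 2:
        return None, "not an Access-Accept"
    if ATTR_FILTER_ID not in attrs:
        return None, "Filter-Id missing from Access-Accept"
    role = attrs[ATTR_FILTER_ID].decode()
    if role not in configured_roles:                  # name must match a user-role on the controller
        return None, "role %r not configured on controller" % role
    return role, "ok"

# Constructed samples: an Accept carrying Filter-Id (plus Aruba-User-Role VSA), and one without it.
GOOD = build_packet(2, 0x45, [attr(ATTR_SERVICE_TYPE, b"\x00\x00\x00\x02"),
                              attr(ATTR_FILTER_ID, b"labguest"), aruba_vsa(ARUBA_USER_ROLE, b"labguest")])
BAD = build_packet(2, 0x45, [attr(ATTR_SERVICE_TYPE, b"\x00\x00\x00\x02")])
```

Feed it the raw bytes of the final Access-Accept exported from Wireshark to see whether the role derivation condition can match at all.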