ExtremeSwitching (Other)

  • 1.  ERS4900 Enhanced Secure Mode & RADIUS

    Posted 02-24-2022 11:29
    Has anyone gotten this to work? I've enabled enhanced secure mode, configured 2 RADIUS servers, set cli password telnet radius. However, when I go to log in it says authentication failed, but on the Windows server it shows audit success. Wireshark also sees the RADIUS accept message. We have other Extreme/Avaya switches (VSP & ERS) and we can log in to anything not running in enhanced secure mode. Is there some additional attribute we need to send back to the switch?


  • 2.  RE: ERS4900 Enhanced Secure Mode & RADIUS
    Best Answer

    Posted 03-03-2022 09:37
    After a lot of digging I finally have the answer. There is an additional RADIUS attribute that needs to be sent back to the switch. The NAS-Filter-Rule attribute was the key. We had to edit C:\Windows\System32\ias\dnary (XML file) to add the attribute to the list in NPS. Added this bit of code:

    <Attribute>
        <ID>92</ID>
        <Name>NAS-Filter-Rule</Name>
        <Syntax>OctetString</Syntax>
        <MultiValued>1</MultiValued>
        <Is-Security-Sensitive>0</Is-Security-Sensitive>
        <IsAllowedInProfile>1</IsAllowedInProfile>
        <IsAllowedInCondition>0</IsAllowedInCondition>
        <IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
        <IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
        <LDAPName>msRADIUSNASFilterRule</LDAPName>
        <IsTunnelAttribute>0</IsTunnelAttribute>
    </Attribute>

    After rebooting the server I was then able to add this attribute to a network policy in NPS.