Extreme Networks

A FilterID is required for Management Access, in most cases of Radius Implementation


Article ID: 5199

Protocols/Features
Radius

Standards
802.1X

Goals
Authenticate to a Radius Server
Configure Filter ID
Configure FilterID

Symptoms
Can't access serial management
Host management session fails
Radius authentication
Radius server authenticates user
Server log indicates successful user authentication
"waiting for authorization"
Radius supplicant still awaiting authorization
Radius login solicitation repeats
"Block Authenticated"
RADIUS[1]: Filter-Id: Unsupported Filter-Id: "enterasys:version=1:mgmt=su:policy=Administrator"

Cause
When the Radius Client feature is active on a switch/router, a user attempting to access the host entity via the local console LM, Telnet to LM, or WebView application is prompted by an authorization screen for a user (supplicant) login name and password.

The embedded Radius Client encrypts the information entered by the user and sends it to the Radius Server for validation. Then the server returns an access-accept or access-denied response back to the client, allowing or denying the supplicant access to the host application.

An access-accept response includes a FilterID string, which connects the authorization policy with the access level to be granted to the supplicant. The absence of a configured FilterID will result in the symptoms stated above.

Of all Radius-capable Enterasys devices, only the X-Pedition router and RoamAbout R2 do not require the FilterID information, using the default policy if no FilterID is returned with an access-accept response.

Solution
Configure a FilterID string on the Radius server.

For Enterasys devices, the format is "Enterasys:version=V:mgmt=M:policy=N" (omit the quotes!), where:
    V is the version number (1); M is the management access level to be granted (su or rw or ro); N is the policy profile name.
Example: Enterasys:version=1:mgmt=su:policy=MyMgmtPolicy

Note: The only known scenario in which case sensitivity is a factor is early firmware versions of the SecureStack/G/D-Series products, which require the "E" in Enterasys to be capitalized for Management authentication to occur. The string is not case-sensitive for Network/user authentication, and even for Management authentication it is no longer case-sensitive as of C3/C2/B3/B2/G-Series f/w x.02.02.0009, A2-Series f/w 2.01.10.0001, and D-Series f/w 6.03.01.0008.

The need for this information is independent of which brand of Radius Server is in use. These include, to name a few: Microsoft IAS, Funk Steel-Belted Radius, Meetinghouse, and FreeRADIUS.

To access the FilterID in Win2000's IAS:
  1. locate the Internet Authentication Service
  2. locate the Remote Access Policies underneath it
  3. click on the policy profile to be used, and write down the name
  4. click the Edit Profile button
  5. select the Advanced tab
  6. select the Filter-Id attribute, if it exists
  7. Add / Remove / Edit the Filter-Id as necessary, using the policy profile name from step 3 as the value for variable N.
Additional hints:
  • The minimum additional information that must be configured to use a server is its IP and shared secret.
  • The secondary server is always consulted if it has been configured with its IP and Shared Secret.
  • If communication is lost to all servers, and the user is connected to the local console serial port (or is remotely connected to the serial port by means of remote and local modems), the authorization screen will change to allow access to the switch by using the Local Management Module password.
  • If the user is connected remotely via telnet or WebView, the switch will continue to deny access until communication with the Radius Server is operational again.
  • There is no need to have the Radius login name configured on the Client device, as a Radius access-accept action totally overrides the login names and passwords configured on the Client.
  • If policy is implemented using NetSight Policy Manager, the FilterID corresponds to a named policy as defined within that application.
  • In most cases, if a policy is not found to match the returned FilterID, either the default policy (if it exists) will be used or no specific refusal action will be taken.
  • For the RoamAbout R2, if a policy is not found to match the returned FilterID, the client's traffic will be blocked, and the client will show up in AP Manager's Client screen as "Blocked / Authenticated". For these cases, either correct so a match will occur, or remove the FilterID from the server.
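As an added example (not part of the original article), the following Python checker validates a Filter-Id string against the "Enterasys:version=V:mgmt=M:policy=N" format described in the Solution and against the policy-matching hints above, so a misconfigured value can be caught on the server before a management login hangs at "waiting for authorization". The function names, the `early_firmware` and `known_policies` parameters and the sample values are assumptions constructed for this illustration.

```python
"""Validate Enterasys-style RADIUS Filter-Id strings (added example)."""
from typing import Dict, List, Optional, Set
VALID_MGMT_LEVELS = {"su", "rw", "ro"}  # management access levels named in the article
SUPPORTED_VERSIONS = {"1"}              # the article documents version 1 only

def parse_filter_id(value: str) -> Dict[str, str]:
    """Split 'Enterasys:version=V:mgmt=M:policy=N' into its fields; ValueError if malformed."""
    parts = value.split(":")
    if len(parts) != 4:
        raise ValueError("expected 4 colon-separated fields, got %d" % len(parts))
    fields = {"vendor": parts[0]}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if not sep or not key or not val:
            raise ValueError("field %r is not key=value" % part)
        fields[key] = val
    return fields

def check_filter_id(value: str, early_firmware: bool = False,
                    known_policies: Optional[Set[str]] = None) -> List[str]:
    """Return the problems found (empty list = usable). early_firmware=True enforces the
    capital-'E' rule for early SecureStack/G/D-Series management logins; known_policies,
    if given, are the policy profile names defined on the device."""
    if not value:
        return ["Filter-Id missing: management login waits for authorization"]
    try:
        f = parse_filter_id(value)
    except ValueError as exc:
        return ["malformed Filter-Id: %s" % exc]
    problems = []
    if f["vendor"].lower() != "enterasys":
        problems.append("vendor prefix must be 'Enterasys', got %r" % f["vendor"])
    elif early_firmware and f["vendor"] != "Enterasys":
        problems.append("early firmware requires a capital 'E' in 'Enterasys'")
    for key in ("version", "mgmt", "policy"):
        if key not in f:
            problems.append("missing field '%s'" % key)
    if "version" in f and f["version"] not in SUPPORTED_VERSIONS:
        problems.append("unsupported version %r" % f["version"])
    if "mgmt" in f and f["mgmt"] not in VALID_MGMT_LEVELS:
        problems.append("mgmt must be su, rw or ro, got %r" % f["mgmt"])
    if known_policies is not None and f.get("policy") not in known_policies:
        problems.append("policy %r is not defined on the device" % f.get("policy"))
    return problems

if __name__ == "__main__":  # constructed samples: the article's example, the lowercase
    for s in ("Enterasys:version=1:mgmt=su:policy=MyMgmtPolicy",  # variant from the log,
              "enterasys:version=1:mgmt=su:policy=Administrator",  # a bad level, and
              "Enterasys:version=1:mgmt=admin:policy=MyMgmtPolicy", ""):  # no attribute
        print(repr(s), "->", check_filter_id(s, early_firmware=True) or "OK")
```

Pass the policy names defined in NetSight Policy Manager as `known_policies` to also catch a Filter-Id that would fall through to the default policy (or, on a RoamAbout R2, leave the client "Blocked / Authenticated").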
