XIQ-SE how to check NAS Identifier in Rule

xiqa
New Contributor II

We have an XIQ-C with several WLANs that authenticates the users/machines on a Windows NPS Server. We'd like to migrate the RADIUS Server from the Windows NPS Server to our XIQ-SE. 

The AAA Groups on the XIQ-C are configured with a NAS ID, because that is one of the checks on the NPS Server to differentiate between different authentication protocol types (EAP-TLS and EAP-PEAP) that are used by the clients. 

Now I'd like to implement the same logic on our XIQ-SE, but I can't find where I can check the NAS ID value in a new rule. Can someone help me? 


Ryan_Yacobucci
Extreme Employee

Hello,

I'm interested in how you have configured your environment in such a way that the NAS Identifier is a reflection of how to differentiate between protocol types. Typically protocol types are negotiated by clients, it's common that multiple EAP types can be handled by a single NAS Identifier. 

I think you can utilize the "RADIUS User Group" function to key off this RADIUS AVP. I seem to remember a directionality component of it (We may only be able to key off of RADIUS accept AVPs from the NPS server and not RADIUS request AVPs headed to the NPS server), but we'll cross that bridge when we come to it.

We can enable debug and see what AVPs are being sent for evaluation from the RADIUS engine. Once you have proxy RADIUS configured and functioning, set up debug.

To enable RADIUS debug (Right click the NAC --> WebView --> Diagnostics --> Appliance/Server Diagnostics)

set:

"Authentication Request Processing - RADIUS" 
"Authentication Request Processing - EAC" 
"Rules Engine - Low level criteria"
"Rules Engine - Authentication"
"Rules Engine - Authorization"

To "Verbose"


When the debug is set up, have a test end system authenticate to the network. You will need to disassociate the wireless client, or link down/link up a wired end system to make sure an authentication has completed.

Once completed, reset debug to defaults.

/var/log/radius/radius/log
/var/log/tag.log

These files will show you how the authentication was processed. 

To see how the AVPs are being transferred for evaluation, you can look for the last 3 octets of the MAC in "XX-XX-XX" format in the tag.log.
Prior to the Post auth evaluation there will be an attribute dump that contains all attributes available for evaluation.

You may be able to create a RADIUS user group for "NAS-Identifier" and as a value use the desired NAS identifier that is being configured.

The tag.log will also show you how the evaluation for the rule was performed to match the configured AVP. Hopefully you should be able to find the AVP in the attribute dump for the post auth evaluation (there are multiple evaluations), and see the rules engine match the value during rules evaluation.

Thanks
-Ryan


xiqa
New Contributor II

Hi Ryan

I inherited this setup. On XIQ-C there are two SSIDs that are configured, so your response got me thinking. One of them is used for the EAP-TLS authentication protocol and the other is for the EAP-PEAP. On the NPS server the condition that is checked to differentiate between both SSIDs is the NAS Identifier. But I could use the SSID as a condition on the XIQ-SE to differentiate between both and could achieve the same result.

Thank you very much. 
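The two posts above turn on which request AVPs a rule can key on: NAS-Identifier (the NPS condition) or the SSID. The following is an added example, not code from this thread or from XIQ-SE, that parses a RADIUS Access-Request per RFC 2865 and evaluates both conditions the way a rules engine would, rejecting malformed attributes instead of skipping them. The rule tables, the NAS-Identifier values, the SSID names and the "<AP-MAC>:<SSID>" layout of Called-Station-Id are assumptions for illustration, not values from the page.

```python
import struct

# Attribute type codes from RFC 2865.
USER_NAME, CALLED_STATION_ID, NAS_IDENTIFIER = 1, 30, 32
# Constructed rule tables: one NAS-Identifier per WLAN (the NPS logic) and the SSID alternative.
NAS_ID_RULES = {"wlan-tls": "EAP-TLS", "wlan-peap": "EAP-PEAP"}
SSID_RULES = {"Corp-TLS": "EAP-TLS", "Corp-PEAP": "EAP-PEAP"}

def parse_radius(packet: bytes) -> dict[int, list[bytes]]:
    """Return {attribute type: [values]}. Malformed lengths raise rather than being
    skipped: a rule keyed on an AVP must never evaluate a truncated or overlapping one."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError(f"header says {length} bytes, got {len(packet)}")
    attrs: dict[int, list[bytes]] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def build_access_request(avps: list[tuple[int, bytes]]) -> bytes:
    """Access-Request (code 1); the 16-octet Request Authenticator is zeroed only so the sample is reproducible."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body

def select_policy(attrs: dict[int, list[bytes]]) -> tuple[str, str]:
    """Return (policy, matched condition). NAS-Identifier is tried first, as in the NPS rule;
    the SSID inside Called-Station-Id ("<AP-MAC>:<SSID>", assumed layout) is the fallback."""
    nas_ids = attrs.get(NAS_IDENTIFIER, [])
    if len(nas_ids) == 1:  # exactly one, so the match is unambiguous
        nas_id = nas_ids[0].decode("utf-8", "replace")
        if nas_id in NAS_ID_RULES:
            return NAS_ID_RULES[nas_id], f"NAS-Identifier={nas_id}"
    for csid in attrs.get(CALLED_STATION_ID, []):
        ssid = csid.decode("utf-8", "replace").split(":", 1)[-1]
        if ssid in SSID_RULES:
            return SSID_RULES[ssid], f"SSID={ssid}"
    return "reject", "no condition matched"

# Constructed sample request from the EAP-TLS WLAN.
SAMPLE = build_access_request([(USER_NAME, b"host/laptop01.example.test"), (NAS_IDENTIFIER, b"wlan-tls"),
                               (CALLED_STATION_ID, b"AA-BB-CC-DD-EE-FF:Corp-TLS")])
```

Running `select_policy(parse_radius(SAMPLE))` yields `("EAP-TLS", "NAS-Identifier=wlan-tls")`; a request carrying only the PEAP SSID falls through to the SSID rule.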

OscarK
Extreme Employee

In AAA you can create rules and locations where the location is the switch IP.