ERS4900 Enhanced Secure Mode & RADIUS

bfaltys
Contributor II
Has anyone gotten this to work? I've enabled enhanced secure mode, configured 2 RADIUS servers, and set cli password telnet radius. However, when I go to log in it says authentication failed, but on the Windows server it shows audit success. Wireshark also sees the RADIUS accept message. We have other Extreme/Avaya switches (VSP & ERS) and we can log in to anything not running in enhanced secure mode. Is there some additional attribute we need to send back to the switch?
1 ACCEPTED SOLUTION

bfaltys
Contributor II
After a lot of digging I finally have the answer. There is an additional RADIUS attribute that needs to be sent back to the switch. The NAS-Filter-Rule attribute was the key. We had to edit C:\Windows\System32\ias\dnary (XML file) to add the attribute to the list in NPS. Added this bit of code:

<Attribute>
    <ID>92</ID>
    <Name>NAS-Filter-Rule</Name>
    <Syntax>OctetString</Syntax>
    <MultiValued>1</MultiValued>
    <Is-Security-Sensitive>0</Is-Security-Sensitive>
    <IsAllowedInProfile>1</IsAllowedInProfile>
    <IsAllowedInCondition>0</IsAllowedInCondition>
    <IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
    <IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
    <LDAPName>msRADIUSNASFilterRule</LDAPName>
    <IsTunnelAttribute>0</IsTunnelAttribute>
</Attribute>

After rebooting the server I was then able to add this attribute to a network policy in NPS.

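A quick way to confirm that the fix above is actually taking effect on the wire is to check whether the Access-Accept your NPS sends carries attribute 92. The following is an added example, not code from the thread or from Extreme/Microsoft: it parses the RADIUS attribute TLVs (RFC 2865 layout) from a raw packet, such as the bytes of the accept message captured in Wireshark, and lists any NAS-Filter-Rule values. The sample packets and the rule string are constructed for illustration; the page does not say which rule text the ERS4900 expects.

```python
import struct

NAS_FILTER_RULE = 92   # RFC 4849 attribute type, the <ID> in the NPS dictionary entry
ACCESS_ACCEPT = 2      # RADIUS packet code for Access-Accept


def parse_radius(packet: bytes):
    """Split a raw RADIUS packet into (code, [(type, value), ...]).

    Header is Code(1) Identifier(1) Length(2) Authenticator(16); attributes
    follow as Type(1) Length(1) Value(Length-2). Malformed input raises
    ValueError instead of silently yielding partial results.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def nas_filter_rules(packet: bytes):
    """Return the NAS-Filter-Rule strings in an Access-Accept; [] if absent or not an accept."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("ascii", "replace") for t, v in attrs if t == NAS_FILTER_RULE]


def build_access_accept(attrs, identifier=0x2A):
    """Assemble a constructed Access-Accept for testing (authenticator zeroed, not computed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body)) + bytes(16) + body


# Constructed samples: Reply-Message (18) only, and Reply-Message plus a NAS-Filter-Rule
ACCEPT_WITHOUT_RULE = build_access_accept([(18, b"Welcome")])
ACCEPT_WITH_RULE = build_access_accept(
    [(18, b"Welcome"), (NAS_FILTER_RULE, b"permit in ip from any to any")])

if __name__ == "__main__":
    print("rules:", nas_filter_rules(ACCEPT_WITH_RULE))   # expect one rule string
    print("rules:", nas_filter_rules(ACCEPT_WITHOUT_RULE))  # expect []
```

An accept that parses cleanly but returns an empty list matches the original symptom: NPS logs audit success, yet the switch rejects the login because the attribute it requires never arrived.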

