This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ERS4900 Enhanced Secure Mode & RADIUS

ERS4900 Enhanced Secure Mode & RADIUS

Go to solution
bfaltys
Contributor II

‎02-24-2022 11:29 AM

Has anyone gotten this to work? I've enabled enhanced secure mode, configured 2 radius servers, set cli password telnet radius. However, when I go to login it says authentication failed, but on the Windows server it shows audit success. Wireshark also sees the radius accept message. We have other Extreme/Avaya switches (VSP & ERS) and we can login to anything not running in enhanced secure mode. Is there some additional attribute we need to send back to the switch?
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
bfaltys
Contributor II

‎03-03-2022 09:37 AM

After a lot of digging I finally have the answer. There is an additional RADIUS attribute that needs to be sent back to the switch. The NAS-Filter-Rule attribute was the key. We had to edit C:\Windows\System32\ias\dnary (XML file) to add the attribute to the list in NPS. Added this bit of code:

<Attribute>
        <ID>92</ID>
        <Name>NAS-Filter-Rule</Name>
        <Syntax>OctetString</Syntax>
        <MultiValued>1</MultiValued>
        <Is-Security-Sensitive>0</Is-Security-Sensitive>
        <IsAllowedInProfile>1</IsAllowedInProfile>
        <IsAllowedInCondition>0</IsAllowedInCondition>
        <IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
        <IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
        <LDAPName>msRADIUSNASFilterRule</LDAPName>
        <IsTunnelAttribute>0</IsTunnelAttribute>
    </Attribute>

After rebooting the server I was then able to add this attribute to a network policy in NPS.

6b536d417d06441b86894f48580f7c95.png

View solution in original post

0 Kudos
1 REPLY 1

Go to solution
bfaltys
Contributor II

‎03-03-2022 09:37 AM

After a lot of digging I finally have the answer. There is an additional RADIUS attribute that needs to be sent back to the switch. The NAS-Filter-Rule attribute was the key. We had to edit C:\Windows\System32\ias\dnary (XML file) to add the attribute to the list in NPS. Added this bit of code:

<Attribute>
        <ID>92</ID>
        <Name>NAS-Filter-Rule</Name>
        <Syntax>OctetString</Syntax>
        <MultiValued>1</MultiValued>
        <Is-Security-Sensitive>0</Is-Security-Sensitive>
        <IsAllowedInProfile>1</IsAllowedInProfile>
        <IsAllowedInCondition>0</IsAllowedInCondition>
        <IsAllowedInProxyProfile>1</IsAllowedInProxyProfile>
        <IsAllowedInProxyCondition>0</IsAllowedInProxyCondition>
        <LDAPName>msRADIUSNASFilterRule</LDAPName>
        <IsTunnelAttribute>0</IsTunnelAttribute>
    </Attribute>

After rebooting the server I was then able to add this attribute to a network policy in NPS.

6b536d417d06441b86894f48580f7c95.png

0 Kudos
GTM-P2G8KFN