CPUG | The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
I have been searching these forums for any information on the proper configuration of RADIUS and the Class attribute to lock users into certain rules. We had it working a while back where the Class attribute matched the group name of the rule, so users logging in would see "authenticated by Radius using nn rules". We use RSA's Steel-Belted Radius to do this. Since an upgrade to a patched version of RSA, I now see users connect and authenticate with all of our rules. It doesn't matter even if the Class attribute has no matching ruleset in SmartDashboard. I don't see anywhere in the logs where the Class attribute is being seen. I also wonder why it is defaulting to all of the rules and not just denying all if they don't get a match. I know the Class attribute is working; we have another VPN service that uses this and locks users into groups. We need to lock users into the rules they need, and with thousands of existing users we cannot duplicate the user database in SmartDashboard, so we want to depend on the generic* profile. I'm puzzled as to why it worked, then stopped working.
What platform are you running? I'm assuming it's Connectra on SecurePlatform? There are plenty of ways to debug RADIUS packets: try tcpdump on the command line if using SPLAT, or use Ethereal. You can see which attribute is passed back to Connectra, e.g. from tcpdump:

```
05:01:48.188642 connectra-test.32828 > dummy.com.radius: rad-access-req 67 [id 57] Attr[ User{tester@dummy.com} [|radius] (DF)
rad-access-accept 99 [id 57] Attr[ Class{Connectra_users} Framed_ipaddr{10.10.10.10} [|radius]
```
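The exchange quoted above, decoded offline, as an added example that is not part of the original post and not Check Point or RSA code. It builds a constructed Access-Accept of the same shape as the one in the tcpdump output (id 57, Class "Connectra_users", Framed-IP-Address 10.10.10.10), parses the RFC 2865 header and attribute-value pairs, pulls out the Class attribute (type 25) the gateway is supposed to match against a rule's group name, and checks the Response Authenticator against the shared secret so a spoofed or corrupted Accept is not trusted. The shared secret and Request Authenticator are made-up values for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# RFC 2865 packet codes and the attribute types relevant to the thread.
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTR_USER_NAME = 1
ATTR_FRAMED_IP = 8
ATTR_CLASS = 25


def encode_attrs(attrs):
    """Encode [(type, bytes)] as RADIUS AVPs: Type(1) Length(1) Value (length covers all three)."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_response(code, ident, request_auth, attrs, secret):
    """Build a server response; Response Authenticator per RFC 2865 section 3:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    hdr = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(hdr + request_auth + body + secret).digest()
    return hdr + resp_auth + body


def parse_packet(data):
    """Parse the 20-byte header and the AVP list, rejecting malformed lengths."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "authenticator": data[4:20], "attrs": attrs}


def verify_response(data, request_auth, secret):
    """Recompute the Response Authenticator; False means the Accept should not be honoured."""
    pkt = parse_packet(data)
    length = struct.unpack("!H", data[2:4])[0]
    expected = hashlib.md5(data[:4] + request_auth + data[20:length] + secret).digest()
    return hmac.compare_digest(expected, pkt["authenticator"])


def class_attributes(data):
    """Every Class value (attribute 25) as text; RADIUS allows more than one."""
    return [v.decode("latin-1") for t, v in parse_packet(data)["attrs"] if t == ATTR_CLASS]


def framed_ip(data):
    """Framed-IP-Address (attribute 8) as dotted quad, or None if absent."""
    for t, v in parse_packet(data)["attrs"]:
        if t == ATTR_FRAMED_IP and len(v) == 4:
            return str(ipaddress.IPv4Address(v))
    return None


def summarize(data, request_auth, secret):
    """What an operator wants to know about an Accept: is it genuine, and which Class came back."""
    pkt = parse_packet(data)
    return {
        "code": CODE_NAMES.get(pkt["code"], pkt["code"]),
        "id": pkt["id"],
        "authentic": verify_response(data, request_auth, secret),
        "class": class_attributes(data),
        "framed_ip": framed_ip(data),
    }


# Constructed sample mirroring the quoted exchange; secret and Request Authenticator are made up.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))
SAMPLE_ACCEPT = build_response(
    2, 57, REQUEST_AUTH,
    [(ATTR_CLASS, b"Connectra_users"), (ATTR_FRAMED_IP, bytes([10, 10, 10, 10]))],
    SECRET,
)

if __name__ == "__main__":
    print(summarize(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
```

Two points worth checking with this in hand: an Accept that carries no Class attribute at all gives an empty list here, which is the case to look for when the gateway falls back to "all rules"; and the `[|radius]` in the quoted tcpdump output means the decoder ran out of captured bytes, so capture with `tcpdump -s 0 -vv` (or Ethereal) to see every attribute rather than only the first one or two.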
We're running a Unix platform. Unfortunately, I can't get tcpdump to work. But while troubleshooting, I disabled all the rules, saved them, then tried logging in. I was authenticated by RADIUS, then it said I was allowed in via all seven (now disabled) rules. What would cause the rule changes to basically be ignored? Could there be a problem between SmartDashboard and the firewall? No changes seem to have worked. Short of deleting these rules and recreating them, is there some way to get them to work the way they were originally?