NMAS Radius Profile Attributes not being returned

  • 3787521
  • 31-May-2007
  • 16-Mar-2012

Environment


Novell Modular Authentication Service (NMAS) RADIUS 4.14
Novell ConsoleOne 1.3.6

Situation

Attributes were added via ConsoleOne to a new RADIUS:Dial Access Profile object; however, the attributes are not being returned.

In comparison, existing RADIUS:Dial Access Profile objects with attributes work properly.

Resolution

Correct the rights to the attributes using the following process:
  1. Using ConsoleOne, locate the working "RADIUS:Dial Access Profile" object, and identify the rights that have been given to the object. For example, the [PUBLIC] pseudo user typically has read rights to the "RADIUS:Attribute List".
  2. Locate the new "RADIUS:Dial Access Profile" object, and add similar rights to the new object.
  3. Run
    RADIUS REFRESHCACHE
    on the RADIUS server.
  4. Attempt the login.
Alternatively, the missing attribute rights can be identified using the ConsoleOne NDS Import/Export wizard, as follows:
  1. In this method, start the NDS Import/Export Wizard.
  2. Select "Export" and click "Next".
  3. Specify port 636, and the BorderManager/RADIUS server's IP address.
  4. Choose "authenticated login" and use an admin account in LDAP syntax (e.g. "cn=admin,o=novell").
  5. Specify the password, and click "Next".
  6. Specify the DN for the functional "RADIUS:Dial Access Profile" object in LDAP syntax (e.g. "cn=DAP,o=novell").
  7. Click "Next".
  8. Specify the file to export to, and click "Next".
  9. Click "Finish".
  10. Repeat the process for the failing "RADIUS:Dial Access Profile" object.
  11. Compare the ACL: lines in each to see what is missing on the broken one.
  12. Add each trustee right that was missing.
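
The ACL comparison in step 11 can be scripted once both exports exist. The Python below is an added example, not part of the original TID or any Novell tool; it assumes the wizard wrote standard LDIF text, treats each ACL value as an opaque string, and uses constructed sample exports (the ACL values and the name cn=DAP2 are placeholders).

```python
import base64

def acl_values(ldif_text):
    """Return the set of ACL values found in an LDIF export."""
    # Unfold first: an LDIF line starting with one space continues the previous line.
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    acls = set()
    for line in lines:
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "acl":
            continue
        if rest.startswith(":"):  # "ACL:: ..." means the value is base64-encoded
            acls.add(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        else:
            acls.add(rest.strip())
    return acls

def missing_acls(working_ldif, failing_ldif):
    """ACL values present on the working profile but absent on the failing one."""
    return sorted(acl_values(working_ldif) - acl_values(failing_ldif))

# Constructed sample exports (not from a real tree); values are placeholders.
A1 = "2#entry#[Public]#RADIUS:Attribute List"
A2 = "2#entry#[Root]#[Entry Rights]"
A3 = "6#entry#cn=admin,o=novell#[All Attributes Rights]"
WORKING = (
    "version: 1\n\ndn: cn=DAP,o=novell\n"
    "ACL: 2#entry#[Public]#RADIUS:Attri\n bute List\n"   # folded line
    f"ACL: {A2}\nACL: {A3}\n"
)
FAILING = (
    "version: 1\n\ndn: cn=DAP2,o=novell\n"
    f"ACL:: {base64.b64encode(A2.encode()).decode()}\n"  # base64 form
    f"acl: {A3}\n"
)

if __name__ == "__main__":
    for value in missing_acls(WORKING, FAILING):
        print("missing on failing profile:", value)
```

Each value reported is a trustee assignment to review before adding it to the new object in step 12.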

Additional Information

In a RADDBG.LOG file, a working "RADIUS:Dial Access Profile" object typically produces lines such as the following:

PutAttributesInBuffer, calling FilterAttribute
Filter attribute, vendorID: 0, attribute: 7
PutAttributesInBuffer, calling FilterAttribute
Filter attribute, vendorID: 0, attribute: 15
PutAttributesInBuffer, calling FilterAttribute
Filter attribute, vendorID: 0, attribute: 10
PutAttributesInBuffer, calling FilterAttribute
Filter attribute, vendorID: 0, attribute: 6
->Sending Access-Accept (2) [(ip) 156.42.235.142(3813)] count=76
->Inserting into RespQ , code(2) id(20).
-------- END : (Access-Request (1)) [(ip) 156.42.235.142:3813]: time:1674199868---

The failing "RADIUS:Dial Access Profile" object, by contrast, will not show any of the "Filter attribute" or "PutAttributesInBuffer" lines.