802.1x Authentication with Radius Filter-ID

Innos
Member
Posts: 3
Joined: 19 May 2025 09:09

802.1x Authentication with Radius Filter-ID

Post by Innos »

Hey Guys,
I'm new here and desperate. Maybe someone is able to help me out.
I am trying to configure 802.1x authentication with NPS as RADIUS server. I'm using the Filter-ID attribute, but it's not working well. All clients end up in the alternate VLAN. In the long run I want all devices to be authenticated by 802.1x. For now I'm just focusing on one client, which should end up in VLAN 58.

Hardware: Alcatel-Lucent Enterprise OS6560-P48X4 8.10.102.R01 GA

Configuration:

AAA:
aaa radius-server "NPS1" host x.x.x.x hash-key "XXXXXX" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default
aaa radius-server "NPS2" host x.x.x.x hash-key "XXXXXX" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default
aaa radius-server "NPS3" host x.x.x.x hash-key "XXXXXX" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default
aaa radius-server "NPS4" host x.x.x.x hash-key "XXXXXX" retransmit 3 timeout 2 auth-port 1812 acct-port 1813 vrf-name default

aaa profile "AAA_1"
aaa profile "AAA_1" device-authentication 802.1x "NPS1"
aaa profile "AAA_2"
aaa profile "AAA_2" device-authentication 802.1x "NPS2"
aaa profile "AAA_3"
aaa profile "AAA_3" device-authentication 802.1x "NPS3"
aaa profile "AAA_4"
aaa profile "AAA_4" device-authentication 802.1x "NPS4"

aaa device-authentication mac "NPS1" "NPS2" "NPS3" "NPS4"
aaa device-authentication 802.1x "NPS1" "NPS2" "NPS3" "NPS4"
aaa accounting 802.1x "NPS1" "NPS2" "NPS3" "NPS4"

aaa radius nas-ip-address local-ip 'IP-Adresse Switch'

unp profile "Client"
unp profile "Client" map vlan 58

unp profile "Voice"
unp profile "Voice" map vlan 68

unp profile "IoT"
unp profile "IoT" map vlan 62

unp profile "WLAN-AP"
unp profile "WLAN-AP" map vlan 70

unp profile "salto"
unp profile "salto" map vlan 1

unp profile "alternate"
unp profile "alternate" map vlan 71

unp port-template "TEMPL-1" aaa-profile "AAA_1" default-profile "alternate" 802.1x-authentication pass-alternate "alternate"

Port config:
unp port 1/1/25 port-type bridge
unp port 1/1/25 port-template "TEMPL-1"
unp redirect port-bounce enable

This won't work. If I look it up, it always says Server unreachable. I double checked the firewall and the shared secret.

show unp user details port 1/1/25
Port: 1/1/25
MAC-Address: 6c:02:e0:06:7a:fb
SAP = -,
Service ID = -,
VNID = -,
VPNID = -,
ISID = -,
VPLSID = -,
Access Timestamp = 05/19/2025 14:23:16,
User Name = host/LLA222.bruecknertt.local,
IP-Address = 192.168.71.13,
Vlan = 71,
Authentication Type = 802.1x,
Authentication Status = Failed,
Authentication Failure Reason = Reason - Server - Unreachable,
Authentication Retry Count = 0,
Authentication Server IP Used = -,
Authentication Server Used = -,
Server Reply-Message = -,
Profile = alternate,
Profile Source = Auth Fail - Default UNP,
Profile From Auth Server = -,
Session Timeout = -,
Classification Profile Rule = -,
Role = -,
Role Source = -,
User Role Rule = -,
Restricted Access = No,
Location Policy Status = -,
Time Policy Status = -,
QMR Status = Passed,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None,
Encap Value = -,
Rule ID = 1,

Total users : 1

This is what the nps is saying:

Der Netzwerkrichtlinienserver hat einem Benutzer den Zugriff verweigert.

Wenden Sie sich an den Administrator des Netzwerkrichtlinienservers, um weitere Informationen zu erhalten.

Benutzer:
Sicherheits-ID: NULL SID
Kontoname: alcatel
Kontodomäne: -
Vollqualifizierter Kontoname: -

Clientcomputer:
Sicherheits-ID: NULL SID
Kontoname: -
Vollqualifizierter Kontoname: -
ID der Empfangsstation: -
ID der Anrufstation: -

NAS:
NAS-IPv4-Adresse: -
NAS-IPv6-Adresse: -
NAS-ID: -
NAS-Porttyp: -
NAS-Port: -

RADIUS-Client:
Clientanzeigename: Switch1
Client-IP-Adresse: 192.168.x.x

Authentifizierungsdetails:
Name der Verbindungsanforderungsrichtlinie: -
Netzwerkrichtlinienname: -
Authentifizierungsanbieter: -
Authentifizierungsserver: lradius.bruecknertt.local
Authentifizierungstyp: -
EAP-Typ: -
Kontositzungs-ID: -
Protokollierungsergebnisse: Die Kontoinformationen wurden in die lokale Protokolldatei geschrieben.
Ursachencode: 49
Ursache: Die RADIUS-Anforderung stimmte mit keiner konfigurierten Verbindungsanforderungsrichtlinie (Connection Request Policy, CRP) überein.

Sorry for the German language. Basically the switch is trying to authenticate itself instead of the client.
Anyone who has an idea?
Cristek
Member
Posts: 94
Joined: 08 Mar 2024 10:56

Re: 802.1x Authentication with Radius Filter-ID

Post by Cristek »

I'd start with checking if the reason they end up in the alternate vlan is because of the default-profile "alternate" or because of 802.1x-authentication pass-alternate "alternate". If you remove the pass-alternate string, do they still end up in the alternate because of the default config? That will tell you where to focus your attention I guess.

You can also check if Radius is working as expected with:
aaa test-radius-server 'NPS1' type authentication user employee1 password abcd1234
silvio
Alcatel Unleashed Certified Guru
Posts: 2072
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x Authentication with Radius Filter-ID

Post by silvio »

Hi,
The test command provided by Cristek is a good start. But use it with "method pap" and allow PAP at your server.
Yesterday evening I spoke with your partner about your case. But now in the post I see the reason:
Ursache: Die RADIUS-Anforderung stimmte mit keiner konfigurierten Verbindungsanforderungsrichtlinie (Connection Request Policy, CRP) überein.

Please try the following: create a new "Verbindungsanforderungsrichtlinie" with condition "NAS-Porttyp Ethernet". At settings (Einstellungen) - Authentication -> on this server (first point). Now make sure that this policy is the first one (with order 1). Now all incoming requests from Ethernet devices (like your switch) should match and the server is looking for a "network policy" at the server.
Because no other policy is matching, the point in the order should not be important. You can leave it at the bottom too.
BR Silvio
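As an added example (not code from the thread, from ALE or from Microsoft), here is a stdlib-only Python model of the PAP exchange that `aaa test-radius-server ... method pap` performs, so you can check the shared secret and confirm that the Access-Accept from NPS actually carries Filter-Id with the UNP profile name ("Client" for VLAN 58). The secret, user, password and NAS address are placeholders taken from the thread, and the server-side reply builder is a constructed stand-in for what NPS returns.

```python
import hashlib
import os
import socket
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID, NAS_PORT_TYPE = 1, 2, 4, 11, 61  # RFC 2865 attribute types
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ETHERNET = 1, 2, 3, 15  # NAS-Port-Type 15 = Ethernet (the CRP condition)

def pap_encrypt(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous cipher block)
    pw = password.encode().ljust(16, b"\x00")
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret.encode() + prev).digest()))
        out += prev
    return out

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    # Same shape as the request 'aaa test-radius-server ... method pap' sends (values here are placeholders)
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(USER_NAME, user.encode()) + attr(USER_PASSWORD, pap_encrypt(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)) + attr(NAS_PORT_TYPE, struct.pack("!I", ETHERNET)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def make_reply(code, ident, request_authenticator, secret, filter_id=None):
    # Constructed server-side answer: an Access-Accept from a network policy carries Filter-Id = UNP profile name
    attrs = attr(FILTER_ID, filter_id.encode()) if filter_id else b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret.encode()).digest() + attrs

def decode_reply(reply, secret, request_authenticator):
    # Returns ('bad-authenticator' | 'reject' | 'accept', Filter-ID string or None)
    length = struct.unpack("!H", reply[2:4])[0]
    attrs = reply[20:length]
    if hashlib.md5(reply[:4] + request_authenticator + attrs + secret.encode()).digest() != reply[4:20]:
        return "bad-authenticator", None  # shared secret differs on one side, or the reply was tampered with
    if reply[0] != ACCESS_ACCEPT:
        return "reject", None
    i = 0
    while i + 2 <= len(attrs):  # walk the TLV list looking for Filter-Id
        if attrs[i] == FILTER_ID:
            return "accept", attrs[i + 2:i + attrs[i + 1]].decode()
        i += max(attrs[i + 1], 2)
    return "accept", None
```

To run it against a real NPS, send the output of build_access_request() to UDP port 1812 with a socket timeout of 2 s and pass the datagram you get back to decode_reply(); no answer within the timeout is exactly the "timeout" the switch prints, while "bad-authenticator" points at the shared secret.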
Innos
Member
Posts: 3
Joined: 19 May 2025 09:09

Re: 802.1x Authentication with Radius Filter-ID

Post by Innos »

Hey Guys,

Sorry for the delayed answer, I'm working on multiple projects at a time.

So I started by testing the command provided by Cristek.

aaa test-radius-server "NPS1" type authentication user employee1 password abcd1234 method pap
Testing Radius Server <192.168.x.x/NPS1>
Please wait...
Reply from 192.168.x.x port 1812 req_num<0>: timeout
Reply from 192.168.x.x port 1812 req_num<1>: timeout
Reply from 192.168.x.x port 1812 req_num<2>: timeout

Not sure what it was supposed to return, but I guess since we don't have the user "employee1" it should return something like "Can't find the user"...

@silvio, about your second solution: I did that already, but it's not working:
verbindungsanforderungsrichtlinie1.png
verbindungsanforderungsrichtlinie2.png
verbindungsanforderungsrichtlinie3.png
Here is the configuration for our network policies:
Netzwerkrichtlinien1.png
Netzwerkrichtlinien2.png
netzwerkrichtlinien3.png
netzwerkrichtlinien4.png
Netzwerkrichtlinien5.png
The shared secret is guaranteed to be the right one for the switches and the RADIUS client.
Windows firewall is disabled.
The firewall is not blocking any traffic.

The switch is practically doing what it is supposed to: if you can't authenticate yourself on the RADIUS server, the client gets guest VLAN 71.
I just don't get why it can't authenticate itself...
We are trying to authenticate with a certificate that all computers in the group "Radius-Access" have. The certificate is definitely working, since we are already using it for Wi-Fi.
silvio
Alcatel Unleashed Certified Guru
Posts: 2072
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x Authentication with Radius Filter-ID

Post by silvio »

Hi, no time today for looking deeper... but is it possible to have a remote session tomorrow with your partner ITR and me?
If yes, then please contact them for a date (for me, the whole day is possible).
BR Silvio
Innos
Member
Posts: 3
Joined: 19 May 2025 09:09

Re: 802.1x Authentication with Radius Filter-ID

Post by Innos »

Hey,
I talked to our partner. The meeting will start tomorrow (28.05.) at 9 AM. Thank you very much, silvio.
BR Enes
silvio
Alcatel Unleashed Certified Guru
Posts: 2072
Joined: 01 Jul 2008 10:51
Location: Germany

Re: 802.1x Authentication with Radius Filter-ID

Post by silvio »

Hi Enes,
Date is blocked for you.
BR Silvio