Hello

I know it's more of a Cisco issue, but maybe someone here has had the same problem.

For authentication, users use PEAP/MS-CHAPv2; that is working fine.
For authorization, I want to use per-user ACLs from the user profiles on a FreeRADIUS server with a MySQL backend.


As a test, I put a cisco-avpair attribute in my user profile ("ip:inacl#1=deny ip any 10.88.88.150"). The Access-Accept packet looks correct. I tried some other Cisco AVPair attributes like ip:addr=..., other ACLs..., but I can't make it work. My access point just does not care about this VSA. Does anyone see why?

Below:
- FR log
- AP log
- AP conf


FreeRADIUS log:

Sending Access-Accept of id 54 to 10.88.88.1:21645
Framed-IP-Address = 255.255.255.254
Cisco-AVPair = "ip:inacl#1=deny ip any 10.88.88.150"
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = None
Service-Type = Framed-User
MS-MPPE-Recv-Key = 0x85098227b29b979d69966940c5e9bdac5d41947907e977cdd6fc2fd3f2f2afa2
MS-MPPE-Send-Key = 0x1b6b847254ac9389da683cd4e558390f962d95dae0db19a08edec5e6fb0f0edd
EAP-Message = 0x030a0004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "palpatine"
Finished request 77



AP log:

*Mar 1 00:06:37.924: RADIUS: Received from id 21645/54 10.88.88.150:1812, Access-Accept, len 244
*Mar 1 00:06:37.924: RADIUS: authenticator FC 9A E4 8B 24 C2 13 61 - B2 30 22 FA 22 8C C1 2D
*Mar 1 00:06:37.924: RADIUS: Framed-IP-Address [8] 6 255.255.255.255
*Mar 1 00:06:37.925: RADIUS: Vendor, Cisco [26] 43
*Mar 1 00:06:37.925: RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=deny ip any 10.88.88.150"
*Mar 1 00:06:37.925: RADIUS: Framed-Protocol [7] 6 PPP [1]
*Mar 1 00:06:37.925: RADIUS: Framed-MTU [12] 6 1500
*Mar 1 00:06:37.925: RADIUS: Framed-Compression [13] 6 None [0]
*Mar 1 00:06:37.926: RADIUS: Service-Type [6] 6 Framed [2]
*Mar 1 00:06:37.926: RADIUS: Vendor, Microsoft [26] 58
*Mar 1 00:06:37.926: RADIUS: MS-MPPE-Recv-Key [17] 52
*Mar 1 00:06:37.926: RADIUS: E5 79 9A 38 F2 9A A5 FB B3 53 35 4A 10 21 92 FC [?y?8?????S5J?!??]
*Mar 1 00:06:37.926: RADIUS: FF 7B 0A 0B AB FF 3F 02 2D 95 BB D5 52 88 45 D4 [?{??????-???R?E?]
*Mar 1 00:06:37.926: RADIUS: 83 85 A6 56 99 C7 1A AB 1F 97 52 9A 75 66 3E 55 [???V??????R?uf>U]
*Mar 1 00:06:37.927: RADIUS: 5E 4B [^K]
*Mar 1 00:06:37.927: RADIUS: Vendor, Microsoft [26] 58
*Mar 1 00:06:37.927: RADIUS: MS-MPPE-Send-Key [16] 52
*Mar 1 00:06:37.927: RADIUS: E9 2B 40 5C 14 A3 BE 0E F6 2A F1 D7 15 71 90 D7 [EMAIL PROTECTED]
*Mar 1 00:06:37.928: RADIUS: 32 DA 01 5C 9B F4 83 BC 31 9D 34 F6 A7 12 E7 BF [2??\????1?4?????]
*Mar 1 00:06:37.928: RADIUS: 8D D3 E5 4A 6A 9E 39 C3 F5 3A EC D6 37 D2 CF 56 [???Jj?9??:??7??V]
*Mar 1 00:06:37.928: RADIUS: B1 8A [??]
*Mar 1 00:06:37.928: RADIUS: EAP-Message [79] 6
*Mar 1 00:06:37.928: RADIUS: 03 0A 00 04 [????]
*Mar 1 00:06:37.928: RADIUS: Message-Authenticato[80] 18 *
*Mar 1 00:06:37.929: RADIUS: User-Name [1] 11 "palpatine"
*Mar 1 00:06:37.930: RADIUS(00000006): Received from id 21645/54


Access point conf (I followed the Cisco docs):

!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa authorization network default group radius
aaa accounting update periodic 2
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 aaa csid ietf
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption mode ciphers tkip
!
ssid morgane8021X
authentication open eap eap_methods
authentication key-management wpa
accounting acct_methods
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 2312
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 10.88.88.1 255.255.0.0
no ip route-cache
!
ip http server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/ivory/1100
ip radius source-interface BVI1
snmp-server view dot11view ieee802dot11 included
snmp-server community open RW
snmp-server community ieee view ieee802dot11 RW
snmp-server enable traps tty
radius-server host 10.88.88.150 auth-port 1812 acct-port 1813 key 7 094F5B0B10110201
radius-server attribute 8 include-in-access-req
radius-server attribute 32 include-in-access-req format %h
radius-server authorization permit missing Service-Type
radius-server authorization default Framed-Protocol ppp
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
wlccp wds aaa csid ietf
!
line con 0
line vty 5 15
!
end


Thanks

--
Mafioo
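Added example, not from the original post: a small Python encoder/parser for the Cisco-AVPair Vendor-Specific attribute as it appears in the Access-Accept above, handy for checking what the AP actually receives on the wire (the 43-byte VSA and 37-byte sub-attribute lengths in the AP debug). The vendor id 9 and sub-attribute type 1 are the standard Cisco values; the sample attribute list is constructed.

```python
import struct

# Standard values: RFC 2865 Vendor-Specific attribute type, the IANA
# enterprise number for Cisco, and the cisco-avpair sub-attribute type.
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
ATTR_FRAMED_MTU = 12

def encode_cisco_avpair(value):
    """Wrap one cisco-avpair string in a RADIUS Vendor-Specific attribute."""
    data = value.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_attributes(payload):
    """Yield (type, value) for every TLV in a RADIUS attribute list."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        yield atype, payload[i + 2:i + alen]
        i += alen

def cisco_avpairs(payload):
    """Return the cisco-avpair strings carried in Cisco VSAs."""
    pairs = []
    for atype, val in iter_attributes(payload):
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        if struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue
        for stype, sval in iter_attributes(val[4:]):
            if stype == CISCO_AVPAIR:
                pairs.append(sval.decode(errors="replace"))
    return pairs

def per_user_acl(pairs):
    """Order the ip:inacl#N=<ace> entries by N and return the ACE strings."""
    entries = []
    for pair in pairs:
        key, sep, ace = pair.partition("=")
        if sep and key.startswith("ip:inacl#") and key[9:].isdigit():
            entries.append((int(key[9:]), ace))
    return [ace for _, ace in sorted(entries)]

# Constructed sample: Framed-MTU = 1500 followed by the AVPair from the post.
SAMPLE = struct.pack("!BBI", ATTR_FRAMED_MTU, 6, 1500) + encode_cisco_avpair(
    "ip:inacl#1=deny ip any 10.88.88.150")
```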

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
