Guy Davies wrote:
2008/4/29 Arran Cudbard-Bell <[EMAIL PROTECTED]>:
Alan DeKok wrote:

Guy Davies wrote:


[..snip..]

You need to tell us which EAP method you plan to use.  If you are
using local users, you can take your pick from EAP-TTLS/PAP or
PEAP/MS-CHAPv2.  If you use the former, you can have the passwords
encrypted in the users file.  If you use the latter, the passwords
must be in clear text.



 Unless you're using PEAP offload in which case you just need to list the
mschap module, and have the user password available in cleartext or as an nt
/ lm hash... but don't use PEAP offload. Terminate the EAP tunnel in FR, it
generally works better and is far simpler.

Agreed.  PEAP offload was OK if you had a crappy backend RADIUS server
that didn't support EAP very well (or at all), but with a FR backend,
you're better off just passing your EAP straight through.

[..snip..]

Trapeze uses some VSAs to specify which VLAN a user should be
connected to, what time-of-day they can connect, etc.

 Hmm, no. Trapeze use the standard VLAN assignment attributes just like any
other Vendor. You may be able to use the VSAs to do fancy stuff but :

 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-ID = <VID>

Then that's definitely changed since I used to use Trapeze when it was
first brought to market.  I started with a pre-FCS version ;-)  They
used to have VSAs for Trapeze-VLAN-Name that was quite nice if  you
had different default VLAN numbers in different buildings in the
campus.  You could name all the default VLANs the same but give the
VLANs different IDs in the different MXes.  Using the
Tunnel-Private-Group-ID means you have to have a consistent VLAN ID
for a particular user group across a campus.
Yes, which is neat. They also support local VLAN switching on the higher end units, not sure if that's new. I've put in a feature request for VTP & GVRP, but I don't know if they'll be implemented.

 Works just the same.

 Just look in
dictionary.trapeze and you'll see the options.  The Trapeze
documentation was always pretty good at explaining the purpose and
format of those VSAs.  You *MUST* include a VLAN-Name VSA when
responding to a Trapeze unit or it won't connect you to the correct
VLAN.


 I have a MXR-2 sitting on my desk that says otherwise. You can set a
default VLAN for each wireless service profile....

Doesn't that just pick up users that fail to attempt 802.1x
authentication?  Again, it's been a while since I last used Trapeze
kit so things may have changed significantly since then.

The fall-through stuff doesn't work too well, and it's dealt with in a different manner now as well; regarding VLANs, you can set a default VLAN for an SSID, and choose to override it with an assignment from the server, or set a default VLAN and keep it no matter what the server assignment.
 Ah, yes.  *That* vendor.



 I happen to quite like that vendor and wish people would stop spreading
misinformation, especially if they haven't used the kit for a few years
*hmpf*.

I also very much liked that vendor and had no intention of spreading
misinformation.  I very specifically stated that it had been a while
since I used the kit so that people would take my information in
context.  I object to being accused of spreading misinformation
intentionally.  I am not frequently active on this list but I do try
to give valid information.  If it's wrong, then I'll hold my hand up
but berating people for trying will just make people stop giving
advice altogether.

Sorry, I tend to be more 'bitey' when sleepy / just awaking from sleep. I know you weren't intentionally spreading misinformation... it just happens when you haven't used something in a number of years. It appears there's a fair amount of 'voodoo' surrounding Trapeze and external RADIUS server configuration; just trying to keep it to a minimum.

Arran
Guy
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
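
The standard VLAN assignment attributes quoted in the thread (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), shown as they appear on the wire, with a check that a reply carries a complete and usable assignment. This is an added example, not part of the original messages; the numeric codes are taken from RFC 2868 and RFC 3580, and the function names and the sample VLAN 20 are constructed for illustration.

```python
import struct

# Attribute numbers and values from RFC 2868 / RFC 3580
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

def encode_vlan_reply(vid, tag=0):
    """Build the three reply attributes as raw RADIUS TLVs (hypothetical helper)."""
    out = b""
    for attr, value in ((TUNNEL_TYPE, VLAN), (TUNNEL_MEDIUM_TYPE, IEEE_802)):
        # type, length 6, one tag octet, 24-bit value
        out += struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")
    group = str(vid).encode("ascii")
    if tag:  # the tag octet is only present on the string attribute when used
        group = bytes([tag]) + group
    return out + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group

def parse_vlan_assignment(attrs):
    """Return the assigned VLAN ID, or None if the set is incomplete or unusable."""
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        attr, body = attrs[i], attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tunnel attribute %d must carry tag + 3 octets" % attr)
            found[attr] = int.from_bytes(body[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # First octet 0x01-0x1F is a tag; above 0x1F it is already string data
            if body and 0x01 <= body[0] <= 0x1F:
                body = body[1:]
            found[attr] = body.decode("ascii", "replace")
    if found.get(TUNNEL_TYPE) != VLAN or found.get(TUNNEL_MEDIUM_TYPE) != IEEE_802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if group.isdigit() and 1 <= int(group) <= 4094:
        return int(group)
    return None

if __name__ == "__main__":
    sample = encode_vlan_reply(20)  # constructed sample, VLAN 20
    print(sample.hex(), "->", parse_vlan_assignment(sample))
```

A reply that omits Tunnel-Type or Tunnel-Medium-Type, or whose group ID is not a number in 1-4094, comes back as `None`, which is the case to look for when a client lands on the default VLAN instead of the assigned one.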