Good morning list,

I've been setting up FreeRADIUS to operate in the eduroam environment.
At the moment my problem is the VLAN attribution, which depends on the
Windows domain of the user, or on whether the user is roaming from another institution.

I've solved the VLAN based on the Windows domain, using the following
directives in the /etc/freeradius/users file.

DEFAULT Ldap-Group == "ISCTE"
                        Service-Type = "Framed-User",
                        Reply-Message = "Eduroam ISCTE",
                        Framed-MTU = 1300,
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = IEEE-802,
                        Tunnel-Private-Group-Id = "211"

DEFAULT Ldap-Group == "Alunos"
                        Service-Type = "Framed-User",
                        Reply-Message = "Eduroam Alunos",
                        Framed-MTU = 1300,
                        Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = IEEE-802,
                        Tunnel-Private-Group-Id = "212"

As for the VLAN attribution when the user is a roaming user (i.e. goes to a
proxy to be authenticated), I have made several attempts, without success. I haven't
managed to do it through the users file above; my last attempt was trying to
set them up in the /etc/freeradius/attrs file with attr_filter.post-proxy,
however it seems to interfere with the EAP/password negotiation. The setup is
as follows, and I would like to ask for an alternative place to insert the
roaming VLAN.

post-proxy {
        post_proxy_log
        attr_filter.post-proxy     # here <---------------------------
        Post-Proxy-Type Fail {
                detail
        }
}

and then the attrs file:

DEFAULT
        EAP-Message =* ANY,
        User-Name =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        Message-Authenticator =* ANY,
        State =* ANY,
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        Session-Timeout =* ANY,
        Idle-Timeout =* ANY,
        MS-CHAP-MPPE-Keys =* ANY,
        Service-Type := "Framed-User",
        Reply-Message := "Eduroam Roaming",
        Tunnel-Type := "VLAN",
        Tunnel-Medium-Type := "IEEE-802",
        Tunnel-Private-Group-Id := "216",
        Framed-MTU := 1300,
        Framed-Filter-ID =* ANY

Regards,
Rui Ribeiro



