A few things -- I do note the case doesn't match (-id vs -Id) in your original 
paste. Second, even though the value of 16 is not what you want, even if you 
get that fixed, note that it is not being copied to the outer reply (e.g. with 
use_tunneled_reply in peap, or maybe you are filtering it away in ./attrs.)

(Also note that once you get that working, it should work, but there are some 
Cisco devices that instead want Cisco-AVPair += "tunnel-private-group-id=XXX", 
though I have only seen this on wired switches not APs.)

________________________________
From: freeradius-users-bounces+bjulin=clarku....@lists.freeradius.org 
[mailto:freeradius-users-bounces+bjulin=clarku....@lists.freeradius.org] On 
Behalf Of McSparin, Joe
Sent: Wednesday, January 04, 2012 1:37 PM
To: FreeRadius users mailing list
Subject: RE: Using FreeRadius to override VLAN Assignment

Here is my radiusd -X; it looks to me like the Access-Accept is not returning 
the VLAN with it.

# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "16"
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xa15daac8db91138c9543ff1dd79193d8
        MS-MPPE-Recv-Key = 0x5b23ada7251bf55e939f78211bc91ee9
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "jmcsparin"
[peap] Got tunneled reply RADIUS code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "16"
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xa15daac8db91138c9543ff1dd79193d8
        MS-MPPE-Recv-Key = 0x5b23ada7251bf55e939f78211bc91ee9
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "jmcsparin"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.1.1.50 port 35858
        EAP-Message = 0x010b002b19001703010020c4f38e69d73c88a387eba5b0923e812f7d609d6c9d329f90acd78fc19eb2381f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x11074b60180c524471e7db294b4fecfb
Sending Access-Accept of id 200 to 10.1.1.50 port 35858
        MS-MPPE-Recv-Key = 0x3d7918ad48100976d9f4db012a50f82b6dba74d3777f6bdca2648b0db3eb9650
        MS-MPPE-Send-Key = 0xd4fcd3d81bc0e75431a4baa52fff9b7dce70f1cf1025fe2aac060f30f45b35bb
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "jmcsparin"
Finished request 49.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org



________________________________
From: 
freeradius-users-bounces+jmcsparin=hillcountrymemorial....@lists.freeradius.org 
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial....@lists.freeradius.org]
 On Behalf Of Brian Julin
Sent: Wednesday, January 04, 2012 10:49 AM
To: FreeRadius users mailing list
Subject: RE: Using FreeRadius to override VLAN Assignment

The first order of business would be to run freeradius in debug mode, or launch 
an eapol_test client against it, and look to see whether the attribute is being 
sent. If you do not know whether the attribute is being sent, you cannot 
determine whether it is the AP or the freeradius server that needs fixing.

________________________________
From: freeradius-users-bounces+bjulin=clarku....@lists.freeradius.org 
[mailto:freeradius-users-bounces+bjulin=clarku....@lists.freeradius.org] On 
Behalf Of McSparin, Joe
Sent: Wednesday, January 04, 2012 11:00 AM
To: FreeRadius users mailing list
Subject: Using FreeRadius to override VLAN Assignment


I have put the following into my users files

DEFAULT  Auth-Type = "ntlm_auth"
                Tunnel-Type = "VLAN",
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-id = "1001"

I have told my access point to Allow RADIUS Override on the VLAN Assignment; 
however, the VLAN is not getting overridden. Does the above entry in my users 
file not actually send back a VLAN assignment, and if not, is there somewhere 
else this is supposed to be done?

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcspa...@hillcountrymemorial.org

________________________________
This email message and any attachments are for the sole use of the intended 
recipient(s) and contain confidential and/or privileged information. Any 
unauthorized review, use, disclosure or distribution is prohibited. If you are 
not the intended recipient, please contact the sender by reply email and 
destroy all copies of the original message and any attachments.

List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
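
Added example (not part of the thread, and not FreeRADIUS project code): a small check for the symptom discussed above, where the tunneled reply carries the VLAN attributes but the outer Access-Accept does not. The function names and the sample capture are constructed for illustration; the parser also rejoins attribute values that a mailer wrapped onto the next line.

```python
import re

# Constructed sample modelled on the radiusd -X excerpt in this thread (values made up).
SAMPLE = """\
[peap] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "16"
        User-Name = "alice"
[peap] Tunneled authentication was successful.
Sending Access-Accept of id 200 to 192.0.2.50 port 35858
        MS-MPPE-Recv-Key =
0x3d79
        EAP-Message = 0x030b0004
        User-Name = "alice"
Finished request 49.
"""

VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$")

def parse_blocks(text):
    """Return [(header, {attr: value})]: a header line plus its indented attributes."""
    blocks, current, pending = [], None, None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m and current is not None:
            raw = m.group(2).strip()
            current[1][m.group(1)] = raw.strip('"')
            pending = m.group(1) if raw == "" else None  # value wrapped by the mailer
        elif pending and line.strip():
            current[1][pending] = line.strip()           # rejoin the wrapped value
            pending = None
        elif line.strip():
            current = (line.strip(), {})                 # new header line
            blocks.append(current)
    return blocks

def missing_vlan_attrs(text):
    """VLAN attributes in the last tunneled reply that the final Access-Accept lacks."""
    inner, outer = {}, None
    for header, attrs in parse_blocks(text):
        if "Got tunneled reply" in header:
            inner = attrs
        elif header.startswith("Sending Access-Accept"):
            outer = attrs
    if outer is None:
        return None  # capture contains no Access-Accept
    return {a: inner[a] for a in VLAN_ATTRS if a in inner and a not in outer}
```

A non-empty result means the inner-tunnel reply held VLAN attributes that never reached the Access-Accept sent to the NAS; an empty dict means they were copied out.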
