Yeah, I'm not saying it's a problem with RADIUS.

I'm just asking, trying to understand why it's happening and if there may be any workaround for this.

Matthew, we have some remote places that we chose to authenticate locally with RADIUS.

I'm guessing the configuration (radius-server vsa send) is needed because of this, or am I wrong:

# Called-Station-Id: match 17 characters followed by ":<SSID>" and
# replace the matched text with the bare SSID name.
attr_rewrite getssid-bsn {
        attribute = Called-Station-Id
        searchin = packet
        searchfor = ".................:BSN"
        replacewith = "BSN"
        ignore_case = yes
        new_attribute = no
}

attr_rewrite getssid-COL {
        attribute = Called-Station-Id
        searchin = packet
        searchfor = ".................:COL"
        replacewith = "COL"
        ignore_case = yes
        new_attribute = no
}

# Cisco-AVPair: match 4 characters followed by "=<SSID>" and
# replace the matched text with the bare SSID name.
attr_rewrite getssid-bsn-cisco {
        attribute = Cisco-AVPair
        searchin = packet
        searchfor = "....=BSN"
        replacewith = "BSN"
        ignore_case = yes
        new_attribute = no
}

attr_rewrite getssid-col-cisco {
        attribute = Cisco-AVPair
        searchin = packet
        searchfor = "....=COL"
        replacewith = "COL"
        ignore_case = yes
        new_attribute = no
}

We do this to identify the SSID which the user is trying to log in to, to make up the LDAP filter.

Can anyone explain if it's the reason why we need a VSA sent to the NAS and if we're doing something wrong? Is there any other suggestion?

Sorry if I'm still asking something that may not be related to this forum.

On 04/07/2013 09:29, Matthew Newton wrote:
> Hi,
>
> This isn't a FreeRADIUS issue, and shouldn't really be on this
> list.
>
> However -
>
> On Thu, Jul 04, 2013 at 09:12:40AM -0300, Gustavo Vieira Oliveira wrote:
> > We have a Cisco Wireless Controller 5508 with Aironet 1041 APs.
>
> We have the same, authenticating against FreeRADIUS.
>
> > To make the AP authenticate with RADIUS we need to set the following
> > command manually in the AP:
> >
> > - radius-server vsa send
>
> That is odd, and I would guess that you have something not set up
> correctly on the controller (I assume your APs are all lightweight
> and correctly joined to the controller).
>
> It all works fine here with no manual configuration of the APs at
> all - they get all their config from the controller, as they
> should do. The APs don't do any RADIUS themselves - it's all
> handled from the controller. So I can't understand why they would
> need to know anything about RADIUS attributes.
>
> > The thing is, the APs can only authenticate if this command is
> > issued in the AP by cli and we need that the Wireless Controller can
> > pass this configuration to the APs, which it doesn't support. So,
> > anyone know why is it necessary and if there is another alternative
> > or workaround to make it work without it?
>
> I would check that your WLANs are correctly configured with the
> RADIUS servers in the controller. You shouldn't need to configure
> the APs like this.
>
> You're better off asking on another mailing list, though.
>
> Matthew



