Re: assign wireless users to VLANs on CISCO AP1230

>> These are the RADIUS user attributes used for vlan-id assignment. Each
>> attribute must have a common Tag value to identify the grouped relationship.
>> IETF 64 (Tunnel Type): Set this attribute to VLAN
>> IETF 65 (Tunnel Medium Type): Set this attribute to 802
>> IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
>>
>> I'm not perfectly bilingual, but I understand that my AP is expecting the
>> attributes VLAN, 802 and the VLAN-ID
>
> No. Read the 'dictionary.tunnel' file. VLAN is a name for the value 13 for
> the attribute Tunnel-Type. 802 is the name for the value 6 for the attribute
> Tunnel-Medium-Type. The Tunnel-Private-Group-Id attribute is of type string,
> so the value inside of it should be a string representation of the vlan-id.
>
>> vlan-id is not a string, it's an integer for CISCO (for instance, in my
>> WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id)
>
> It can still be sent as the string 10.

You're right. I badly interpreted the word string.

>> But be sure that before bothering the mailing list, I tried to make it
>> work without making any change to the dictionaries :
>>
>> jmguillemot Auth-Type := eap, User-Password == X
>>         Service-Type = Login-User,
>>         Tunnel-Type = VLAN,
>>         Tunnel-Medium-Type = IEEE-802,
>>         Tunnel-Private-Group-Id = teacher
>
> teacher? That's the SSID. Did the documentation not say to use the vlan-id,
> NOT the SSID?

As I thought that 10 could not be a string and I read that the attribute
Tunnel-Private-Group-Id had to be a string, I tried with the SSID. It was my
first try before I changed the dictionary... which I won't touch any more.

Jean-Marie

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assign wireless users to VLANs on CISCO AP1230

>> vlan-id is not a string, it's an integer for CISCO (for instance, in my
>> WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id)
>
> that doesn't prove anything. 10 is a perfect string.

You're right. I misunderstood the word string.

> please always post the server debug output (radiusd -s -X) as requested

here is the debug :

[EMAIL PROTECTED] root]# radiusd -sfxxyz -l stdout
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /var
main: logdir = /var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /var/log/radius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/radiusd/radiusd.pid
main: user = (null)
main: group = (null)
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/local/sbin/checkrad
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: passwd = (null)
mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = (null)
unix: shadow = (null)
unix: group = (null)
unix: radwtmp = /var/log/radius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = leap
eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/raddb/huntgroups
preprocess: hints = /etc/raddb/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = /etc/raddb/users
files: acctusersfile = /etc/raddb/acct_users
files: preproxy_usersfile = /etc/raddb/preproxy_users
files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = /var/log/radius/radutmp
radutmp: username = %{User-Name}
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.XX.XX:1645, id=166, length=131
        User-Name = jmguillemot
        Framed-MTU = 1400
        Called-Station-Id = 0007.
        Calling-Station-Id = 000d..
        Message-Authenticator = 0xe9c76e12cb5446ac2f6c7591d6b3c766
        EAP-Message = 0x02020010016a6d6775696c6c656d6f74
        NAS-Port-Type = Virtual
        NAS-Port = 334
        NAS-IP-Address = 192.168.XX.XX
        NAS-Identifier = AP_1
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]:
Re: assign wireless users to VLANs on CISCO AP1230

>> # ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
>> ATTRIBUTE Tunnel-Private-Group-Id 81 integer has_tag
>
> I have no clue why you would change that. See:
> http://www.freeradius.org/rfc/attributes.html
> Click on the Tunnel-Private-Group-Id link, and read the text.

Sorry if I wasn't clear enough. When I read the CISCO configuration guide,
it says :

These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.
IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id

I'm not perfectly bilingual, but I understand that my AP is expecting the
attributes VLAN, 802 and the VLAN-ID.

vlan-id is not a string, it's an integer for CISCO (for instance, in my WLAN
the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id)

> Don't play games with the dictionaries unless you know what you're doing.
> Change the entries back, and I'll bet it will work.

unfortunately not. But be sure that before bothering the mailing list, I
tried to make it work without making any change to the dictionaries :

jmguillemot Auth-Type := eap, User-Password == X
        Service-Type = Login-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = teacher

...without success.

thanks anyway for the help.

Jean-Marie
assign wireless users to VLANs on CISCO AP1230

Hi everybody,

I'm trying to assign wireless users to VLANs. Here is the configuration :
- freeradius 0.9.1 on Red Hat 7.2
- Cisco AP1230 (IOS 12.2(11)JA1) with 2 vlans (10=SSID10 and 30=SSID30)
- PCMCIA Card Aironet 350

With static mapping (SSID-VLAN) on the AP, authentication works fine. The
problem starts when I try to assign VLAN.

CISCO says :

These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.
IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id

1 - to meet CISCO requirements, I modified the dictionary.tunnel file like
this :

# VALUE Tunnel-Medium-Type IEEE-802 6
VALUE Tunnel-Medium-Type 802 6
# ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
ATTRIBUTE Tunnel-Private-Group-Id 81 integer has_tag

2 - My user is :

jmguillemot Auth-Type := eap, User-Password == X
        Service-Type = Login-User,
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 10

Which corresponds to CISCO requirements

3 - When I try to get access to VLAN 30, my Access-Accept answer is the
following :

modcall: group authenticate returns ok
Sending Access-Accept of id 44 to 192.168.XX.XX:1645
        Service-Type = Login-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = 10
        Cisco-AVPair += leap:session-key=\305\225\334\314\007\2421\301\335\362V\240R\tUu\033\210 \317\306i\265`\335x\020l\006\313+R
        EAP-Message = 0x0205002b11010018e7b2116d7e8a7a6b15f4a394f1c5aac8b4000a83897eede76a6d6775696c6c656d6f74
        Message-Authenticator = 0x
Finished request 26
Going to the next request
Waking up in 6 seconds...

but I'm authenticated in VLAN 30.

I also tried to assign the NAME of the VLAN (with modification in
dictionary.tunnel) but no success.

Is it a mis-configuration ? a freeradius problem ? a cisco problem ?...

Any suggestion would be really appreciated.

thanks in advance

Jean-Marie
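The following is an added example, not code from the thread, from Cisco or from FreeRADIUS. It shows at the RADIUS wire level what the three attributes in the Cisco text look like when built the way the replies describe (attributes 64, 65 and 81 sharing one tag, with Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6 and the vlan-id sent as the text "10"), decodes them back with the RFC 2868 tag rules, and also encodes attribute 81 the way the modified dictionary entry (`integer has_tag`) would, so the difference in bytes is visible. The attribute numbers and named values are the standard ones from dictionary.tunnel; the one assumption is that a string attribute with tag 0 is sent with no tag byte (RFC 2868 reserves 0x00 for "unused").

```python
"""Added example: RFC 2868 tunnel attributes for Cisco VLAN assignment.

Not code from the mailing-list thread, Cisco or FreeRADIUS. Attribute
numbers and named values are the IETF ones found in dictionary.tunnel.
Assumption: a string attribute with tag 0 is sent without a tag byte.
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # VALUE Tunnel-Type VLAN 13
TUNNEL_MEDIUM_IEEE_802 = 6   # VALUE Tunnel-Medium-Type IEEE-802 6
MAX_TAG = 0x1F               # tags above this are data, not tags


def encode_tagged_integer(attr: int, tag: int, value: int) -> bytes:
    """Tagged integer (RFC 2868): one tag byte + 3-byte big-endian value."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..0x1F")
    if not 0 <= value < (1 << 24):
        raise ValueError("value must fit in 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def encode_tagged_string(attr: int, tag: int, text: str) -> bytes:
    """Tagged string (RFC 2868): tag byte only for 0x01..0x1F, then the text."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..0x1F")
    body = text.encode("ascii")
    if tag:                      # assumption: tag 0 = untagged, no tag byte
        body = bytes([tag]) + body
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr, 2 + len(body)]) + body


def vlan_assignment_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """The three attributes the AP wants, sharing one tag; vlan-id as text."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attrs(blob: bytes) -> list:
    """Walk the TLVs; decode tunnel attributes into (attr, tag, value)."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        body = blob[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((attr, body[0], int.from_bytes(body[1:], "big")))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # A first byte of 0x00..0x1F is a tag; anything else is text.
            if body and body[0] <= MAX_TAG:
                out.append((attr, body[0], body[1:].decode("ascii", "replace")))
            else:
                out.append((attr, 0, body.decode("ascii", "replace")))
        else:
            out.append((attr, None, body))
        i += length
    return out


def vlan_from_attrs(attrs: list):
    """Group tunnel attributes by tag; return the group id of a VLAN/802 group."""
    groups = {}
    for attr, tag, value in attrs:
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            groups.setdefault(tag, {})[attr] = value
    for group in groups.values():
        if (group.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID]
    return None


def misdeclared_group_id(vlan_id: int, tag: int = 1) -> bytes:
    """Attribute 81 as sent when the dictionary declares it 'integer has_tag'."""
    return encode_tagged_integer(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_id)


if __name__ == "__main__":
    good = vlan_assignment_attrs(10)
    print(good.hex(), "->", vlan_from_attrs(parse_attrs(good)))
    bad = misdeclared_group_id(10)
    print(bad.hex(), "->", repr(parse_attrs(bad)[0][2]))
```

With the string form, attribute 81 carries the bytes `0x31 0x30` ("10") after the tag; with the integer declaration it carries `0x00 0x00 0x0a`, which a decoder expecting a string reads as a tag followed by three control characters rather than "10". The decoder also returns nothing when the group id is the SSID name or when the three attributes do not share a tag, which is the grouping requirement quoted from the Cisco guide.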