Re: assign wireless users to VLANs on CISCO AP1230

2003-10-22 Thread Jean-Marie GUILLEMOT

  These are the RADIUS user attributes used for vlan-id assignment. Each
  attribute must have a common Tag value to identify the grouped relationship.

  IETF 64 (Tunnel Type): Set this attribute to VLAN
  IETF 65 (Tunnel Medium Type): Set this attribute to 802
  IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id

  I'm not perfectly bilingual, but I understand that my AP is expecting the
  attributes VLAN, 802 and the VLAN-ID

   No.  Read the 'dictionary.tunnel' file.  VLAN is a name for the
  value 13 for the attribute Tunnel-Type.  802 is the name for the
  value 6 for the attribute Tunnel-Medium-Type.  The
  Tunnel-Private-Group-Id attribute is of type string, so the value
  inside of it should be a string representation of the vlan-id.

  vlan-id is not a string, it's an integer for CISCO (for instance, in my
  WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id)

   It can still be sent as the string 10.


You're right. I badly interpreted the word string


  But be sure that before bothering the mailing list, I tried to make it work
  without making any change to the dictionaries :

  jmguillemot Auth-Type := eap, User-Password == X
          Service-Type = Login-User,
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = teacher
  

   teacher?  That's the SSID.  Did the documentation not say to use
 the vlan-id, NOT the SSID?

As I thought that 10 could not be a string and I read that the attribute
Tunnel-Private-Group-Id had to be a string, I tried with the SSID.
It was my first try before I changed the dictionary...which I won't touch
any more.

Jean-Marie


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: assign wireless users to VLANs on CISCO AP1230

2003-10-22 Thread Jean-Marie GUILLEMOT

  vlan-id is not a string, it's an integer for CISCO (for instance, in my
  WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id)

 that doesn't prove anything. 10 is a perfect string.


You're right. I misunderstood the word string

 please always post the server debug output (radiusd -s -X) as requested

here is the debug :

[EMAIL PROTECTED] root]# radiusd -sfxxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = leap
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.XX.XX:1645, id=166, length=131
User-Name = jmguillemot
Framed-MTU = 1400
Called-Station-Id = 0007.
Calling-Station-Id = 000d..
Message-Authenticator = 0xe9c76e12cb5446ac2f6c7591d6b3c766
EAP-Message = 0x02020010016a6d6775696c6c656d6f74
NAS-Port-Type = Virtual
NAS-Port = 334
NAS-IP-Address = 192.168.XX.XX
NAS-Identifier = AP_1
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: 

Re: assign wireless users to VLANs on CISCO AP1230

2003-10-20 Thread Jean-Marie GUILLEMOT

  # ATTRIBUTE Tunnel-Private-Group-Id 81  string  has_tag
  ATTRIBUTE   Tunnel-Private-Group-Id 81  integer has_tag

   I have no clue why you would change that.  See:

   http://www.freeradius.org/rfc/attributes.html

   Click on the Tunnel-Private-Group-Id link, and read the text.


Sorry if I wasn't clear enough. When I read the CISCO configuration guide,
it says :


These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.

IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id


I'm not perfectly bilingual, but I understand that my AP is expecting the
attributes VLAN, 802 and the VLAN-ID

vlan-id is not a string, it's an integer for CISCO (for instance, in my
WLAN the SSID teacher is mapped to VLAN 10 : 10 is the vlan-id)


   Don't play games with the dictionaries unless you know what you're
 doing.  Change the entries back, and I'll bet it will work.


unfortunately not.
But be sure that before bothering the mailing list, I tried to make it work
without making any change to the dictionaries :

jmguillemot Auth-Type := eap, User-Password == X
        Service-Type = Login-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = teacher

...without success.
thanks anyway for the help.

Jean-Marie




assign wireless users to VLANs on CISCO AP1230

2003-10-17 Thread Jean-Marie GUILLEMOT
Hi everybody,


I'm trying to assign wireless users to VLANs. Here is the configuration :
- freeradius 0.9.1 on Red Hat 7.2
- Cisco AP1230 (IOS 12.2(11)JA1) with 2 vlans (10=SSID10 and 30=SSID30)
- PCMCIA Card Aironet 350

With static mapping (SSID-VLAN) on the AP, authentication works fine. The
problem starts when I try to assign VLAN.

CISCO says :

These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.

IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id


1 - to meet CISCO requirements, I modified the dictionary.tunnel file like
this :

# VALUE Tunnel-Medium-Type  IEEE-802    6
VALUE   Tunnel-Medium-Type  802         6

# ATTRIBUTE Tunnel-Private-Group-Id 81  string  has_tag
ATTRIBUTE   Tunnel-Private-Group-Id 81  integer has_tag


2 - My user is :

jmguillemot Auth-Type := eap, User-Password == X
        Service-Type = Login-User,
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 10

Which corresponds to CISCO requirements

3 - When I try to get access to VLAN 30, my Access-Accept answer is the
following :

modcall: group authenticate returns ok
Sending Access-Accept of id 44 to 192.168.XX.XX:1645
        Service-Type = Login-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = 10
        Cisco-AVPair += leap:session-key=\305\225\334\314\007\2421\301\335\362V\240R\tUu\033\210\317\306i\265`\335x\020l\006\313+R
        EAP-Message = 0x0205002b11010018e7b2116d7e8a7a6b15f4a394f1c5aac8b4000a83897eede76a6d6775696c6c656d6f74
        Message-Authenticator = 0x
Finished request 26
Going to the next request
Waking up in 6 seconds...


but I'm authenticated in VLAN 30.

I also tried to assign the NAME of the VLAN (with modification in
dictionary.tunnel) but no success.

Is it a mis-configuration ? a freeradius problem ? a cisco problem ?...

Any suggestion would be really appreciated. thanks in advance

Jean-Marie


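Added example, not code from this thread or from FreeRADIUS: a small Python script that encodes the three RFC 2868 attributes the Cisco guide asks for and decodes them the way an AP has to parse the Access-Accept. It makes concrete the points argued above in the thread: "VLAN" and "802" are dictionary names for the integer values 13 and 6, the vlan-id is carried as the ASCII string "10" after a one-octet tag, and redefining Tunnel-Private-Group-Id as a tagged integer (the dictionary change in the first post) puts three binary octets on the wire instead of the two characters "10". The attribute layouts are taken from RFC 2868 (tag octet plus three value octets for Tunnel-Type and Tunnel-Medium-Type, tag octet plus string for Tunnel-Private-Group-Id, a first octet above 0x1F being part of the string rather than a tag); the tag-plus-three-octets form is also how FreeRADIUS encodes a has_tag integer. Function names and the sample VLAN ids are my own.

```python
"""RFC 2868 tunnel attributes for RADIUS VLAN assignment: encode and decode.

Added example (not from the thread or FreeRADIUS). Shows what the three
attributes the Cisco guide lists look like on the wire, and what changes
when Tunnel-Private-Group-Id is declared as an integer instead of a string.
"""

# Attribute numbers from RFC 2868 and the named values the thread refers to.
TUNNEL_TYPE = 64              # "IETF 64"
TUNNEL_MEDIUM_TYPE = 65       # "IETF 65"
TUNNEL_PRIVATE_GROUP_ID = 81  # "IETF 81"
TUNNEL_TYPE_VLAN = 13         # dictionary name "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6    # dictionary name "IEEE-802" (Cisco's "802")

NAMES = {TUNNEL_TYPE: "Tunnel-Type",
         TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}
TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}  # tag + 3-octet value


def _tlv(attr_type, body):
    """RADIUS attribute: Type, Length (counts the 2 header octets), Value."""
    if not 1 <= len(body) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([attr_type, len(body) + 2]) + body


def tagged_integer(attr_type, tag, value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet, three value octets."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (unused) or 1..31")
    if not 0 <= value < 1 << 24:
        raise ValueError("value does not fit in 24 bits")
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """Tunnel-Private-Group-Id: one tag octet followed by the string octets."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (unused) or 1..31")
    return _tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment(vlan_id, tag=0):
    """The three reply attributes for VLAN `vlan_id`, all carrying one tag.

    The vlan-id travels as the decimal string "10", not the integer 10.
    """
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def group_id_as_integer(vlan_id, tag=0):
    """What a tagged *integer* Tunnel-Private-Group-Id puts on the wire, i.e.
    the effect of the dictionary change in the thread: the octets
    0x00 0x00 0x0a for VLAN 10 instead of the ASCII characters "10"."""
    return tagged_integer(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_id)


def decode(payload):
    """Parse RADIUS attributes as an AP would; returns (name, tag, value).

    Tunnel-Type/Tunnel-Medium-Type values are 24-bit integers. For
    Tunnel-Private-Group-Id a first octet above 0x1F is part of the string,
    not a tag (RFC 2868 section 3.6). Unknown attributes come back raw.
    """
    out = []
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 3 or pos + length > len(payload):
            raise ValueError("bad attribute length")
        body = payload[pos + 2:pos + length]
        pos += length
        if attr_type in TAGGED_INTEGER:
            if len(body) != 4:
                raise ValueError("%s must be tag + 3 octets" % NAMES[attr_type])
            out.append((NAMES[attr_type], body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] <= 0x1F:
                out.append((NAMES[attr_type], body[0], body[1:]))
            else:
                out.append((NAMES[attr_type], 0, body))
        else:
            out.append((attr_type, None, body))
    return out


if __name__ == "__main__":
    # Correct triple for VLAN 10 (tag 0, as in the debug output above).
    for name, tag, value in decode(vlan_assignment(10)):
        print(name, tag, value)
    # The same attribute after the "integer has_tag" dictionary change.
    print(decode(group_id_as_integer(10)))
```

Running the script shows the string form decoding back to b'10' and the integer form to b'\x00\x00\n', which is the difference between the two dictionary definitions that the debug output above hides, since the server prints both as "10".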