Re: assign wireless users to VLANs on CISCO AP1230

2003-10-22 Thread Jean-Marie GUILLEMOT

> > "vlan-id" is not a string, it's an integer for CISCO (for
> instance, in my
> > WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)
>
> that doesn't prove anything. "10" is a perfect string.
>

You're right. I misunderstood the word "string"

> please always post the server debug output (radiusd -s -X) as
> requested

here is the debug :

[EMAIL PROTECTED] root]# radiusd -sfxxyz -l stdout
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "leap"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.XX.XX:1645, id=166,
length=131
User-Name = "jmguillemot"
Framed-MTU = 1400
Called-Station-Id = "0007."
Calling-Station-Id = "000d.."
Message-Authenticator = 0xe9c76e12cb5446ac2f6c7591d6b3c766
EAP-Message = 0x02020010016a6d6775696c6c656d6f74
NAS-Port-Type = Virtual
NAS-Port = 334
NAS-IP-Address = 192.168.XX.XX
NAS-Identifier = "AP_1"
modcall: ente

Re: assign wireless users to VLANs on CISCO AP1230

2003-10-22 Thread Jean-Marie GUILLEMOT

> > These are the RADIUS user attributes used for vlan-id
> assignment. Each
> > attribute must have a common Tag value to identify the
> grouped relationship.
> >
> > IETF 64 (Tunnel Type): Set this attribute to VLAN
> > IETF 65 (Tunnel Medium Type): Set this attribute to 802
> > IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
> > "
> >
> > I'm not perfectly bilingual, but I understand that my AP is
> expecting the
> > attributes VLAN, 802 and the VLAN-ID
>
>   No.  Read the 'dictionary.tunnel' file.  "VLAN" is a name for the
> value "13" for the attribute Tunnel-Type.  "802" is the name for the
> value "6" for the attribute Tunnel-Medium-Type.  The
> Tunnel-Private-Group-Id attribute is of type string, so the value
> inside of it should be a string representation of the vlan-id.
>
> > "vlan-id" is not a string, it's an integer for CISCO (for
> instance, in my
> > WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)
>
>   It can still be sent as the string "10".
>

You're right. I badly interpreted the word "string"


> > But be sure that before bothering the mailing list, I tried
> to make it work
> > without making any change to the dictionaries :
> > "
> > jmguillemot Auth-Type := eap, User-Password == "X"
> > Service-Type = Login-User,
> > Tunnel-Type = VLAN,
> > Tunnel-Medium-Type = IEEE-802,
> > Tunnel-Private-Group-Id = teacher
> > "
>
>   "teacher"?  That's the SSID.  Did the documentation not say to use
> the vlan-id, NOT the SSID?

As I thought that "10" could not be a string and I read that the attribute
"Tunnel-Private-Group-Id" had to be a string, I tried with the SSID.
It was my first try before I changed the dictionary...which I won't touch
any more.

Jean-Marie


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: assign wireless users to VLANs on CISCO AP1230

2003-10-20 Thread Artur Hecker
hi

> These are the RADIUS user attributes used for vlan-id assignment. Each
> attribute must have a common Tag value to identify the grouped relationship.
> IETF 64 (Tunnel Type): Set this attribute to VLAN
> IETF 65 (Tunnel Medium Type): Set this attribute to 802
> IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
> "
> I'm not perfectly bilingual, but I understand that my AP is expecting the
> attributes VLAN, 802 and the VLAN-ID

no, your AP wants the attributes Tunnel-Type, Tunnel-Medium-Type and 
Tunnel-Private-Group-ID and the VALUEs should be as you say. there is no 
need to change the dictionaries for that.

> "vlan-id" is not a string, it's an integer for CISCO (for instance, in my
> WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)

that doesn't prove anything. "10" is a perfect string.

> jmguillemot Auth-Type := eap, User-Password == "X"
> Service-Type = Login-User,
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = teacher
> "
> ...without success.

please always post the server debug output (radiusd -s -X) as requested 
by the FAQ. btw.: auth-type shouldn't be explicitly set to eap ...

ciao
artur




Re: assign wireless users to VLANs on CISCO AP1230

2003-10-20 Thread Alan DeKok
Jean-Marie GUILLEMOT <[EMAIL PROTECTED]> wrote:
> These are the RADIUS user attributes used for vlan-id assignment. Each
> attribute must have a common Tag value to identify the grouped relationship.
> 
> IETF 64 (Tunnel Type): Set this attribute to VLAN
> IETF 65 (Tunnel Medium Type): Set this attribute to 802
> IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
> "
> 
> I'm not perfectly bilingual, but I understand that my AP is expecting the
> attributes VLAN, 802 and the VLAN-ID

  No.  Read the 'dictionary.tunnel' file.  "VLAN" is a name for the
value "13" for the attribute Tunnel-Type.  "802" is the name for the
value "6" for the attribute Tunnel-Medium-Type.  The
Tunnel-Private-Group-Id attribute is of type string, so the value
inside of it should be a string representation of the vlan-id.

> "vlan-id" is not a string, it's an integer for CISCO (for instance, in my
> WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)

  It can still be sent as the string "10".

> But be sure that before bothering the mailing list, I tried to make it work
> without making any change to the dictionaries :
> "
> jmguillemot   Auth-Type := eap, User-Password == "X"
>   Service-Type = Login-User,
>   Tunnel-Type = VLAN,
>   Tunnel-Medium-Type = IEEE-802,
>   Tunnel-Private-Group-Id = teacher
> "

  "teacher"?  That's the SSID.  Did the documentation not say to use
the vlan-id, NOT the SSID?

  Alan DeKok.

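
Added example, not code from the list thread or from the FreeRADIUS project: a small Python encoder/decoder for the three RFC 2868 tunnel attributes Alan's reply explains. It makes the name-versus-value point concrete: the AP only ever receives the numbers 13 and 6 on the wire (the names VLAN and IEEE-802 exist only in dictionary.tunnel on the server, so renaming them changes nothing the NAS sees), and Tunnel-Private-Group-Id carries the VLAN number as the string "10" under the same tag as the other two. The check_vlan_assignment rules (one common tag, a numeric group id in the 802.1Q range 1-4094 rather than an SSID such as "teacher") are this example's own assumptions, and format_like_debug merely mimics the radiusd -X reply lines quoted in the thread.

```python
"""Encode, decode and sanity-check the RFC 2868 tunnel attributes a Cisco AP
reads for dynamic VLAN assignment (added example, not the project's code)."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type", 81: "Tunnel-Private-Group-Id"}
# These names are server-side labels only (dictionary.tunnel); the NAS sees numbers.
TUNNEL_TYPE_NAMES = {13: "VLAN"}
TUNNEL_MEDIUM_NAMES = {6: "IEEE-802"}
MAX_TAG = 0x1F  # RFC 2868: tag octets 0x01..0x1F; 0x00 means "untagged"


def encode_tagged_integer(attr_type, tag, value):
    """Tagged integer AVP: type, length, tag octet, 3-octet big-endian integer."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..0x1F")
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integers are 24-bit")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, text):
    """Tagged string AVP: type, length, tag octet, raw string octets."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0..0x1F")
    body = bytes([tag]) + text.encode("ascii")
    if 2 + len(body) > 255:
        raise ValueError("AVP too long")
    return bytes([attr_type, 2 + len(body)]) + body


def vlan_assignment_avps(vlan_id, tag=0):
    """The three AVPs the Cisco guide lists, all carrying the same tag.
    Tunnel-Private-Group-Id is sent as the *string* "10", never as an integer."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, 13)          # VLAN
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, 6)  # IEEE-802
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_avps(data):
    """Walk a buffer of AVPs; return (type, tag, value) for the tunnel
    attributes and (type, None, raw_bytes) for anything else."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad AVP length")
        body = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be tag + 3 octets")
            out.append((attr_type, body[0], int.from_bytes(body[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 s.3.6: a first octet above 0x1F is string data, not a tag
            if body[0] > MAX_TAG:
                out.append((attr_type, 0, body.decode("ascii", "replace")))
            else:
                out.append((attr_type, body[0], body[1:].decode("ascii", "replace")))
        else:
            out.append((attr_type, None, bytes(body)))
        i += length
    return out


def format_like_debug(avps):
    """Render tunnel AVPs the way radiusd -X prints them, e.g. 'Tunnel-Type:0 = VLAN'.
    The name shown depends only on the local dictionary: renaming IEEE-802 to
    802 changes this text, not the value 6 that is sent to the AP."""
    lines = []
    for attr_type, tag, value in avps:
        name = ATTR_NAMES.get(attr_type)
        if name is None:
            continue
        if attr_type == TUNNEL_TYPE:
            shown = TUNNEL_TYPE_NAMES.get(value, str(value))
        elif attr_type == TUNNEL_MEDIUM_TYPE:
            shown = TUNNEL_MEDIUM_NAMES.get(value, str(value))
        else:
            shown = '"%s"' % value
        lines.append("%s:%d = %s" % (name, tag, shown))
    return lines


def check_vlan_assignment(avps):
    """Return (ok, problems). Hypothetical policy: all three tunnel attributes
    present, one common tag, Tunnel-Type 13, Tunnel-Medium-Type 6, and a group
    id that is an 802.1Q VLAN number (1..4094), not an SSID such as "teacher"."""
    problems = []
    found = {t: (tag, v) for t, tag, v in avps if t in ATTR_NAMES}
    for t in ATTR_NAMES:
        if t not in found:
            problems.append("missing " + ATTR_NAMES[t])
    if problems:
        return False, problems
    if len({tag for tag, _ in found.values()}) != 1:
        problems.append("tunnel attributes do not share one tag")
    if found[TUNNEL_TYPE][1] != 13:
        problems.append("Tunnel-Type is not VLAN (13)")
    if found[TUNNEL_MEDIUM_TYPE][1] != 6:
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    group = found[TUNNEL_PRIVATE_GROUP_ID][1]
    if not (group.isdigit() and 1 <= int(group) <= 4094):
        problems.append("Tunnel-Private-Group-Id %r is not a VLAN number" % group)
    return not problems, problems


if __name__ == "__main__":
    reply = vlan_assignment_avps(10)
    print(reply.hex())
    print("\n".join(format_like_debug(decode_avps(reply))))
    print(check_vlan_assignment(decode_avps(reply)))
```

The decoder also accepts a Tunnel-Private-Group-Id whose first octet is above 0x1F and treats it as untagged string data, which is what RFC 2868 prescribes for that attribute; the checker then reports the SSID-instead-of-number mistake from the thread as a single problem rather than silently accepting it.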


Re: assign wireless users to VLANs on CISCO AP1230

2003-10-20 Thread Jean-Marie GUILLEMOT

> > # ATTRIBUTE Tunnel-Private-Group-Id 81  string  has_tag
> > ATTRIBUTE   Tunnel-Private-Group-Id 81  integer has_tag
>
>   I have no clue why you would change that.  See:
>
>   http://www.freeradius.org/rfc/attributes.html
>
>   Click on the "Tunnel-Private-Group-Id" link, and read the text.
>

Sorry if I wasn't clear enough. When I read the CISCO configuration guide,
it says :

"
These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.

IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
"

I'm not perfectly bilingual, but I understand that my AP is expecting the
attributes VLAN, 802 and the VLAN-ID

"vlan-id" is not a string, it's an integer for CISCO (for instance, in my
WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)


>   Don't play games with the dictionaries unless you know what you're
> doing.  Change the entries back, and I'll bet it will work.


unfortunately not.
But be sure that before bothering the mailing list, I tried to make it work
without making any change to the dictionaries :
"
jmguillemot Auth-Type := eap, User-Password == "X"
Service-Type = Login-User,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = teacher
"
...without success.
thanks anyway for the help.

Jean-Marie




Re: assign wireless users to VLANs on CISCO AP1230

2003-10-17 Thread Alan DeKok
Jean-Marie GUILLEMOT <[EMAIL PROTECTED]> wrote:
> 1 - to meet CISCO requirements, I modified the dictionary.tunnel file like
> this :

  Which was absolutely wrong.  The Cisco requirements did NOT say to
edit the dictionaries.

> # VALUE   Tunnel-Medium-Type  IEEE-8026
> VALUE Tunnel-Medium-Type  802 6

  Please read the RADIUS book, the RFC's, and the 'man' page for the
'dictionary' file.  The names in the dictionary are irrelevant, as
they are used ONLY in the configuration files on the server.

  Further, by changing the name from "IEEE-802" to "802", you
guarantee that the value "6" will NEVER be sent to the NAS when you
type the name "802" into the configuration files on the server.

> # ATTRIBUTE   Tunnel-Private-Group-Id 81  string  has_tag
> ATTRIBUTE Tunnel-Private-Group-Id 81  integer has_tag

  I have no clue why you would change that.  See:

http://www.freeradius.org/rfc/attributes.html

  Click on the "Tunnel-Private-Group-Id" link, and read the text.

> 2 - My user is :
> "
> jmguillemot   Auth-Type := eap, User-Password == "X"
>   Service-Type = Login-User,
>   Tunnel-Type = 13,
>   Tunnel-Medium-Type = 6,

  If you changed the name from "IEEE-802" to "802", then why the
*heck* would you use "6" as the value here?  You seem to be interested
in doing extra work for no point.

> Is it a mis-configuration ? a freeradius problem ? a cisco problem ?...

  User -> keyboard problem.

  Don't play games with the dictionaries unless you know what you're
doing.  Change the entries back, and I'll bet it will work.

  Alan DeKok.



assign wireless users to VLANs on CISCO AP1230

2003-10-17 Thread Jean-Marie GUILLEMOT
Hi everybody,


I'm trying to assign wireless users to VLANs. Here is the configuration :
- freeradius 0.9.1 on Red Hat 7.2
- Cisco AP1230 (IOS 12.2(11)JA1) with 2 vlans (10=SSID10 and 30=SSID30)
- PCMCIA Card Aironet 350

With static mapping (SSID-VLAN) on the AP, authentication works fine. The
problem starts when I try to assign VLAN.

CISCO says :
"
These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.

IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
"

1 - to meet CISCO requirements, I modified the dictionary.tunnel file like
this :
"
# VALUE Tunnel-Medium-Type  IEEE-8026
VALUE   Tunnel-Medium-Type  802 6

# ATTRIBUTE Tunnel-Private-Group-Id 81  string  has_tag
ATTRIBUTE   Tunnel-Private-Group-Id 81  integer has_tag
"

2 - My user is :
"
jmguillemot Auth-Type := eap, User-Password == "X"
Service-Type = Login-User,
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 10
"
Which corresponds to CISCO requirements

3 - When I try to get access to VLAN 30, my Access-Accept answer is the
following :
"
modcall: group authenticate returns ok
Sending Access-Accept of id 44 to 192.168.XX;XX:1645
Service-Type = Login-User
Tunnel-Type:0 = VLAN
  Tunnel-Medium-Type:0 = 802
  Tunnel-Private-Group-Id:0 = 10
  Cisco-AVPair +=
"leap:session-key=\305\225\334\314\007\242>1\301\335<\362V\240"R\tUu\033\210
\317\306i\265`\335x\020l\006\313+R"
EAP-Message =
0x0205002b11010018e7b2116d7e8a7a6b15f4a394f1c5aac8b4000a83897eede76a6d677569
6c6c656d6f74
  Message-Authenticator = 0x
Finished request 26
Going to the next request
Waking up in 6 seconds...
"

but I'm authenticated in VLAN 30.

I also tried to assign the NAME of the VLAN (with modification in
dictionary.tunnel) but no success.

Is it a mis-configuration ? a freeradius problem ? a cisco problem ?...

Any suggestion would be really appreciated. thanks in advance

Jean-Marie

