Re: assign wireless users to VLANs on CISCO AP1230
> > "vlan-id" is not a string, it's an integer for CISCO (for instance, in my
> > WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)
>
> that doesn't prove anything. "10" is a perfect string.

You're right. I misunderstood the word "string"

> please always post the server debug output (radiusd -s -X) as requested

here is the debug :

[EMAIL PROTECTED] root]# radiusd -sfxxyz -l stdout
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "leap"
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.XX.XX:1645, id=166, length=131
	User-Name = "jmguillemot"
	Framed-MTU = 1400
	Called-Station-Id = "0007."
	Calling-Station-Id = "000d.."
	Message-Authenticator = 0xe9c76e12cb5446ac2f6c7591d6b3c766
	EAP-Message = 0x02020010016a6d6775696c6c656d6f74
	NAS-Port-Type = Virtual
	NAS-Port = 334
	NAS-IP-Address = 192.168.XX.XX
	NAS-Identifier = "AP_1"
modcall: ente
Re: assign wireless users to VLANs on CISCO AP1230
> > These are the RADIUS user attributes used for vlan-id assignment. Each
> > attribute must have a common Tag value to identify the grouped relationship.
> >
> > IETF 64 (Tunnel Type): Set this attribute to VLAN
> > IETF 65 (Tunnel Medium Type): Set this attribute to 802
> > IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
> > "
> >
> > I'm not perfectly bilingual, but I understand that my AP is expecting the
> > attributes VLAN, 802 and the VLAN-ID
>
> No. Read the 'dictionary.tunnel' file. "VLAN" is a name for the
> value "13" for the attribute Tunnel-Type. "802" is the name for the
> value "6" for the attribute Tunnel-Medium-Type. The
> Tunnel-Private-Group-Id attribute is of type string, so the value
> inside of it should be a string representation of the vlan-id.
>
> > "vlan-id" is not a string, it's an integer for CISCO (for instance, in my
> > WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)
>
> It can still be sent as the string "10".

You're right. I badly interpreted the word "string"

> > But be sure that before bothering the mailing list, I tried to make it work
> > without making any change to the dictionaries :
> > "
> > jmguillemot Auth-Type := eap, User-Password == "X"
> > 	Service-Type = Login-User,
> > 	Tunnel-Type = VLAN,
> > 	Tunnel-Medium-Type = IEEE-802,
> > 	Tunnel-Private-Group-Id = teacher
> > "
>
> "teacher"? That's the SSID. Did the documentation not say to use
> the vlan-id, NOT the SSID?

As I thought that "10" could not be a string and I read that the attribute
"Tunnel-Private-Group-Id" had to be a string, I tried with the SSID. It was my
first try before I changed the dictionary... which I won't touch any more.

Jean-Marie

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assign wireless users to VLANs on CISCO AP1230
hi

> These are the RADIUS user attributes used for vlan-id assignment. Each
> attribute must have a common Tag value to identify the grouped relationship.
>
> IETF 64 (Tunnel Type): Set this attribute to VLAN
> IETF 65 (Tunnel Medium Type): Set this attribute to 802
> IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
> "
>
> I'm not perfectly bilingual, but I understand that my AP is expecting the
> attributes VLAN, 802 and the VLAN-ID

no, your AP wants the attributes Tunnel-Type, Tunnel-Medium-Type and
Tunnel-Private-Group-ID and the VALUEs should be as you say. there is no need
to change the dictionaries for that.

> "vlan-id" is not a string, it's an integer for CISCO (for instance, in my
> WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)

that doesn't prove anything. "10" is a perfect string.

> jmguillemot Auth-Type := eap, User-Password == "X"
> 	Service-Type = Login-User,
> 	Tunnel-Type = VLAN,
> 	Tunnel-Medium-Type = IEEE-802,
> 	Tunnel-Private-Group-Id = teacher
> "
> ...without success.

please always post the server debug output (radiusd -s -X) as requested by
the FAQ.

btw.: auth-type shouldn't be explicitly set to eap ...

ciao
artur

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assign wireless users to VLANs on CISCO AP1230
Jean-Marie GUILLEMOT <[EMAIL PROTECTED]> wrote:
> These are the RADIUS user attributes used for vlan-id assignment. Each
> attribute must have a common Tag value to identify the grouped relationship.
>
> IETF 64 (Tunnel Type): Set this attribute to VLAN
> IETF 65 (Tunnel Medium Type): Set this attribute to 802
> IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
> "
>
> I'm not perfectly bilingual, but I understand that my AP is expecting the
> attributes VLAN, 802 and the VLAN-ID

  No. Read the 'dictionary.tunnel' file. "VLAN" is a name for the
value "13" for the attribute Tunnel-Type. "802" is the name for the
value "6" for the attribute Tunnel-Medium-Type. The
Tunnel-Private-Group-Id attribute is of type string, so the value
inside of it should be a string representation of the vlan-id.

> "vlan-id" is not a string, it's an integer for CISCO (for instance, in my
> WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)

  It can still be sent as the string "10".

> But be sure that before bothering the mailing list, I tried to make it work
> without making any change to the dictionaries :
> "
> jmguillemot Auth-Type := eap, User-Password == "X"
> 	Service-Type = Login-User,
> 	Tunnel-Type = VLAN,
> 	Tunnel-Medium-Type = IEEE-802,
> 	Tunnel-Private-Group-Id = teacher
> "

  "teacher"? That's the SSID. Did the documentation not say to use
the vlan-id, NOT the SSID?

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
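The point Alan makes above, worked through in code. This is an added example, not code from the thread and not FreeRADIUS code: it encodes the three RFC 2868 tunnel attributes the way they go on the wire for a users-file entry of `Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = "10"`, decodes them back, renders them in the `Name:tag = value` form `radiusd -X` uses, and applies the rule from the Cisco guide that the three attributes must share one tag. The attribute numbers 64/65/81, the VALUEs 13 (VLAN) and 6 (IEEE-802) and the tag encoding rules come from RFC 2868 and the stock `dictionary.tunnel`; the function names and the 1..4094 VLAN range check are this example's own assumptions.

```python
"""RFC 2868 tagged tunnel attributes for VLAN assignment (added example; not
code from the thread or from FreeRADIUS)."""

TUNNEL_TYPE = 64                # ATTRIBUTE Tunnel-Type 64 integer has_tag
TUNNEL_MEDIUM_TYPE = 65         # ATTRIBUTE Tunnel-Medium-Type 65 integer has_tag
TUNNEL_PRIVATE_GROUP_ID = 81    # ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
TUNNEL_TYPE_VLAN = 13           # VALUE Tunnel-Type VLAN 13
TUNNEL_MEDIUM_IEEE_802 = 6      # VALUE Tunnel-Medium-Type IEEE-802 6
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def encode_tagged_int(attr, tag, value):
    """Tagged integer (RFC 2868 s3.1, s3.2): one tag byte then a 3-byte
    big-endian value. Tag 0 means 'unused' and is sent on the wire as 0x00."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < (1 << 24):
        raise ValueError("tagged integers carry only 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def encode_tagged_string(attr, tag, text):
    """Tagged string (RFC 2868 s3.6): the tag byte is present only for tags
    1..0x1F; a first byte above 0x1F belongs to the string, so tag 0 adds nothing."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    body = (bytes([tag]) if tag else b"") + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr, 2 + len(body)]) + body


def vlan_attributes(vlan_id, tag=0):
    """The three attributes the Cisco guide quoted in the thread asks for."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def decode_attrs(blob):
    """Parse RADIUS attributes into (type, tag, value); non-tunnel ones stay raw."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        body, pos = blob[pos + 2:pos + alen], pos + alen
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((atype, body[0], int.from_bytes(body[1:], "big")))
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            if body and body[0] <= 0x1F:       # leading tag byte present
                out.append((atype, body[0], body[1:].decode("ascii")))
            else:                              # no tag byte: tag is 0
                out.append((atype, 0, body.decode("ascii")))
        else:
            out.append((atype, None, body))
    return out


def select_vlan(blob):
    """Cisco rule: the three attributes must share one tag, the type must be
    VLAN, the medium IEEE-802 and the group id a VLAN number (1..4094 is this
    example's own check). Returns the VLAN id, or None if no group qualifies."""
    groups = {}
    for atype, tag, value in decode_attrs(blob):
        if atype in TUNNEL_ATTRS:
            groups.setdefault(tag, {})[atype] = value
    for tag in sorted(groups):
        attrs = groups[tag]
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()
                and 1 <= int(attrs[TUNNEL_PRIVATE_GROUP_ID]) <= 4094):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None


def debug_lines(blob):
    """Render the tunnel attributes as 'Name:tag = value', radiusd -X style."""
    names = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
             TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}
    labels = {(TUNNEL_TYPE, TUNNEL_TYPE_VLAN): "VLAN",
              (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802): "IEEE-802"}
    lines = []
    for atype, tag, value in decode_attrs(blob):
        if atype in TUNNEL_ATTRS:
            shown = f'"{value}"' if isinstance(value, str) else labels.get((atype, value), value)
            lines.append(f"{names[atype]}:{tag} = {shown}")
    return lines


if __name__ == "__main__":
    wire = vlan_attributes(10)
    print(wire.hex())                      # 40060000000d41060000000651043130
    print("\n".join(debug_lines(wire)))
    print("VLAN:", select_vlan(wire), "/ SSID instead:", select_vlan(vlan_attributes("teacher")))
```

Run stand-alone it prints `40060000000d41060000000651043130`: attribute 0x40 (64) with tag 0 and value 13, 0x41 (65) with value 6, and 0x51 (81) carrying just the two bytes `31 30` ("10"), with no tag byte because tag 0 is never sent for a string. Nothing in the bytes is the word "VLAN" or "IEEE-802"; those names live only in the server's dictionary. Feeding the SSID "teacher" as the group id, as in the first attempt, yields no VLAN, and so does a set of three attributes whose tags differ.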
Re: assign wireless users to VLANs on CISCO AP1230
> > # ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
> > ATTRIBUTE Tunnel-Private-Group-Id 81 integer has_tag
>
> I have no clue why you would change that. See:
>
> http://www.freeradius.org/rfc/attributes.html
>
> Click on the "Tunnel-Private-Group-Id" link, and read the text.

Sorry if I wasn't clear enough. When I read the CISCO configuration guide, it says :
"
These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.

IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
"
I'm not perfectly bilingual, but I understand that my AP is expecting the
attributes VLAN, 802 and the VLAN-ID

"vlan-id" is not a string, it's an integer for CISCO (for instance, in my
WLAN the SSID "teacher" is mapped to VLAN 10 : 10 is the vlan-id)

> Don't play games with the dictionaries unless you know what you're
> doing. Change the entries back, and I'll bet it will work.

unfortunately not. But be sure that before bothering the mailing list, I tried
to make it work without making any change to the dictionaries :
"
jmguillemot Auth-Type := eap, User-Password == "X"
	Service-Type = Login-User,
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = teacher
"
...without success.

thanks anyway for the help.

Jean-Marie

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: assign wireless users to VLANs on CISCO AP1230
Jean-Marie GUILLEMOT <[EMAIL PROTECTED]> wrote:
> 1 - to meet CISCO requirements, I modified the dictionary.tunnel file like
> this :

  Which was absolutely wrong. The Cisco requirements did NOT say to edit
the dictionaries.

> # VALUE Tunnel-Medium-Type IEEE-802 6
> VALUE Tunnel-Medium-Type 802 6

  Please read the RADIUS book, the RFC's, and the 'man' page for the
'dictionary' file. The names in the dictionary are irrelevant, as they
are used ONLY in the configuration files on the server.

  Further, by changing the name from "IEEE-802" to "802", you guarantee
that the value "6" will NEVER be sent to the NAS when you type the name
"802" into the configuration files on the server.

> # ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
> ATTRIBUTE Tunnel-Private-Group-Id 81 integer has_tag

  I have no clue why you would change that. See:

http://www.freeradius.org/rfc/attributes.html

  Click on the "Tunnel-Private-Group-Id" link, and read the text.

> 2 - My user is :
> "
> jmguillemot Auth-Type := eap, User-Password == "X"
> 	Service-Type = Login-User,
> 	Tunnel-Type = 13,
> 	Tunnel-Medium-Type = 6,

  If you changed the name from "IEEE-802" to "802", then why the *heck*
would you use "6" as the value here? You seem to be interested in doing
extra work for no point.

> Is it a mis-configuration ? a freeradius problem ? a cisco problem ?...

  User -> keyboard problem.

  Don't play games with the dictionaries unless you know what you're
doing. Change the entries back, and I'll bet it will work.

  Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
assign wireless users to VLANs on CISCO AP1230
Hi everybody,

I'm trying to assign wireless users to VLANs. Here is the configuration :
- freeradius 0.9.1 on Red Hat 7.2
- Cisco AP1230 (IOS 12.2(11)JA1) with 2 vlans (10=SSID10 and 30=SSID30)
- PCMCIA Card Aironet 350

With static mapping (SSID-VLAN) on the AP, authentication works fine. The
problem starts when I try to assign VLAN. CISCO says :
"
These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.

IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
"

1 - to meet CISCO requirements, I modified the dictionary.tunnel file like this :
"
# VALUE Tunnel-Medium-Type IEEE-802 6
VALUE Tunnel-Medium-Type 802 6
# ATTRIBUTE Tunnel-Private-Group-Id 81 string has_tag
ATTRIBUTE Tunnel-Private-Group-Id 81 integer has_tag
"

2 - My user is :
"
jmguillemot Auth-Type := eap, User-Password == "X"
	Service-Type = Login-User,
	Tunnel-Type = 13,
	Tunnel-Medium-Type = 6,
	Tunnel-Private-Group-Id = 10
"
Which corresponds to CISCO requirements

3 - When I try to get access to VLAN 30, my Access-Accept answer is the following :
"
modcall: group authenticate returns ok
Sending Access-Accept of id 44 to 192.168.XX.XX:1645
	Service-Type = Login-User
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = 802
	Tunnel-Private-Group-Id:0 = 10
	Cisco-AVPair += "leap:session-key=\305\225\334\314\007\242>1\301\335<\362V\240"R\tUu\033\210\317\306i\265`\335x\020l\006\313+R"
	EAP-Message = 0x0205002b11010018e7b2116d7e8a7a6b15f4a394f1c5aac8b4000a83897eede76a6d6775696c6c656d6f74
	Message-Authenticator = 0x
Finished request 26
Going to the next request
Waking up in 6 seconds...
"
but I'm authenticated in VLAN 30.

I also tried to assign the NAME of the VLAN (with modification in dictionary.tunnel) but no success.

Is it a mis-configuration ? a freeradius problem ? a cisco problem ?...
Any suggestion would be really appreciated.

thanks in advance

Jean-Marie

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html