Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
> As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...

Add

    DEFAULT Auth-Type := Reject

to the bottom of your authorized_macs file.

You might as well move the mac address check up above eap in the authorize section. There's no point going through all the eap processing if you're just going to reject afterwards based on something that could easily have been done first.

Cheers

Matthew

-- 
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote:
> On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
> > As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...
>
>     DEFAULT Auth-Type := Reject

I misread (and replied before I'd seen the other thread from your duplicate message...) - to set the vlan for any users that *don't* match other entries, then add this at the bottom:

    DEFAULT
        Tunnel-Type:0 := VLAN,
        Tunnel-Medium-Type:0 := IEEE-802,
        Tunnel-Private-Group-Id:0 := 999

To Reject, you can do it in authorize. To set the VLAN, as Alan said, post-auth is the better place.

Use := to force the values to be set. = will not change the values if already set by the inner tunnel, etc.

Matthew

-- 
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Fabrizio Vecchi wrote:
> First of all, sorry if my email is very long, I am just trying not to leave any important details out. :)

That's good.

> So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking.

The key thing to remember is that they are two independent pieces. Get them working independently. Then, put the pieces together.

> I can get an auth to be refused if the MAC is not listed in the authorized_macs file, but can't quite put the two things together. Perhaps I am a bit confused with regards to where to put the MAC check.

Put it into authorize.

> For now, I just managed to get the check to work only on the authorization phase in sites-enabled/default, but then the VLAN assignment, which is done in the internal-tunnel, seems to overwrite my changes.

That can be fixed.

> So I tried to put the MAC check in the post-auth section in the default file, but the MAC check doesn't seem to ever work.

Because the users file works differently there.

> Here are the relevant config files:

Which seem to use a reasonable approach.

> As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...

I think part of the problem is you're juggling a lot. You also mentioned MACs and VLANs... and then halfway through the message "Oh, there's an inner-tunnel, too."

Stop with all of your solutions. Instead, write down exactly what you have. Write down what you want to happen in plain English. Write down what should happen, and when. Then, convert it to the configuration.

Your system is using TTLS. OK... I'll ignore the question of *why* you're authenticating unknown MACs. That seems weird.

The debug log shows this:

    [ttls] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = 40

Where did that VLAN come from? Why is it there? If you don't know, that's a huge problem.

Generally, the policies should be arranged like this:

    authorize:
        allow only known kinds of authentication
        decide which authentication method to use
        grab known good passwords

    authenticate:
        run authentication methods

    post-auth:
        return attributes for a successfully authenticated user

In your case, I'd say return to a default configuration. Then, get the MAC address filtering working in post-auth. Once that's working, add VLAN assignment.

Alan DeKok.
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Hi Alan and thanks for the reply.

On 12 October 2013 13:42, Alan DeKok al...@deployingradius.com wrote:
> > So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking.
>
> Get them working independently. Then, put the pieces together.

I managed to get them to work independently, it's the putting together phase that I can't quite crack... :)

> > I can get an auth to be refused if the MAC is not listed in the authorized_macs file, but can't quite put the two things together. Perhaps I am a bit confused with regards to where to put the MAC check.
>
> Put it into authorize.

If I put the MAC check in the authorize section, then I can allow users to use only the devices in the authorized_macs file (unless I am missing something). I would like the users to use any device, but just have a limited access to the network if the device isn't listed in the authorized_macs file...

> > For now, I just managed to get the check to work only on the authorization phase in sites-enabled/default, but then the VLAN assignment, which is done in the internal-tunnel, seems to overwrite my changes.
>
> That can be fixed.
>
> > So I tried to put the MAC check in the post-auth section in the default file, but the MAC check doesn't seem to ever work.
>
> Because the users file works differently there.

Can you point me to some part of the docs that explain what is different, please?

> > Here are the relevant config files:
>
> Which seem to use a reasonable approach.
>
> > As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check...
>
> I think part of the problem is you're juggling a lot. You also mentioned MACs and VLANs... and then halfway through the message "Oh, there's an inner-tunnel, too."
>
> Stop with all of your solutions. Instead, write down exactly what you have. Write down what you want to happen in plain English. Write down what should happen, and when. Then, convert it to the configuration.
>
> Your system is using TTLS. OK... I'll ignore the question of *why* you're authenticating unknown MACs. That seems weird.

What I am trying to achieve is the following:

1. Authenticate the users through LDAP
2. IF the user is using a device listed in the authorized_macs file, then assign a VLAN which depends on the user's LDAP group.
3. IF the user is using another (their own), allow them to access an isolated VLAN, which doesn't allow the device to talk to our servers.

This will allow my colleagues to connect to the Internet with their devices, but not to mess around with our servers in case there is malware installed on them. Does this make sense?

> The debug log shows this:
>
>     [ttls] Got tunneled reply code 2
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = 40
>
> Where did that VLAN come from? Why is it there? If you don't know, that's a huge problem.

SO SORRY! I pasted the sites-available/default file twice! It comes from the post-auth section in the inner-tunnel file. In inner-tunnel, I check if the user belongs to the dept_tech_corporate_it group, and if so, I update the outer request by assigning a VLAN with ID 40. This part of the config works properly, as shown by the following few lines of debug output:

    rlm_ldap::ldap_groupcmp: User found in group cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com
    [ldap] ldap_release_conn: Release Id: 0
    ? Evaluating (LDAP-Group == cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com) -> TRUE

> Generally, the policies should be arranged like this:
>
>     authorize:
>         allow only known kinds of authentication
>         decide which authentication method to use
>         grab known good passwords
>
>     authenticate:
>         run authentication methods
>
>     post-auth:
>         return attributes for a successfully authenticated user
>
> In your case, I'd say return to a default configuration. Then, get the MAC address filtering working in post-auth. Once that's working, add VLAN assignment.

That seems to be an approach similar to the one I am trying to use. I would like to do the check of the MAC address last, so that I can associate the right VLAN to the user. But for some reason this check doesn't seem to work.

I guess at the end of the day my question boils down to the following: where should I put the MAC check, so that the user gets assigned to the right VLAN?

If I put it in the authorize part of sites-enabled/default, the VLAN update request will get overwritten by the post-auth part of sites-enabled/inner-tunnel; and if I put it in the post-auth of the sites-enabled/default file (which gets executed after inner-tunnel), the authorized_macs function always returns noop.

If I could get any pointers towards a working solution, I'd be really grateful.

Thanks,
Fabrizio
Re: Dynamic VLAN assignment depending on LDAP user group and MAC address
Fabrizio Vecchi wrote:
> I guess at the end of the day my question boils down to the following: where should I put the MAC check, so that the user gets assigned to the right VLAN?

In post-auth.

> If I put it in the authorize part of sites-enabled/default, the VLAN update request will get overwritten by the post-auth part of sites-enabled/inner-tunnel;

The default configuration for the inner-tunnel does *not* set a VLAN in post-auth. So one configuration you added prevents you from using another configuration you added.

> and if I put it in the post-auth of the sites-enabled/default file (which gets executed after inner-tunnel), the authorized_macs function always returns noop.

Delete the "set VLAN" stuff from the post-auth of the inner tunnel. As you've seen, it breaks the other configuration you're trying to use.

When you put "authorized_macs" into the post-auth, it runs the post-auth processing. Which doesn't read the users file... as the users file is done only in the authorize section.

You should be able to put "authorized_macs.authorize" in the post-auth section. That will make it process the users file, and do what you want.

Alan DeKok.
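Matthew's point earlier in this thread (":= forces the value, = leaves a value the inner tunnel already set") and Alan's point about where the MAC check belongs can be checked with a small model. The following Python is an added example, not code from the thread or from the FreeRADIUS project: it keeps reply attributes as ordered (name, value) pairs, applies the unlang operators with the semantics Matthew describes, and walks a request for an unlisted device through outer authorize, the TTLS inner tunnel and outer post-auth. The names `update`, `run`, `inner_tunnel` and `assigned_vlan` are mine; the VLAN numbers 36 (guest) and 40 (LDAP group) come from the configuration posted in the thread; and the merge of the inner-tunnel reply into the outer reply is modelled as a replace, which is a simplifying assumption rather than a statement about how rlm_eap_ttls copies attributes.

```python
"""Model of unlang reply-attribute operators and section ordering.

Added example; not code from the thread or from the FreeRADIUS project.
Reply lists are ordered (name, value) pairs. The merge of the inner-tunnel
reply into the outer reply is modelled as ':=' (replace): a simplifying
assumption, not a statement about rlm_eap_ttls internals.
"""
from typing import List, Optional, Set, Tuple

AttrList = List[Tuple[str, str]]


def update(reply: AttrList, pairs: AttrList, op: str) -> AttrList:
    """Apply one 'update reply { ... }' block using a single operator.

    ':=' replaces an existing instance of the attribute, or adds it.
    '='  adds the attribute only when no instance exists yet.
    '+=' always appends another instance.
    """
    out = list(reply)
    for name, value in pairs:
        if op == ":=":
            out = [(n, v) for n, v in out if n != name] + [(name, value)]
        elif op == "=":
            if not any(n == name for n, _ in out):
                out.append((name, value))
        elif op == "+=":
            out.append((name, value))
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return out


def vlan_attrs(vlan: str) -> AttrList:
    """The three RFC 3580 attributes a NAS needs for VLAN assignment."""
    return [("Tunnel-Type", "VLAN"),
            ("Tunnel-Medium-Type", "IEEE-802"),
            ("Tunnel-Private-Group-Id", vlan)]


def get(reply: AttrList, name: str) -> Optional[str]:
    return next((v for n, v in reply if n == name), None)


def inner_tunnel(ldap_groups: Set[str]) -> AttrList:
    """The poster's inner-tunnel post-auth: LDAP group members get VLAN 40 with ':='."""
    return vlan_attrs("40") if "dept_tech_corporate_it" in ldap_groups else []


def run(mac_known: bool, ldap_groups: Set[str], section: str, op: str) -> AttrList:
    """Walk one TTLS request through outer authorize, the inner tunnel and outer post-auth.

    `section` is where the MAC check and the guest-VLAN (36) update live;
    `op` is the operator that update uses.
    """
    if section not in ("authorize", "post-auth"):
        raise ValueError(f"unknown section {section!r}")
    reply: AttrList = []
    if section == "authorize" and not mac_known:
        reply = update(reply, vlan_attrs("36"), op)
    # The inner tunnel runs after outer authorize; its reply is merged into the
    # outer reply (use_tunneled_reply = yes). Modelled as a replace (assumption).
    reply = update(reply, inner_tunnel(ldap_groups), ":=")
    if section == "post-auth" and not mac_known:
        reply = update(reply, vlan_attrs("36"), op)
    return reply


def assigned_vlan(mac_known: bool, ldap_groups: Set[str], section: str, op: str) -> Optional[str]:
    """The Tunnel-Private-Group-Id the NAS would finally see."""
    return get(run(mac_known, ldap_groups, section, op), "Tunnel-Private-Group-Id")


if __name__ == "__main__":
    groups = {"dept_tech_corporate_it"}
    for section, op in (("authorize", ":="), ("post-auth", "="), ("post-auth", ":=")):
        print(f"unknown MAC, update in {section:9} with {op:2}: VLAN "
              f"{assigned_vlan(False, groups, section, op)}")
    print(f"known MAC,   update in post-auth with :=: VLAN "
          f"{assigned_vlan(True, groups, 'post-auth', ':=')}")
```

Running it reproduces both failure modes from the thread: the guest VLAN set in outer authorize is replaced by the inner tunnel's 40, and the guest VLAN set in post-auth with `=` is silently ignored because 40 is already there; only post-auth with `:=` yields 36 for an unlisted device while a listed device keeps 40.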
Dynamic VLAN assignment depending on LDAP user group and MAC address
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave any important details out. :)

In my Company, I'd like to set up a freeradius based wifi authentication following the same principle: first check if a user is using the Company's laptop (or phone) by checking a list of MAC addresses. If the device is in the list, let the user authenticate through LDAP and get a VLAN depending on the user's group; if it's not present, authenticate the user against ldap, but assign the user to a public VLAN, which cannot reach our internal servers. This is basically to take care of users who connect to our network with their own devices, on which we don't have control and that could spread all sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking. I can get an auth to be refused if the MAC is not listed in the authorized_macs file, but can't quite put the two things together. Perhaps I am a bit confused with regards to where to put the MAC check. For now, I just managed to get the check to work only on the authorization phase in sites-enabled/default, but then the VLAN assignment, which is done in the internal-tunnel, seems to overwrite my changes. So I tried to put the MAC check in the post-auth section in the default file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version: 2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf

policy {
    forbid_eap {
        if (EAP-Message) {
            reject
        }
    }

    permit_only_eap {
        if (!EAP-Message) {
            if (!"%{outer.request:EAP-Message}") {
                reject
            }
        }
    }

    deny_realms {
        if (User-Name =~ /@|\\/) {
            reject
        }
    }

    do_not_respond {
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
        handled
    }

    cui_authorize {
        update request {
            Chargeable-User-Identity:='\\000'
        }
    }

    cui_postauth {
        if (FreeRadius-Proxied-To == 127.0.0.1) {
            if (outer.request:Chargeable-User-Identity) {
                update outer.reply {
                    Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
        else {
            if (Chargeable-User-Identity) {
                update reply {
                    Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
    }

    cui_updatedb {
        if (reply:Chargeable-User-Identity) {
            cui
        }
    }

    cui_accounting {
        if (!Chargeable-User-Identity) {
            update control {
                Chargable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
            }
        }
        if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
            cui
        }
    }

    rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }
}

--- modules/files:

files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/preproxy_users
    compat = no
}

files second_files {
    usersfile = ${confdir}/second_users
    acctusersfile = ${confdir}/second_acct_users
    preproxy_usersfile = ${confdir}/second_preproxy_users
}

files authorized_macs {
    key = "%{tolower:%{Calling-Station-ID}}"
    usersfile = ${confdir}/authorized_macs
    compat = no
}

--- authorized_macs

e8-99-c4-a2-39-36
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

--- sites-available/default

authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
}

accounting {
    sql {
        fail = 1
    }
}

session {
    radutmp
    sql {
        fail = 1
    }
}

post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    eap
}

--- sites-available/inner-tunnel

authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
Dynamic VLAN assignment depending on LDAP user group and MAC address
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave any important details out. :)

In my Company, I'd like to set up a freeradius based wifi authentication following the same principle: first check if a user is using the Company's laptop (or phone) by checking a list of MAC addresses. If the device is in the list, let the user authenticate through LDAP and get a VLAN depending on the user's group; if it's not present, authenticate the user against ldap, but assign the user to a public VLAN, which cannot reach our internal servers. This is basically to take care of users who connect to our network with their own devices, on which we don't have control and that could spread all sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking. I can get an auth to be refused if the MAC is not listed in the authorized_macs file, but can't quite put the two things together. Perhaps I am a bit confused with regards to where to put the MAC check. For now, I just managed to get the check to work only on the authorization phase in sites-enabled/default, but then the VLAN assignment, which is done in the internal-tunnel, seems to overwrite my changes. So I tried to put the MAC check in the post-auth section in the default file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version: 2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf

(...)

    rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }
}

--- modules/files:

(...)

files authorized_macs {
    key = "%{tolower:%{Calling-Station-ID}}"
    usersfile = ${confdir}/authorized_macs
    compat = no
}

--- authorized_macs

e8-99-c4-a2-39-36
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

--- sites-available/default

authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
}

accounting {
    sql {
        fail = 1
    }
}

session {
    radutmp
    sql {
        fail = 1
    }
}

post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    eap
}

--- sites-available/inner-tunnel

authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}

authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}

preacct {
    preprocess
    acct_unique
    suffix
}

accounting {
    sql {
        fail = 1
    }
}

session {
    radutmp
    sql {
        fail = 1
    }
}

post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    eap
}

And here is an authentication example, with a device not listed in authorized_macs:

(...)

rad_recv: Access-Request packet from host 192.168.59.202 port 32769, id=129, length=345
    User-Name = fabrizio.vecchi
    Calling-Station-Id = 60-fa-cd-47-1a-44
    Called-Station-Id = 24-01-c7-28-aa-d0:MindCandyAuth
    NAS-Port = 1
    Cisco-AVPair = audit-session-id=ca3ba8c000dede1c5852
    NAS-IP-Address = 192.168.59.202
    NAS-Identifier = Cisco_6e:1f:4f
    Airespace-Wlan-Id = 5
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 36
    EAP-Message = 0x0206005f1580005517030100506509e5008fb8b33c992bdddc007472c4f5d210aa8d535f747241bc99c4cb8785066c7ef4f262c470986626e1d31efc71f0d3b42b80663afc9fdc68715d1ee49c02af509c6b12de0bca5bf5501cba
    State = 0xf1f3e6cbf5f5f3adc22ef694ca5dfcba
    Message-Authenticator = 0xeff670953d883040f13b8dfc42d39849
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail
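To see why the poster's authorized_macs lookup returns noop for an unlisted device, and what Matthew's DEFAULT entries change, here is an added Python example (not code from the thread or from the FreeRADIUS project). It reimplements the rewrite_calling_station_id regex from the posted policy.conf, the lowercased lookup key from the posted files module definition, and a minimal reader for the users-file layout; `parse_users_file`, `authorized_macs` and `decide` are my names, and the authorized_macs contents are constructed from the posted entry plus Matthew's suggested DEFAULT entry. It also goes a little beyond the thread: it shows that a Cisco-style dotted MAC (`e899.c4a2.3936`, a constructed value) is not matched by that regex, so a listed device reported in that form would fall through to the DEFAULT entry.

```python
"""MAC normalisation and authorized_macs lookup, modelled in Python.

Added example; not code from the thread or from the FreeRADIUS project.
The regex is the one from the posted rewrite_calling_station_id policy; the
users-file reader is a minimal one that handles the layout used here
(one key per line, comma-separated items, no quoted commas).
"""
import re
from typing import Dict, List, Tuple

# Regex from the posted policy.conf (rewrite_calling_station_id), case-insensitive.
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed file: the posted authorized_macs entry plus Matthew's DEFAULT entry.
AUTHORIZED_MACS = """\
e8-99-c4-a2-39-36
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

DEFAULT
    Tunnel-Type:0 := VLAN,
    Tunnel-Medium-Type:0 := IEEE-802,
    Tunnel-Private-Group-Id:0 := 999
"""

Item = Tuple[str, str, str]   # (attribute, operator, value)


def rewrite_calling_station_id(value: str) -> str:
    """On a match rewrite to xx-xx-xx-xx-xx-xx; otherwise 'noop', value unchanged."""
    m = MAC_RE.search(value)
    return "-".join(m.groups()) if m else value


def lookup_key(calling_station_id: str) -> str:
    """key = "%{tolower:%{Calling-Station-ID}}" from the posted files module."""
    return calling_station_id.lower()


def parse_item(item: str) -> Item:
    name, op, value = item.strip().split(None, 2)
    return name, op, value.strip('"')


def parse_users_file(text: str) -> List[Dict]:
    """Entries in file order: a key (plus optional check items) on an unindented
    line, reply items on the indented lines that follow."""
    entries: List[Dict] = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            key, _, rest = line.strip().partition(" ")
            checks = [parse_item(i) for i in rest.split(",") if i.strip()]
            entries.append({"key": key, "check": checks, "reply": []})
        else:
            entries[-1]["reply"] += [parse_item(i) for i in line.split(",") if i.strip()]
    return entries


ENTRIES = parse_users_file(AUTHORIZED_MACS)


def authorized_macs(calling_station_id: str, entries: List[Dict]):
    """First entry whose key equals the lookup key (or is DEFAULT) wins, as with
    the files module without Fall-Through. Returns (rcode, check items, reply items)."""
    key = lookup_key(calling_station_id)
    for e in entries:
        if e["key"] in (key, "DEFAULT"):
            return "ok", e["check"], e["reply"]
    return "noop", [], []


def decide(raw_calling_station_id: str, entries: List[Dict]) -> str:
    """Normalise, look up, and summarise what the NAS would be told."""
    csid = rewrite_calling_station_id(raw_calling_station_id)
    rcode, checks, reply = authorized_macs(csid, entries)
    if ("Auth-Type", "Reject") in [(n, v) for n, _, v in checks]:
        return "reject"
    vlan = next((v for n, _, v in reply if n.startswith("Tunnel-Private-Group-Id")), None)
    if vlan is not None:
        return f"vlan {vlan}"
    return "authorized" if rcode == "ok" else "noop"


if __name__ == "__main__":
    for raw in ("E8:99:C4:A2:39:36", "e899c4a23936", "60-fa-cd-47-1a-44", "e899.c4a2.3936"):
        print(f"{raw:20} -> {rewrite_calling_station_id(raw):20} {decide(raw, ENTRIES)}")
```

With only the posted entry (`ENTRIES[:1]`) an unlisted device yields `noop`, which is the result the poster reports; with the DEFAULT entry appended it yields the guest VLAN, and a DEFAULT entry carrying `Auth-Type := Reject` as a check item yields a reject instead.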
Wifi APs Models compatible with by username dynamic vlan assignment
Hello,

I want to perform dynamic VLAN assignment by username through wifi access. I set up this configuration some time ago but it didn't work. I want to know which WiFi APs are compatible and/or what is the term to search for in device specifications ...

Regards,

-- 
Matthew Pideil
Re: Wifi APs Models compatible with by username dynamic vlan assignment
On 3 Oct 2013, at 10:57, matthew pideil matthew.pid...@teledetection.fr wrote:
> Hello,
>
> I want to perform dynamic VLAN assignment by username through wifi access. I set up this configuration some time ago but it didn't work. I want to know which WiFi APs are compatible and/or what is the term to search for in device specifications ...

Look for claimed compliance with RFC3580/RFC4675 in the specifications of your Access-Point.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Dynamic vlan assignment
On Fri, Jul 19, 2013 at 06:03:31PM +0200, Dario Palmisano wrote:
> RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs.
>
> So it seems not to be related to the IOS version, is it? Is there any way to overcome this somehow, if not...

Do you actually need multiple bssids?

mk
Dynamic vlan assignment
Hello Everybody,

I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the access point) is statically assigned. Now I would like to implement a dynamic vlan assignment on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address from DHCP (it shows as 169.254.120.248), so remaining isolated.

I carefully followed instructions (regarding the access point and freeradius) and searched the web for a possible reason, but unsuccessfully. I am not sure the problem is not in the access point configuration (a CISCO AP1131AG), anyway the access point receives the indication to use the specified vlan.

I will appreciate any suggestion you would like to provide

Thanks and regards
Dario

P.S.: I know the request is quite generic, but I am ready to provide radius log, or configuration files.
Re: Dynamic vlan assignment
On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org wrote:
> Hello Everybody,
>
> I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the access point) is statically assigned. Now I would like to implement a dynamic vlan assignment on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address from DHCP (it shows as 169.254.120.248), so remaining isolated.
>
> I carefully followed instructions (regarding the access point and freeradius) and searched the web for a possible reason, but unsuccessfully. I am not sure the problem is not in the access point configuration (a CISCO AP1131AG), anyway the access point receives the indication to use the specified vlan.

You want to post the contents of an Access-Accept so we can check you're sending the correct attributes

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Dynamic vlan assignment
Hi,

> I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the access point) is statically assigned.

there are hundreds of sites using this sort of configuration for eduroam - so it's perfectly possible and fine (and standard!) so you're going wrong somewhere. so, that's the peace of mind part.

where has it gone wrong? well, firstly, is there DHCP etc on the VLAN this client is being dropped onto? have you tested the network? what happens if the AP only handles that VLAN?

is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.

are you returning ALL the VLAN attributes needed to assign VLAN on the AP? not JUST the VLAN number..name ah yes, are you sending NAME or VLAN in the VLAN tag?

are you sending the replies from the tunnel = check eap.conf settings!

debug output helps a lot so yes, send it.

alan
Re: Dynamic vlan assignment
On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
> On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org wrote:
> > Hello Everybody,
> >
> > I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the access point) is statically assigned. Now I would like to implement a dynamic vlan assignment on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address from DHCP (it shows as 169.254.120.248), so remaining isolated.
> >
> > I carefully followed instructions (regarding the access point and freeradius) and searched the web for a possible reason, but unsuccessfully. I am not sure the problem is not in the access point configuration (a CISCO AP1131AG), anyway the access point receives the indication to use the specified vlan.
>
> You want to post the contents of an Access-Accept so we can check you're sending the correct attributes
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team

Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected.

http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

Thanks for your quick answer
Re: Dynamic vlan assignment
You are right, I know!

On Friday 19 July 2013 15:52:43 a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
> > I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the access point) is statically assigned.
>
> there are hundreds of sites using this sort of configuration for eduroam - so it's perfectly possible and fine (and standard!) so you're going wrong somewhere. so, that's the peace of mind part.
>
> where has it gone wrong? well, firstly, is there DHCP etc on the VLAN this client is being dropped onto? have you tested the network? what happens if the AP only handles that VLAN?

The specific configuration works fine if I remove the following line from the users file:

    Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

In this case the user is placed in the vlan 220 (the one statically configured in the access point).

> is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.

This could be the problem, I found something in the Cisco documentation but was unsure the problem could be this. The access point is running

    Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JDA3, RELEASE SOFTWARE (fc1)

I will try to verify what you say on the cisco site. My access points are End Of Life, I do not know if any new IOS version has been developed to eventually correct the problem you say.

> are you returning ALL the VLAN attributes needed to assign VLAN on the AP? not JUST the VLAN number..name ah yes, are you sending NAME or VLAN in the VLAN tag?

number

> are you sending the replies from the tunnel = check eap.conf settings!

eap.conf (in peap stanza) says:

    copy_request_to_tunnel = yes
    use_tunneled_reply = yes

> debug output helps a lot so yes, send it.
>
> alan

Thanks for your directions (many)
Dario
Re: Dynamic vlan assignment
On 19 Jul 2013, at 15:10, Dario Palmisano dario.palmis...@icgeb.org wrote:
> On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
> > On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org wrote:
> > > Hello Everybody,
> > >
> > > I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the access point) is statically assigned. Now I would like to implement a dynamic vlan assignment on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address from DHCP (it shows as 169.254.120.248), so remaining isolated.
> > >
> > > I carefully followed instructions (regarding the access point and freeradius) and searched the web for a possible reason, but unsuccessfully. I am not sure the problem is not in the access point configuration (a CISCO AP1131AG), anyway the access point receives the indication to use the specified vlan.
> >
> > You want to post the contents of an Access-Accept so we can check you're sending the correct attributes
> >
> > Arran Cudbard-Bell a.cudba...@freeradius.org
> > FreeRADIUS Development Team
>
> Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected.
>
> http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

For everyone following along at home:

    Sending Access-Accept of id 189 to 172.16.254.45 port 1645
        Tunnel-Type:0 := VLAN
        Tunnel-Medium-Type:0 := IEEE-802
        Tunnel-Private-Group-Id:0 := 220
        User-Name = palmi
        MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
        MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x

Which looks ok to me. I'm guessing VLAN 220 is actually configured on the NAS? Some also require you to send back 'Service-Type = Framed-User'.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
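Arran's "which looks ok to me" and Alan's "are you returning ALL the VLAN attributes ... NAME or VLAN" can be turned into a check that runs over debug output like the listing above. The following Python is an added example, not code from the thread or from the FreeRADIUS project: it parses attribute lines in the debug format shown above, verifies that the three RFC 3580 tunnel attributes are present with the expected values and a consistent tag, and notes whether Tunnel-Private-Group-Id carries a numeric VLAN ID or a VLAN name. `parse_reply`, `check_vlan_reply` and `vlan_of` are my names; the sample Access-Accept is copied from the message above with the MPPE key material shortened.

```python
"""Check an Access-Accept for the RFC 3580 VLAN attributes.

Added example; not code from the thread or from the FreeRADIUS project.
Input is the attribute listing format of FreeRADIUS debug output.
"""
import re
from typing import Dict, List, Tuple

# Copied from the Access-Accept in the message above; key material shortened.
ACCESS_ACCEPT = """\
Sending Access-Accept of id 189 to 172.16.254.45 port 1645
    Tunnel-Type:0 := VLAN
    Tunnel-Medium-Type:0 := IEEE-802
    Tunnel-Private-Group-Id:0 := 220
    User-Name = palmi
    MS-MPPE-Recv-Key = 0xf308f970...
    MS-MPPE-Send-Key = 0xa6896132...
    EAP-Message = 0x030a0004
    Message-Authenticator = 0x
"""

# Name[:tag] operator value; the 'Sending ...' header line has no operator and is skipped.
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(:=|\+=|=)\s*(.*?)\s*$")
TUNNEL_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


def parse_reply(text: str) -> List[Dict]:
    attrs = []
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, tag, op, value = m.groups()
            attrs.append({"name": name, "tag": tag, "op": op, "value": value.strip('"')})
    return attrs


def check_vlan_reply(attrs: List[Dict]) -> Tuple[bool, List[str]]:
    """Returns (ok, findings). 'error:' findings make ok False; 'note:' findings do not."""
    findings: List[str] = []
    found = {a["name"]: a for a in attrs if a["name"] in TUNNEL_ATTRS}
    for name in TUNNEL_ATTRS:
        if name not in found:
            findings.append(f"error: missing {name}")
    # RFC 3580 values: Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6).
    expected = {"Tunnel-Type": ("VLAN", "13"), "Tunnel-Medium-Type": ("IEEE-802", "6")}
    for name, good in expected.items():
        if name in found and found[name]["value"] not in good:
            findings.append(f"error: {name} is {found[name]['value']!r}, expected {good[0]} ({good[1]})")
    # All three must carry the same tag (or none) to be treated as one tunnel.
    tags = {a["tag"] for a in found.values()}
    if len(tags) > 1:
        findings.append("error: tag mismatch across tunnel attributes: " + ", ".join(sorted(map(str, tags))))
    gid = found.get("Tunnel-Private-Group-Id")
    if gid is not None and not gid["value"].isdigit():
        findings.append(f"note: Tunnel-Private-Group-Id {gid['value']!r} is a VLAN name, not an ID; "
                        "the NAS must know that name")
    ok = not any(f.startswith("error:") for f in findings)
    return ok, findings


def vlan_of(attrs: List[Dict]):
    return next((a["value"] for a in attrs if a["name"] == "Tunnel-Private-Group-Id"), None)


if __name__ == "__main__":
    attrs = parse_reply(ACCESS_ACCEPT)
    ok, findings = check_vlan_reply(attrs)
    print("ok" if ok else "problems", findings, "vlan:", vlan_of(attrs))
```

The posted Access-Accept passes, which agrees with Arran's reading; the same check flags a reply that drops Tunnel-Medium-Type or mixes tags, the two omissions Alan's questions are aimed at.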
Re: Dynamic vlan assignment
Hi,

> The specific configuration works fine if I remove the following line from the users file:
>
>     Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

    Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = 218

alan
Re: Dynamic vlan assignment
Hi,

> Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected.
>
> http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

please don't ask me to visit random web sites that require you to click on things etc. just email the output to this list.

alan
Re: Dynamic vlan assignment
On Friday 19 July 2013 16:29:57 Arran Cudbard-Bell wrote: On 19 Jul 2013, at 15:10, Dario Palmisano dario.palmis...@icgeb.org wrote: On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote: On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org wrote: Hello Everybody, I am configuring my freeradius to be integrated in the EDUROAM federation. It works when the VLAN (as configured in the accesspoint) is statically assigned. Now I would like to implement a dynamic vlan assignment on a per user basis; in this case the Macintosh I am using for test gets authenticated but is not able to get the ip address frm DHCP (it shows as 169.254.120.248), so remaing isolated. I carefully followed instructions (regarding the accesspoint and freeradius) and searched the web for a possible reason, but unsuccessfully. I am not sure the problem is not in the accesspoint configuration (a CISCO AP1131AG), anyway the accesspoint receives the indication to use the specified vlan. You want to post the contents of an Access-Accept so we can check you're sending the correct attributes Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Here you can download the (almost complete) debug log. Near the end I added a text to make evident when I disconnected. http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.p hp?lang=en For everyone following along at home: Sending Access-Accept of id 189 to 172.16.254.45 port 1645 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := 220 User-Name = palmi MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2 EAP-Message = 0x030a0004 Message-Authenticator = 0x Which looks ok to me. I'm guessing VLAN 220 is actually configured on the NAS? 
Some also require you to send back 'Service-Type = Framed-User'.

Yes vlan 220 is assigned (statically) to XXX-WPA SSID.

If file users contains:

    palmi   Huntgroup-Name == WIFI, Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
            Tunnel-Type := VLAN,
            Tunnel-Medium-Type := IEEE-802,
            Tunnel-Private-Group-ID := 218

and I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it does not work. If I connect to SSID XXX-ER (assigned in accesspoint to vlan 218) it works.

If file users contains:

    palmi   Huntgroup-Name == WIFI, Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
            Tunnel-Type := VLAN,
            Tunnel-Medium-Type := IEEE-802,
            Tunnel-Private-Group-ID := 220

if I connect to SSID XXX-ER (assigned in accesspoint to vlan 218), it does not work, if I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it works.

Modifying users file as suggested:

    palmi   Huntgroup-Name == WIFI, Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
            Service-Type := Framed-User,
            Tunnel-Type := VLAN,
            Tunnel-Medium-Type := IEEE-802,
            Tunnel-Private-Group-ID := 220

did not change the result.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Dynamic vlan assignment
On Friday 19 July 2013 16:54:13 a.l.m.bu...@lboro.ac.uk wrote:

Hi,

The specific configuration works fine I remove the following line from users file:

    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-ID := 218

    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-ID = 218

Same result, do not get the ip, it is isolated.

alan
Re: Dynamic vlan assignment
On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:

is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.

This could be the problem, I found something in the Cisco documentation but was unsure the problem could be this. The accesspoint is running

If you have mbssid configured on the AP then user cannot be switched to a different vlan than the one bound to the ssid this user is connected to.

Can you actually check if/how the user is associated on the AP?

    show dot11 associations

shows the associated clients and

    show dot11 associations <mac address>

shows the specific client detail information including the vlan.

mk
Re: Dynamic vlan assignment
At the end, thanks to the list suggestions I found in the cisco docs the sentence:

Keep these guidelines in mind when configuring multiple BSSIDs: RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs.

So it seems not to be related to the IOS version, is it? Is there any way to overcome this somehow, if not...

Thanks everybody for the kind cooperation

Best regards
Dario

On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:

is this a 'fat/autonomous' AP? if so, then only latest firmware can handle multiple VLANS per 802.1X SSID with multiple BSSIDs present.

This could be the problem, I found something in the Cisco documentation but was unsure the problem could be this. The accesspoint is running

If you have mbssid configured on the AP then user cannot be switched to a different vlan than the one bound to the ssid this user is connected to.

I have such configuration!

Can you actually check if/how the user is associated on the AP?

    show dot11 associations

shows the associated clients and

    show dot11 associations <mac address>

shows the specific client detail information including the vlan.

mk

__
Dario Palmisano
ICGEB Computer System Network Administrator
Tel: +39 040 3757330
Fax: +39 040 226555
E-Mail: dario.palmis...@icgeb.org
International Centre for Genetic Engineering and Biotechnology
Area Science Park, Padriciano 99, I-34149 Trieste, ITALY
__
Re: Dynamic vlan assignment
I'm sure there was some late in the day ios updates for 1130 series AP. this stuff works with capwap/lwapp 1131 anyway.

if MBSSID is not supported with dynamic vlan assignment so don't use mbssid, use guest mode instead.

alan
Re: Dynamic vlan assignment with ldap groups
Hi guys

I had to also set the *use_tunneled_reply=yes* in the eap.conf to get the Dynamic vlan assignment to work

On 12 July 2013 19:42, val john valjohn1...@gmail.com wrote:

Hi guys,

Small question, do i need to import radius ldap schema (items like radiusprofiles) to our ldap server to get this VLAN assignment work

Thank You
john

On 12 July 2013 18:39, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

Hi guys,

i have a freeradius setup that works with ldap group authentication, i also need to configure the dynamic VLAN assignment, so i configured the users file as follows,

    DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 100,
            Reply-Message = "You are Accepted"

    DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 200,
            Reply-Message = "You are Accepted"

    DEFAULT Auth-Type := Reject

Do i need any other configuration file to be edited to get VLAN assignment to work ..? or just users file is enough

Just users file is fine.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Dynamic vlan assignment with ldap groups
Hi guys,

i have a freeradius setup that works with ldap group authentication, i also need to configure the dynamic VLAN assignment, so i configured the users file as follows,

    DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 100,
            Reply-Message = "You are Accepted"

    DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 200,
            Reply-Message = "You are Accepted"

    DEFAULT Auth-Type := Reject

Do i need any other configuration file to be edited to get VLAN assignment to work ..? or just users file is enough

Please advice

Thank You
John
Re: Dynamic vlan assignment with ldap groups
On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

Hi guys,

i have a freeradius setup that works with ldap group authentication, i also need to configure the dynamic VLAN assignment, so i configured the users file as follows,

    DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 100,
            Reply-Message = "You are Accepted"

    DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 200,
            Reply-Message = "You are Accepted"

    DEFAULT Auth-Type := Reject

Do i need any other configuration file to be edited to get VLAN assignment to work ..? or just users file is enough

Just users file is fine.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Dynamic vlan assignment with ldap groups
Hi guys,

Small question, do i need to import radius ldap schema (items like radiusprofiles) to our ldap server to get this VLAN assignment work

Thank You
john

On 12 July 2013 18:39, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

Hi guys,

i have a freeradius setup that works with ldap group authentication, i also need to configure the dynamic VLAN assignment, so i configured the users file as follows,

    DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 100,
            Reply-Message = "You are Accepted"

    DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 200,
            Reply-Message = "You are Accepted"

    DEFAULT Auth-Type := Reject

Do i need any other configuration file to be edited to get VLAN assignment to work ..? or just users file is enough

Just users file is fine.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
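How the users file entries in this thread are walked, as an added illustration written for this archive rather than code from FreeRADIUS or the posters: a simplified Python model of rlm_files matching (DEFAULT entries, Ldap-Group checks, Auth-Type := Reject, first match wins, and the difference between = and := on reply items when the inner tunnel has already set a value, which is what use_tunneled_reply brings into play). The users text, the user name john and the group DNs are constructed from the thread's entries; Ldap-Group is assumed to be pre-resolved into a set of DNs, where the real server has rlm_ldap resolve it on demand.

```python
"""Simplified model of how FreeRADIUS rlm_files walks a 'users' file.
Added illustration, not FreeRADIUS code. It models only what the thread
relies on: DEFAULT entries, '==' / '!=' check items, ':=' on a control
item such as Auth-Type, reply operators '=' (add only if absent) and ':='
(force), and first-match-wins unless the entry sets Fall-Through = Yes.
Ldap-Group is given as a pre-resolved set of group DNs on the request."""
import re
from dataclasses import dataclass, field

ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|!=|=)\s*(.+?)\s*$')

@dataclass
class Entry:
    name: str                                   # user name or DEFAULT
    checks: list = field(default_factory=list)  # (attr, op, value) tuples
    replies: list = field(default_factory=list)

def split_items(line):
    """Split 'a = 1, b = "x, y"' on commas that are outside double quotes."""
    items, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ',' and not quoted:
            items.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append(''.join(buf))
    return [i.strip() for i in items if i.strip()]

def parse_item(item):
    attr, op, value = ITEM_RE.match(item).groups()
    return attr, op, value.strip('"')

def parse_users(text):
    entries, cur = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue
        if raw[0] not in ' \t':               # column 0: NAME [check items]
            parts = raw.split(None, 1)
            checks = split_items(parts[1]) if len(parts) > 1 else []
            cur = Entry(parts[0], [parse_item(i) for i in checks])
            entries.append(cur)
        else:                                  # indented: reply items
            cur.replies.extend(parse_item(i) for i in split_items(raw))
    return entries

def check_matches(op, have, want):
    # multi-valued attributes (Ldap-Group) arrive as a set of strings
    values = have if isinstance(have, set) else ({have} if have is not None else set())
    if op == '==':
        return want in values
    if op == '!=':
        return want not in values
    raise ValueError(f'unsupported check operator {op}')

def evaluate(entries, request, reply=None):
    """Walk entries in order; return (control, reply) as rlm_files leaves them."""
    control, reply = {}, dict(reply or {})
    for e in entries:
        if e.name != 'DEFAULT' and e.name != request.get('User-Name'):
            continue
        tests = [c for c in e.checks if c[1] != ':=']
        if not all(check_matches(op, request.get(a), v) for a, op, v in tests):
            continue
        # ':=' in the check list sets a control item (Auth-Type := Reject)
        control.update({a: v for a, op, v in e.checks if op == ':='})
        fall_through = False
        for attr, op, value in e.replies:
            if attr == 'Fall-Through':
                fall_through = value.lower() == 'yes'
            elif op == ':=' or (op == '=' and attr not in reply):
                reply[attr] = value          # '=' never overrides an existing value
        if not fall_through:
            break                            # first matching entry wins
    return control, reply

# Constructed sample in the shape used in the thread (values with commas quoted)
USERS = '''
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 100,
        Reply-Message = "You are Accepted"
DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 200,
        Reply-Message = "You are Accepted"
DEFAULT Auth-Type := Reject
'''
USERS_FORCED = USERS.replace(' = ', ' := ')   # same entries, reply items forced

def assign(groups, users=USERS, inner_reply=None):
    """VLAN decision for a user whose resolved group DNs are `groups`."""
    request = {'User-Name': 'john', 'Ldap-Group': set(groups)}
    return evaluate(parse_users(users), request, inner_reply)
```

With a reply already populated by the inner tunnel, the `=` form leaves the inner VLAN in place while the `:=` form replaces it.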
Re: Active Directory + LDAP + groups for dynamic VLAN assignment
On Wednesday, 9 January 2013, 16:51:22, Matthew Ceroni wrote:

Hi:

I am using FreeRadius version 2.1.12 on CentOS6. I am authenticating against Active Directory (that works). And authorizing against LDAP (that works as well).

I am trying to return attributes, used for VLAN assignment, based on the usersDN. In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the following

    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap

    if (control:Ldap-UserDn =~ /OU=QA/) {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 7
        }
    }
    elsif (control:Ldap-UserDn =~ /OU=IT/) {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 2
        }
    }
    else {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 21
        }
    }

In the authorize section. That works, when authorize is done it queries LDAP successfully. Looking through the radius debug I see the IF statements processing:

    rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0, length=122
        User-Name = mceroni
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = 02-00-00-00-00-01
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x020c016d6365726f6e69
        Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = mceroni, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = mceroni, looking up realm NULL
    [ntdomain] No such realm NULL
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 12
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    [ldap] performing user authorization for mceroni
    [ldap] expand: %{Stripped-User-Name} ->
    [ldap] ... expanding second conditional
    [ldap] expand: %{User-Name} -> mceroni
    [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=mceroni)
    [ldap] expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail OU,dc=clairmail,dc=local
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] attempting LDAP reconnection
    [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0
    [ldap] bind as svnadmin@clairmail.local/iBis93sLit+ to cmad01.clairmail.local:389
    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with filter (samAccountName=mceroni)
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user mceroni authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++? if (control:Ldap-UserDn =~ /OU=QA/)
    ? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
    ++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
    ++? elsif (control:Ldap-UserDn =~ /OU=IT/)
    ? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
    ++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
    ++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}
    +++[reply] returns ok

And it appears to set the attributes:

    +[pap] returns noop
    ++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/)
        expand: %{request:User-Name} -> mceroni
    ? Evaluating (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
    ++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
        Tunnel-Type:1 = VLAN
        Tunnel-Medium-Type:1 = IEEE-802
        Tunnel-Private-Group-Id:1 = 2
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0x2a1689d42a17904c9b87561fac99b7b3
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from
Active Directory + LDAP + groups for dynamic VLAN assignment
Hi:

I am using FreeRadius version 2.1.12 on CentOS6. I am authenticating against Active Directory (that works). And authorizing against LDAP (that works as well).

I am trying to return attributes, used for VLAN assignment, based on the usersDN. In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the following

    #
    #  The ldap module will set Auth-Type to LDAP if it has not
    #  already been set
    ldap

    if (control:Ldap-UserDn =~ /OU=QA/) {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 7
        }
    }
    elsif (control:Ldap-UserDn =~ /OU=IT/) {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 2
        }
    }
    else {
        update reply {
            Tunnel-Type:1 := 13
            Tunnel-Medium-Type:1 := 6
            Tunnel-Private-Group-Id:1 := 21
        }
    }

In the authorize section. That works, when authorize is done it queries LDAP successfully. Looking through the radius debug I see the IF statements processing:

    rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0, length=122
        User-Name = mceroni
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = 02-00-00-00-00-01
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = CONNECT 11Mbps 802.11b
        EAP-Message = 0x020c016d6365726f6e69
        Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = mceroni, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = mceroni, looking up realm NULL
    [ntdomain] No such realm NULL
    ++[ntdomain] returns noop
    [eap] EAP packet type response id 0 length 12
    [eap] No EAP Start, assuming it's an on-going EAP conversation
    ++[eap] returns updated
    ++[files] returns noop
    [ldap] performing user authorization for mceroni
    [ldap] expand: %{Stripped-User-Name} ->
    [ldap] ... expanding second conditional
    [ldap] expand: %{User-Name} -> mceroni
    [ldap] expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=mceroni)
    [ldap] expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail OU,dc=clairmail,dc=local
    [ldap] ldap_get_conn: Checking Id: 0
    [ldap] ldap_get_conn: Got Id: 0
    [ldap] attempting LDAP reconnection
    [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0
    [ldap] bind as svnadmin@clairmail.local/iBis93sLit+ to cmad01.clairmail.local:389
    [ldap] waiting for bind result ...
    [ldap] Bind was successful
    [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with filter (samAccountName=mceroni)
    [ldap] looking for check items in directory...
    [ldap] looking for reply items in directory...
    WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
    [ldap] user mceroni authorized to use remote access
    [ldap] ldap_release_conn: Release Id: 0
    ++[ldap] returns ok
    ++? if (control:Ldap-UserDn =~ /OU=QA/)
    ? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
    ++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
    ++? elsif (control:Ldap-UserDn =~ /OU=IT/)
    ? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
    ++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
    ++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}
    +++[reply] returns ok

And it appears to set the attributes:

    +[pap] returns noop
    ++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/)
        expand: %{request:User-Name} -> mceroni
    ? Evaluating (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
    ++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
    Found Auth-Type = EAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group authenticate {...}
    [eap] EAP Identity
    [eap] processing type tls
    [tls] Initiate
    [tls] Start returned 1
    ++[eap] returns handled
    Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
        Tunnel-Type:1 = VLAN
        Tunnel-Medium-Type:1 = IEEE-802
        Tunnel-Private-Group-Id:1 = 2
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x
        State = 0x2a1689d42a17904c9b87561fac99b7b3
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1, length=250
        User-Name = mceroni
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = 02-00-00-00-00-01
        Framed-MTU = 1400
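What `Tunnel-Type:1 := 13`, `Tunnel-Medium-Type:1 := 6` and `Tunnel-Private-Group-Id:1 := 7` become on the wire, as an added example written for this archive (not FreeRADIUS code): an RFC 2868 tagged-attribute encoder and decoder, plus the consistency check a NAS applies before it honours a VLAN, so a captured Access-Accept can be verified rather than eyeballed. Attribute numbers and the VLAN/IEEE-802 values are from RFC 2868; the function names and sample VLAN ids are constructed.

```python
"""RFC 2868 tagged tunnel attributes as they travel to the NAS.
Added illustration, not FreeRADIUS code. 'Tunnel-Type:1 := 13' in unlang
means attribute 64, tag 1, value 13 (VLAN); a NAS only acts on a VLAN when
Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID carry the
same tag and the first two say VLAN / IEEE-802."""

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                 # dictionary values behind VLAN / IEEE-802
INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}


def encode_tagged(attr, tag, value):
    """Build one AVP: Type, Length, Tag, then a 3-byte integer or a string."""
    if not 0 <= tag <= 0x1F:
        raise ValueError('tag must be 0..31 (0 = untagged)')
    if attr in INTEGER_ATTRS:
        if not 0 <= value < 1 << 24:
            raise ValueError('tagged integers are 24-bit')
        body = bytes([tag]) + value.to_bytes(3, 'big')
    else:
        body = bytes([tag]) + value.encode()
    if len(body) + 2 > 255:
        raise ValueError('AVP too long')
    return bytes([attr, len(body) + 2]) + body


def decode_attrs(data):
    """Return [(attr, tag, value)] for a buffer of AVPs. For the string
    attribute a first byte above 0x1F is data, not a tag (RFC 2868 3.6)."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError('truncated AVP header')
        attr, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError('malformed AVP length')
        body = data[i + 2:i + length]
        i += length
        if attr in INTEGER_ATTRS:
            if length != 6:
                raise ValueError('tagged integer AVP must be 6 bytes')
            out.append((attr, body[0], int.from_bytes(body[1:], 'big')))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] > 0x1F:
                out.append((attr, None, body.decode()))
            else:
                out.append((attr, body[0], body[1:].decode()))
        else:
            out.append((attr, None, bytes(body)))   # anything else, raw
    return out


def vlan_reply(tag, vlan_id):
    """The three AVPs a VLAN-assigning Access-Accept carries, under one tag."""
    return (encode_tagged(TUNNEL_TYPE, tag, VLAN)
            + encode_tagged(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + encode_tagged(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def assigned_vlans(data):
    """What a NAS can act on: {tag: vlan} only where the triple is complete
    and consistent; tag 0 and an untagged string both count as 'no tag'."""
    by_tag = {}
    for attr, tag, value in decode_attrs(data):
        by_tag.setdefault(tag or None, {})[attr] = value
    return {tag: attrs[TUNNEL_PRIVATE_GROUP_ID] for tag, attrs in by_tag.items()
            if attrs.get(TUNNEL_TYPE) == VLAN
            and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
            and TUNNEL_PRIVATE_GROUP_ID in attrs}
```

A Tunnel-Private-Group-ID sent on its own, or with a tag that differs from the other two attributes, yields an empty result, which is the failure mode to look for when a reply "looks right" in the debug output but the client still lands on the wrong VLAN.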
LDAP Groups and Dynamic VLAN assignment
hi guys,

i want to assign VLAN based on groups entry and users on LDAP server. Actually my schema is divided in this way:

    ou=groups
      -- cn=admin-vlan (with radiusProfile and items to set VLAN ID)
      -- cn=dev-vlan
    ou=people
      -- cn=testusers (that is a uniqueMember of admin-vlan)

the only configuration that works is:

ldap conf:

    ldap server1 {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "x.x.x.x"
        identity = "cn=Administrator,dc=mydomain,dc=com"
        password = passs
        basedn = "dc=mydomain,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
    }

users file:

    DEFAULT Ldap-Group == admin-vlan
            Service-Type = Framed-User,
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-ID = 10

    DEFAULT Ldap-Group == dev-vlan
            Service-Type = Framed-User,
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-ID = 9

    DEFAULT LDAP-Group != admin-vlan, Auth-Type := Reject
    DEFAULT LDAP-Group != dev-vlan, Auth-Type := Reject

there is a possibility to get Tunnel-Private-Group-ID and others from the LDAP groups and not users file? i've read many times docs/rlm_ldap but cant get out of this problem :(

Is it possible to do this configuration in conjunction with redundant ldap configuration??

thanks!
Re: LDAP Groups and Dynamic VLAN assignment
stich86 stic...@gmail.com wrote:

there is a possibility to get Tunnel-Private-Group-ID and others from the LDAP groups and not users file? i've read many times docs/rlm_ldap but cant get out of this problem :(

Next time, try the freeradius-users@ archive too (true of *any* mailing list)?

Is it possible to do this configuration in conjunction with redundant ldap configuration??

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg71133.html

Cheers

--
Alexander Clouter
.sigmonster says: Is there life before breakfast?
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
schilling schilling2...@gmail.com wrote:

Thanks a lot. More questions.

If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

First things first, did you get it all working? If not, start there.

When I say 'lower the load', all it does is reduce the number of EAP packets from about 12 to 4 that are needed for a session resumption; but also means you only need two LDAP lookups rather than 12. So your AD load will go from 0.01 to 0.01 or something. I am bigging up the numbers more than it is worth (although the latency bit is possibly handy for roaming devices).

I am trying to follow your comment on this. I now realized we used to run eDir and now converted to iplanet directory. Anyway, do I still need to enable the compilation --with-edir option as stated below? My guess is yes since otherwise, I could not call ldap in the post-auth section in auth virtual server for eap.

    ##etc/raddb/modules/ldap
    # Un-comment the following to disable Novell
    # eDirectory account policy check and intruder
    # detection. This will work *only if* FreeRADIUS is
    # configured to build with --with-edir option.
    #
    #edir_account_policy_check = no

What I want to do is just to check some attribute in our ldap server, our structure is like the following:

    # extended LDIF
    #
    # LDAPv3
    # base <ou=people,dc=foo,dc=edu> with scope subtree
    # filter: uid=sding
    # requesting: ALL
    #

    # sding, People, foo.edu
    dn: uid=sding,ou=People,dc=foo,dc=edu
    ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
    fooEduPSHRdeptName: Information Technology Service (ITS)
    fooEduPSHRDepartmentNumber: 123456
    fooEduEmployeeStatus: Active
    employeeStatus: Active
    uid: sding

The eDir bits are probably not needed as you are using mschap with those 'ntPassword' attributes. eDir has 'universal password' which is a sales monkey's way of saying the password is available in plaintext if required.

Sounds like to me you do not currently have FreeRADIUS setup working the way you want it to?

I would like to cache the following attribute/value in your example cache_ldap-userdn.pm, so I can use these values as logic to assign user to different VLANs. Can I do that in your pm?

    fooEduPSHRdeptName: Information Technology Service (ITS)
    fooEduPSHRDepartmentNumber: 123456
    fooEduEmployeeStatus: Active
    employeeStatus: Active

Looks like 'employeeStatus' should go in as part of your user filter, but to do the others I would need to generalise my Perl module. Easily done, but I'm not going to do it before I know you actually have it already working. :)

/me pats sigmonster and gives it a cookie

Cheers

--
Alexander Clouter
.sigmonster says: Success is a journey, not a destination.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
I believe I resolved this. I used eapol_test to get all wanted result, and will try on real NAS later on. The following is what I did.

Basically I followed Alexander's example, Modified peap section in eap.conf to use another virtual server auth instead of inner-tunnel virtual server. I almost blindly copied Alexander's example in auth server except I removed the reject for the realm checks. The ldap cache pm is not needed in my case since I do not query windows AD via LDAP to get their attributes. If I want to do ldap after ntlm against AD, then Alexander's pm might be needed.

Then I want to map certain attribute like employeeStatus from our iPlanet ldap server to some radius attribute, so I can manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary

    ATTRIBUTE My-Local-employeeStatus 3000 string

and the following line in etc/raddb/ldap.attrmap

    #FOO specific attributes
    replyItem My-Local-employeeStatus employeeStatus

Without these two line addition, radius will complain unknown attribute.

Then in the post-auth section

    #default will have no Tunnel attribute/value, instead, they will be configured on
    #the NAS to go to student VLANs.

    # this will cover my ldap ntPassword authentication/authorization
    #facstaff have employeeStatus set while student does not
    if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
        update reply {
            Service-Type = Framed-User
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = facstaff
        }
    }

    #this will cover my AD ntlm auth, People in AD are all facstaff
    if ( "%{User-Name}" !~ /@/ ) {
        update reply {
            Service-Type = Framed-User
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = facstaff
        }
    }

In this way, people can map arbitrary attribute from ldap to radius, if not in dictionary/ldap.attrmap, then just define your own. Then you have flexibility of using these attribute/value in your logic at post-auth section.

Thanks all for the hints and help!

Schilling

On Tue, Jan 25, 2011 at 4:23 AM, Alexander Clouter a...@digriz.org.uk wrote:

schilling schilling2...@gmail.com wrote:

Thanks a lot. More questions.

If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

First things first, did you get it all working? If not, start there.

When I say 'lower the load', all it does is reduce the number of EAP packets from about 12 to 4 that are needed for a session resumption; but also means you only need two LDAP lookups rather than 12. So your AD load will go from 0.01 to 0.01 or something. I am bigging up the numbers more than it is worth (although the latency bit is possibly handy for roaming devices).

I am trying to follow your comment on this. I now realized we used to run eDir and now converted to iplanet directory. Anyway, do I still need to enable the compilation --with-edir option as stated below? My guess is yes since otherwise, I could not call ldap in the post-auth section in auth virtual server for eap.

    ##etc/raddb/modules/ldap
    # Un-comment the following to disable Novell
    # eDirectory account policy check and intruder
    # detection. This will work *only if* FreeRADIUS is
    # configured to build with --with-edir option.
    #
    #edir_account_policy_check = no

What I want to do is just to check some attribute in our ldap server, our structure is like the following:

    # extended LDIF
    #
    # LDAPv3
    # base <ou=people,dc=foo,dc=edu> with scope subtree
    # filter: uid=sding
    # requesting: ALL
    #

    # sding, People, foo.edu
    dn: uid=sding,ou=People,dc=foo,dc=edu
    ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
    fooEduPSHRdeptName: Information Technology Service (ITS)
    fooEduPSHRDepartmentNumber: 123456
    fooEduEmployeeStatus: Active
    employeeStatus: Active
    uid: sding

The eDir bits are probably not needed as you are using mschap with those 'ntPassword' attributes. eDir has 'universal password' which is a sales monkey's way of saying the password is available in plaintext if required.

Sounds like to me you do not currently have FreeRADIUS setup working the way you want it to?

I would like to cache the following attribute/value in your example cache_ldap-userdn.pm, so I can use these values as logic to assign user to different VLANs. Can I do that in your pm?

    fooEduPSHRdeptName: Information Technology Service (ITS)
    fooEduPSHRDepartmentNumber: 123456
    fooEduEmployeeStatus: Active
    employeeStatus: Active

Looks like
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Hi Alexander,

I am trying to play with your configuration, basically I have a virtual server call auth as your example, and modified my eap.conf for peap to use auth. what's the config:local.MY.realm? My debug showed

    [suffix] Looking up realm foo.edu for User-Name = sd...@foo.edu
    [suffix] Found realm foo.edu
    [suffix] Adding Stripped-User-Name = sding
    [suffix] Adding Realm = foo.edu
    [suffix] Authentication realm is LOCAL.
    ++[suffix] returns ok
    ++? if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}")
    ?? Evaluating (outer.request:EAP-Message) -> TRUE
        expand: local.MY.realm -> local.MY.realm
    WARNING: No such configuration item local.MY.realm
        expand: %{config:local.MY.realm} ->
    ? Evaluating (Realm != "%{config:local.MY.realm}") -> TRUE
    ++? if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") -> TRUE
    ++- entering if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") {...}
        expand: "Realm is '%{Realm}' on Inside" -> Realm is 'foo.edu' on Inside
    +++[outer.reply] returns ok
    +++[reject] returns reject
    ++- if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") returns reject
    } # server auth

Thanks,

Schilling

On Fri, Jan 21, 2011 at 3:49 AM, Alexander Clouter a...@digriz.org.uk wrote:

schilling schilling2...@gmail.com wrote:

Where should I put the perl script? I already have a perl module for another virtual server to use radscript. I also tried unlang in post-auth, like

    if ( "%{User-Name}" =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
        update outer.reply {
            Service-Type = Framed-User
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = facstaff
        }
    }

I cannot recommend more *not* to do your authorisation in the inner tunnel, and instead to pass it back on out. There are a number of reasons, clarity including, but especially you then can make use of the reject path...

Incase it helps, this is what we (a small-medium university in the UK) do.

In our eap block we set (we use TTLS, however it should be the same for PEAP):

    eap {
        ...
        ttls {
            ...
            copy_request_to_tunnel = no
            use_tunneled_reply = yes
            virtual_server = auth
        }
        ...
    }

Then we have a 'auth' virtual server:

    server auth {
        authorize {
            if ((outer.request:EAP-Message)) {
                update outer.request {
                    User-Name := "%{request:User-Name}"
                }
                update reply {
                    User-Name := "%{request:User-Name}"
                }
            }

            validate_username
            suffix

            if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") {
                update outer.reply {
                    Reply-Message := "Realm is '%{Realm}' on Inside"
                }
                reject
            }

            # if the password is passed to us use it, otherwise yank it from LDAP
            if ((outer.request:Cleartext-Password)) {
                update control {
                    Cleartext-Password := "%{outer.request:Cleartext-Password}"
                }
            }
            else {
                ldap-login

                # some accounts are glitched and do not have a UP :(
                if (ok && !(control:Cleartext-Password)) {
                    update outer.reply {
                        Reply-Message := "No eDirectory UP"
                    }
                    reject
                }
            }

            pap
            chap
            mschap

            update reply {
                Auth-Type := "%{control:Auth-Type}"
            }
        }

        authenticate {
            Auth-Type PAP {
                pap
            }
            Auth-Type CHAP {
                chap
            }
            Auth-Type MSCHAP {
                mschap
            }
        }
    }

We are 'blessed' with Novhell, so 'ldap-login' populated Cleartext-Password from eDirectory if present, your approach would be different (the interesting bit is if you set 'request:Cleartext-Password' in your outer layer before calling 'eap', which is a handy hook for a NAGIOS RADIUS hook (letting you test authentication with eapol_test[1] and remove the AD component from the equation.

Once the 'auth' virtual server finishes, you will find in the outer layer for *successful* authentications,
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
On 01/24/2011 08:35 PM, schilling wrote:

Hi Alexander,

I am trying to play with your configuration, basically I have a virtual server call auth as your example, and modified my eap.conf for peap to use auth. what's the config:local.MY.realm? My debug showed

FreeRadius lets you write *any* config hierarchy object, and re-use it elsewhere; in radiusd.conf (or maybe an include) put:

    local {
        MY {
            realm = x.x
        }
    }
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
schilling schilling2...@gmail.com wrote:
> I am trying to play with your configuration, basically I have a virtual server called auth as in your example, and modified my eap.conf for peap to use auth. What's the config:local.MY.realm? My debug showed

Phil pretty much covered it (and in a neater manner I was not aware could be used, but it is obvious now seeing it...). I put all the 'local site' specific details into a single configuration file (including SQL/LDAP binding credentials) so that if I want to give someone a copy of my config, all I have to really do is trim the 'local' file and know I have not leaked anything important.

For example, just after '$INCLUDE clients.conf' in the main radiusd.conf file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file is:

local.MY.hostname = iodine.it.soas.ac.uk
local.MY.addr.v6 = 2001:630:1b:6004:168c:9d91:127f:bb0c
local.MY.addr.v4 = 212.219.138.70
local.MY.realm = soas.ac.uk
local.addr.v6 = 2001:630:1b:1001:624a::15bb
local.addr.v4 = 193.63.73.37
local.test.username = test-username
local.test.password = [ahem]
local.ldap.server.1 = ldap1.soas.ac.uk
local.ldap.server.2 = ldap2.soas.ac.uk
local.ldap.username = cn=cheese,ou=is,o=tasty
local.ldap.password = NOM
local.sql.server = sql.soas.ac.uk
local.sql.username = radius-username
local.sql.password = oh-so-very-secret
local.cert.password = omg-do-not-tell-anyones
[snipped]
$INCLUDE ${confdir}/LOCAL/templates.conf
$INCLUDE ${confdir}/LOCAL/policy.conf
$INCLUDE ${confdir}/LOCAL/proxy.conf
$INCLUDE ${confdir}/LOCAL/clients/

Cheers
-- 
Alexander Clouter
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Thanks a lot. More questions.

> If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

I am trying to follow your comment on this. I now realized we used to run eDir and have now converted to iplanet directory. Anyway, do I still need to enable the compilation --with-edir option as stated below? My guess is yes, since otherwise I could not call ldap in the post-auth section in the auth virtual server for eap.

##etc/raddb/modules/ldap
# Un-comment the following to disable Novell
# eDirectory account policy check and intruder
# detection. This will work *only if* FreeRADIUS is
# configured to build with --with-edir option.
#
#edir_account_policy_check = no

What I want to do is just to check some attribute in our ldap server; our structure is like the following:

# extended LDIF
#
# LDAPv3
# base <ou=people,dc=foo,dc=edu> with scope subtree
# filter: uid=sding
# requesting: ALL
#

# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding

I would like to cache the following attribute/value pairs in your example cache_ldap-userdn.pm, so I can use these values as logic to assign users to different VLANs. Can I do that in your pm?

fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active

Thanks,
Schilling
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
I have the following questions for using perl though. Since I already use LDAP or ntlm_auth for inner-tunnel mschapv0 authentication, will there be any flag set so I can know whether LDAP or ntlm_auth is used for mschapv0 authentication in the perl script? Also, if I need to check ldap/AD for certain attributes in the perl script, do I need to make another call to them via LDAP in the perl module? Where should I put the perl script?

Many Thanks,
Schilling
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
schilling schilling2...@gmail.com wrote:
> Where should I put the perl script? I already have a perl module for another virtual server to use radscript. I also tried unlang in post-auth, like
>
> if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
>     update outer.reply {
>         Service-Type = Framed-User
>         Tunnel-Type = VLAN
>         Tunnel-Medium-Type = IEEE-802
>         Tunnel-Private-Group-Id = facstaff
>     }
> }

I cannot recommend more *not* to do your authorisation in the inner tunnel, and instead to pass it back on out. There are a number of reasons, clarity included, but especially you then can make use of the reject path...

In case it helps, this is what we (a small-medium university in the UK) do. In our eap block we set (we use TTLS, however it should be the same for PEAP):

eap {
    ...
    ttls {
        ...
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = auth
    }
    ...
}

Then we have an 'auth' virtual server:

server auth {
    authorize {
        if ((outer.request:EAP-Message)) {
            update outer.request {
                User-Name := %{request:User-Name}
            }
            update reply {
                User-Name := %{request:User-Name}
            }
        }

        validate_username
        suffix

        if ((outer.request:EAP-Message) && Realm != %{config:local.MY.realm}) {
            update outer.reply {
                Reply-Message := "Realm is '%{Realm}' on Inside"
            }
            reject
        }

        # if the password is passed to us use it, otherwise yank it from LDAP
        if ((outer.request:Cleartext-Password)) {
            update control {
                Cleartext-Password := %{outer.request:Cleartext-Password}
            }
        } else {
            ldap-login

            # some accounts are glitched and do not have a UP :(
            if (ok && !(control:Cleartext-Password)) {
                update outer.reply {
                    Reply-Message := "No eDirectory UP"
                }
                reject
            }
        }

        pap
        chap
        mschap

        update reply {
            Auth-Type := %{control:Auth-Type}
        }
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MSCHAP {
            mschap
        }
    }
}

We are 'blessed' with Novhell, so 'ldap-login' populates Cleartext-Password from eDirectory if present; your approach would be different (the interesting bit is if you set 'request:Cleartext-Password' in your outer layer before calling 'eap', which is a handy hook for a NAGIOS RADIUS hook, letting you test authentication with eapol_test[1] and remove the AD component from the equation). Once the 'auth' virtual server finishes, you will find in the outer layer that for *successful* authentications 'reply:User-Name' is the inner username, whilst for *failure* authentications you want to use 'request:User-Name'.

> I did map something to fooEmployeeStatus in ldap.attrmaps
>
> Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i )
> /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors parsing post-auth section.
>
> How can I reference User-Name in the post-auth section of inner-tunnel?

In your outer post-auth section then I would recommend the following unlang (prime the defaults, and use the attributes to fix up what you want the final result to be):

post-auth {
    ...
    # defaults
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        Tunnel-Private-Group-Id := unauthorised
        Termination-Action := RADIUS-Request
        # Cisco only support a max of 65535
        Session-Timeout := 64800
        Acct-Interim-Interval := 3600
    }

    if ( User-Name =~ /@/ && (fooEmployeeStatus) ) {
        update reply {
            Tunnel-Private-Group-Id := facstaff
        }
    }
    ...
}

If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html
dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Hi All,

The group helped me configure the freeradius server to do mschapv2 against ldap w/ ntPassword if the user signs on with usern...@foo.edu, and to do mschapv2 against AD w/ ntlm if the user just signs on with username. Now I want to go one more step further: passing some attributes back to the NAS. Basically, I want to achieve

If (ldap authorization) {
    if (ldap.employeeStatus = facstaff) {
        REPLY{'Service-Type'} = Framed-User;
        REPLY{'Tunnel-Type'} = VLAN;
        REPLY{'Tunnel-Medium-Type'} = IEEE-802;
        REPLY{'Tunnel-Private-Group-Id'} = facstaff;
    } else {
        # no ldap.employeeStatus attribute or ldap.employeeStatus != facstaff
        REPLY{'Service-Type'} = Framed-User;
        REPLY{'Tunnel-Type'} = VLAN;
        REPLY{'Tunnel-Medium-Type'} = IEEE-802;
        REPLY{'Tunnel-Private-Group-Id'} = student;
    }
} else {
    # ntlm authentication
    REPLY{'Service-Type'} = Framed-User;
    REPLY{'Tunnel-Type'} = VLAN;
    REPLY{'Tunnel-Medium-Type'} = IEEE-802;
    REPLY{'Tunnel-Private-Group-Id'} = facstaff;
}

What's the easiest way to accomplish this? unlang? perl module? Where to start?

Thanks,
Schilling

From: schilling schilling2...@gmail.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Tue, Dec 14, 2010 at 3:14 PM
Subject: Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth, the other one against ldap ntpasswd hash possible?

Got the whole setup working. So basically if users sign on with usern...@foo.edu with eap, they will be sent to ldap w/ ntpassword authorization. If users sign on with username only with eap, they will be sent to active directory w/ ntlm authentication.

Configuration changes are the following:

etc/raddb/proxy.conf, add

realm foo.edu {
}
realm NULL {
}

/etc/raddb/site-enabled/inner-tunnel, at the ldap line in the authorize section, add

switch %{Realm} {
    case foo.edu {
        ldap
        # see /etc/raddb/module/mschap: if ntpassword is available, then do not use
        # NTLM_auth
        update control {
            MS-CHAP-Use-NTLM-Auth := NO
        }
    }
    case NULL {
        mschap
    }
}

etc/raddb/module/mschap and etc/raddb/module/ntlm are all from the integrate with Active Directory howto.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
schilling wrote:
> Basically, I want to achieve
>
> If (ldap authorization) {
>     if (ldap.employeeStatus = facstaff) {
>         REPLY{'Service-Type'} = Framed-User;
>         REPLY{'Tunnel-Type'} = VLAN;
>         REPLY{'Tunnel-Medium-Type'} = IEEE-802;
>         REPLY{'Tunnel-Private-Group-Id'} = facstaff;
>     } else {
>         # no ldap.employeeStatus attribute or ldap.employeeStatus

You can put pretty much that into a Perl script, or into unlang.

> What's the easiest way to accomplish this? unlang? perl module? Where to start?

I'd write a Perl script first.

Alan DeKok.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Where should I put the perl script? I already have a perl module for another virtual server to use radscript. I also tried unlang in post-auth, like

if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
    update outer.reply {
        Service-Type = Framed-User
        Tunnel-Type = VLAN
        Tunnel-Medium-Type = IEEE-802
        Tunnel-Private-Group-Id = facstaff
    }
}

I did map something to fooEmployeeStatus in ldap.attrmaps.

Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i )
/home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors parsing post-auth section.

How can I reference User-Name in the post-auth section of inner-tunnel?

Thanks,
Schilling
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
Hi,

> Where should I put the perl script? I already have a perl module for another virtual server to use radscript. I also tried unlang in post-auth, like
>
> if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
>     update outer.reply {
>         Service-Type = Framed-User
>         Tunnel-Type = VLAN
>         Tunnel-Medium-Type = IEEE-802
>         Tunnel-Private-Group-Id = facstaff
>     }
> }

if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {

Encase in quotes; don't have it bare, as per the debug error.

alan
Dynamic VLAN assignment on NAS
Hi the list,

I'm sure this is a NAS question, not a Freeradius question. But perhaps somebody on the list has experienced this issue. Here is my problem. I set up:
- A Freeradius configuration EAP/PEAP with user credentials stored in an LDAP directory.
- A NAS zcomax ag3621 wireless access point with VLAN 802.1q support.

On this access point, I have one SSID associated by default with guest VLAN 30, meaning that if a user fails authentication, he will still be connected but on this VLAN with reduced privileges. However radius returns the following Access-Accept packet to my NAS:

Sending Access-Accept of id 81 to 192.168.32.88 port 1032
        Tunnel-Private-Group-Id:0 = 60
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        User-Name = user1

The access point just puts user1 on VLAN 30. My NAS ignores the VLAN ID 60 (Tunnel-Private-Group-Id:0 = 60) contained in the Access-Accept. I tried with two different models of access point (zcomax and cisco).

My question: Is there a particular config to do to ask the NAS to consider the VLAN ID contained in the Access-Accept packet?

Thanks for your answers
Re: Dynamic VLAN assignment on NAS
Attou eric wrote:
> The access point just puts user1 on VLAN 30. My NAS ignores the VLAN ID 60 (Tunnel-Private-Group-Id:0 = 60)

Then the NAS is broken.

> contained in the Access-Accept. I tried with two different models of access point (zcomax and cisco). My question: Is there a particular config to do to ask the NAS to consider the VLAN ID contained in the Access-Accept packet?

See the NAS documentation.

Alan DeKok.
Dynamic VLAN Assignment based on a certificate, not a user.
Hello! Some time ago Alan mentioned that the new 2.1.10 version will support such a thing. However, I can't seem to find it in the docs. Can anyone shed some light on how that can be done with the new functionality?
Re: Dynamic VLAN Assignment based on a certificate, not a user.
Бисер Миланов wrote:
> Hello! Some time ago Alan mentioned that the new 2.1.10 version will support such a thing. However, I can't seem to find it in the docs. Can anyone shed some light on how that can be done with the new functionality?

Read the ChangeLog. There are new attributes which contain information from the certificate. Use those as part of a policy to determine VLAN assignment.

Alan DeKok.
Re: problems with dynamic vlan assignment
> [ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
> [ldap] ldap_get_conn: Checking Id: 0
> [ldap] ldap_get_conn: Got Id: 0
> [ldap] attempting LDAP reconnection
> [ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
> [ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to ldapdev.int-evry.fr:389
> [ldap] waiting for bind result ...
> [ldap] Bind was successful
> [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
> [ldap] looking for check items in directory...
> [ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
> [ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
> [ldap] looking for reply items in directory...
> [ldap] eduPersonPrimaryAffiliation -> User-Category = employee

Two issues; first, as above you're adding the User-Category item from LDAP into the reply list, but the files syntax doesn't (can't) match items in the reply list. This:

DEFAULT User-Category == employee

means "match all requests with the attribute User-Category == employee in the *request* items".

Secondly, I think you're running LDAP after files, so even if it could match, it would not.

Try something like this in sites-available/inner-tunnel:

authorize {
    ...
    ldap
    if (reply:User-Category == employee) {
        update reply {
            Tunnel-Private-Group-Id := 1234
        }
    }
    elsif (reply:User-Category == ...) {
    }
}

Or, modify your ldap.attrmap to put the User-Category into the request items (assuming your NAS doesn't need it) then move the files module after the ldap one.
Re: problems with dynamic vlan assignment
Thanks for your reply. Here is what I did: in the ldap.attrmap I put

checkItem User-Category eduPersonPrimaryAffiliation

In the users file I did

DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

DEFAULT User-Category == student
        Reply-Message = "Your a member of the student Group",
        Tunnel-Private-Group-Id = 902

DEFAULT User-Category == employee
        Reply-Message = "Your a member of the employee Group",
        Tunnel-Private-Group-Id = 903

In the inner-tunnel file I have

authorize {
    chap
    mschap
    unix
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    ldap
    files
    expiration
    logintime
    pap
}

I got the following logs:

[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for doutrele
[ldap] expand: %{Stripped-User-Name} -> doutrele
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele)
[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category == employee
[ldap] sambaNtPassword -> NT-Password == 0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password == 0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user doutrele authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
..

The line 166 in my users file is this one:

DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

and I don't match the following entry:

DEFAULT User-Category == employee
        Reply-Message = "Your a member of the employee Group",
        Tunnel-Private-Group-Id = 903

and I really don't know why.
Re: problems with dynamic vlan assignment
Hi Alexander,

On 16/09/2010 00:31, Alexander Clouter wrote:
> Remember that the 'inner-auth' virtual server is a *unique* instance to your outer layer so 'User-Category' might be defined but only on the outside whilst it looks like you are calling 'files' *inside*.
>
> Cheers

Well, I understand what you mean but I have some difficulties translating that into my configuration file. Yes, I have in my inner-tunnel file the lines

authorize {
    chap
    mschap
    unix
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    ldap
    files
    expiration
    logintime
    pap
}

but how can I call it outside? I'm a bit lost.
Re: problems with dynamic vlan assignment
Well, I thought I had found the answer; I'm not sure if it's the right way to do it. In the peap section of the eap file I had

use_tunneled_reply = yes
Re: problems with dynamic vlan assignment
On 16/09/10 10:16, Eric Doutreleau wrote:
> Thanks for your reply. Here is what I did: in the ldap.attrmap I put
>
> checkItem User-Category eduPersonPrimaryAffiliation

checkItem means "put the attribute into the check/config items list". Looking at the source code, I see that rlm_ldap can't update the request item list.

> In the users file I did
>
> DEFAULT
>         Tunnel-Type := VLAN,
>         Tunnel-Medium-Type := IEEE-802,
>         Tunnel-Private-Group-Id = 901,
>         Fall-Through = Yes
>
> DEFAULT User-Category == student
>         Reply-Message = "Your a member of the student Group",
>         Tunnel-Private-Group-Id = 902

This means "match User-Category in the request items list", which is not the list you've put it in.

files syntax cannot do comparisons against check/config or reply items, and LDAP can only put items into check/config or reply. You will therefore have to use an unlang syntax as per my previous email:

authorize {
    ...
    ldap
    if (control:User-Category == ...) {
        ...
    }
}
Re: problems with dynamic vlan assignment
Thanks Phil, that's what I will do.
Re: problems with dynamic vlan assignment
Hi,

> vlan assignment based on vlan. Here is what I have in my users file
>
> DEFAULT User-Category == student
>         Reply-Message = "Your a member of the student Group",
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 902,
>         Fall-Through = No
>
> DEFAULT User-Category == employee
>         Reply-Message = "Your a member of the employee Group",
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 903,
>         Fall-Through = No

Your example was employee, which is the second on this list. Just a hunch, but I think you need to have Fall-Through = Yes for DEFAULT entries to fall through to other DEFAULT options. The doc:

# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.

alan
Re: problems with dynamic vlan assignment
Eric Doutreleau eric.doutrel...@it-sudparis.eu wrote:
> I'm using freeradius 2.1.9 and I have some problems with making dynamic vlan assignment based on vlan. Here is what I have in my users file
>
> DEFAULT User-Category == student
>         Reply-Message = "Your a member of the student Group",
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 902,
>         Fall-Through = No
>
> DEFAULT User-Category == employee
>         Reply-Message = "Your a member of the employee Group",
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 903,
>         Fall-Through = No

Eugh, do not do this, use the following sort of thing instead:

# 901 = 'unauthorised'
DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

# 902 = 'student'
DEFAULT User-Category == student
        Tunnel-Private-Group-Id = 902

# 903 = 'employee'
DEFAULT User-Category == employee
        Tunnel-Private-Group-Id = 903

> But as you can see in the following debug file my user is authenticated, his radius item User-Category is employee, but he never gets the vlan attributes in the request

Looks like you need to flip the order of 'files' and 'eap' around, as it is your eap (from the PEAP method) module that sets 'User-Category' however you are calling 'files' *before* User-Category is set.

Remember that the 'inner-auth' virtual server is a *unique* instance to your outer layer so 'User-Category' might be defined but only on the outside whilst it looks like you are calling 'files' *inside*.

Cheers
-- 
Alexander Clouter
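Phil's point that a users-file check item is compared against the request list (not the control list that rlm_ldap's checkItem fills), together with the Fall-Through and "DEFAULT never overrides an existing pair" behaviour quoted from the doc above, as an added Python model. This is example code, not from the list posts or from FreeRADIUS: it models only '==' check items, the '=' and ':=' reply operators and Fall-Through, and the request dictionaries are constructed.

```python
# Added example, not code from the list or from FreeRADIUS: a small model of how
# the 'files' module walks 'users' entries.  Assumptions (labelled): only '=='
# check items, only the '=' and ':=' reply operators, and Fall-Through are
# modelled; the request dictionaries are constructed, not captured.


class Entry:
    """One 'users' entry: a name (DEFAULT or a username), check items that are
    compared against the *request* list, and reply items with an operator."""

    def __init__(self, name, checks, replies, fall_through=False):
        self.name = name
        self.checks = checks            # [(attribute, value)], matched with ==
        self.replies = replies          # [(attribute, operator, value)]
        self.fall_through = fall_through

    def matches(self, request):
        if self.name != "DEFAULT" and request.get("User-Name") != self.name:
            return False
        # Check items look only at the request list.  An attribute that
        # rlm_ldap put in control (checkItem) or reply (replyItem) is not here.
        return all(request.get(attr) == value for attr, value in self.checks)


def apply_users(entries, request):
    """Return (indexes of matched entries, reply list) for one request.

    Processing stops after the first matching entry unless it carries
    Fall-Through = Yes.  '=' adds an attribute only when it is not already
    present, ':=' overwrites.
    """
    reply = {}
    matched = []
    for index, entry in enumerate(entries):
        if not entry.matches(request):
            continue
        matched.append(index)
        for attr, op, value in entry.replies:
            if op == ":=":
                reply[attr] = value
            elif op == "=":
                reply.setdefault(attr, value)
            else:
                raise ValueError("operator %r is not modelled" % op)
        if not entry.fall_through:
            break
    return matched, reply


def fall_through_no_entries():
    """The first layout in the thread: two conditional DEFAULTs, each with
    Fall-Through = No and its own full Tunnel-* set."""
    def vlan(group_id):
        return [("Tunnel-Type", "=", "VLAN"),
                ("Tunnel-Medium-Type", "=", "IEEE-802"),
                ("Tunnel-Private-Group-Id", "=", group_id)]
    return [
        Entry("DEFAULT", [("User-Category", "student")], vlan("902")),
        Entry("DEFAULT", [("User-Category", "employee")], vlan("903")),
    ]


def layered_entries(op):
    """The layout suggested in the thread: an unconditional DEFAULT that sets
    the defaults (901 = unauthorised) and falls through, then per-category
    DEFAULTs that change only Tunnel-Private-Group-Id, using operator `op`."""
    return [
        Entry("DEFAULT", [], [("Tunnel-Type", ":=", "VLAN"),
                              ("Tunnel-Medium-Type", ":=", "IEEE-802"),
                              ("Tunnel-Private-Group-Id", "=", "901")],
              fall_through=True),
        Entry("DEFAULT", [("User-Category", "student")],
              [("Tunnel-Private-Group-Id", op, "902")]),
        Entry("DEFAULT", [("User-Category", "employee")],
              [("Tunnel-Private-Group-Id", op, "903")]),
    ]


# Constructed requests.  With 'checkItem User-Category ...' in ldap.attrmap the
# attribute lands in the control list, so the request list never carries it.
REQUEST_CATEGORY_IN_CONTROL = {"User-Name": "doutrele"}
REQUEST_CATEGORY_IN_REQUEST = {"User-Name": "doutrele", "User-Category": "employee"}


if __name__ == "__main__":
    print("Fall-Through = No, category in control:",
          apply_users(fall_through_no_entries(), REQUEST_CATEGORY_IN_CONTROL))
    for op in ("=", ":="):
        for request in (REQUEST_CATEGORY_IN_CONTROL, REQUEST_CATEGORY_IN_REQUEST):
            print("layered, op %s, %s:" % (op, request),
                  apply_users(layered_entries(op), request))
```

Run with the category only in control and nothing matches; run with it in the request and the per-category entry matches, but the VLAN id only changes when the entry uses ':='.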
RE: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!
> Thank you very much for your help! Now it works beautifully! My next step is to integrate FreeRadius with my Windows domain to use Windows AD for authentication. I am sure I will have more questions for you guys!

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik
RE: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!
Hey Ivan,

Thank you very much for your help! Now it works beautifully! My next step is to integrate FreeRadius with my Windows domain to use Windows AD for authentication. I am sure I will have more questions for you guys!

Thank you!

Difan Zhao
Guest-tek
Re: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!
> I have figured out how to configure attributes. Here is my user file:
>
> test    Cleartext-Password := test
>         Tunnel-Type = 16777229,
>         Tunnel-Medium-Type = 16777222,
>         Tunnel-Private-Group-ID = 3
>
> When I use MD5-Challenge, I get put in the right VLAN. However, if I choose PEAP, I can be authenticated but the VLAN thing won't work. I checked the radiusd -X output very carefully and I don't see the server sending any attributes, as it did when MD5 is used... I chose different types of authentication on the Windows box. It seems I don't have to change any configuration on the RADIUS server for both authentications to work. I will attach the radiusd -X output for both types.

You have those attributes in the tunneled reply. You should enable use_tunneled_reply in the peap section of eap.conf.

Ivan Kalik
Unreliable Dynamic VLAN Assignment?
Hi,

We're having a bit of a problem with FreeRADIUS not always including VLAN information in Access-Accept packets; I've not yet been able to establish what the cause is, so I thought I'd throw it out to the list in case it's something others have come across. Needless to say, our testing through the summer had not highlighted this issue, but now that we have 3000 students trying to connect it's become apparent.

A bit of info: we're seeing this issue in both FR 2.1.1 and 2.1.7, and our NASes are Cisco WiSM. Users' VLAN info is stored in the SQL usergroup table. I have an sql.authorize statement in the post-auth section of both the default (outer) and inner-tunnel config files.

Initially I thought it was only clients with an anonymised outer identity that were having this issue, which seemed plausible as the sql.authorize in default would see the outer identity and fail to find it in SQL (though that wouldn't explain why it works sometimes); but it appears not to be just these users, as we're now seeing users who are not using anonymous outer identities having the same issue.

Another thought was that fast reauthentication could be the issue, in that somehow a fast-reauth request was not doing a post-auth sql.authorize and therefore not sending back the VLAN info?

I fully expect it's a config issue, but any insight would be gratefully received. Currently I do not have CCKM enabled on the controllers, but for some time I have been considering enabling this to take some load off RADIUS, and also wondered if it would help this current problem. Is there anything to be wary of with CCKM?

Many thanks,
Jezz Palmer.
Re: Cisco Aironet 1130ag dynamic VLAN assignment
> The full log may be viewed at: http://dpaste.com/112610/
> Also, I have posted my eap.conf here: http://dpaste.com/112615/
> and radius.conf here: http://dpaste.com/112616/
> and I don't think anyone would need it, but here is clients.conf as well: http://dpaste.com/112618/

You have posted everything apart from the most important thing - radiusd -X debug. I can see those tunnel attributes on Cisco debug but not in the Access-Accept packet (the one with MPPE keys).

Ivan Kalik
Kalik Informatika ISP
Re: Cisco Aironet 1130ag dynamic VLAN assignment
Here is the output of a client associating immediately after the server starts: http://dpaste.com/112843/

Also, I am new to IOS, and there was no debug aaa on command. If you look closely at the top of the file I previously posted, I turned on about half of the options I thought relevant to debugging aaa. I don't know if this would have an effect on showing what was relevant.

I really appreciate the help everyone has given thus far.

-William

On Sun, Jan 25, 2009 at 04:23, t...@kalik.net wrote:
>> The full log may be viewed at: http://dpaste.com/112610/
>> Also, I have posted my eap.conf here: http://dpaste.com/112615/
>> and radius.conf here: http://dpaste.com/112616/
>> and I don't think anyone would need it, but here is clients.conf as well: http://dpaste.com/112618/
>
> You have posted everything apart from the most important thing - radiusd -X debug. I can see those tunnel attributes on Cisco debug but not in the Access-Accept packet (the one with MPPE keys).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Cisco Aironet 1130ag dynamic VLAN assignment
William Graeber wrote:
> Here is the output of a client associating immediately after the server starts: http://dpaste.com/112843/

You're not assigning the attributes that tell the server to put the user into a VLAN. Are you using the *default* configuration files in 2.0.5? It looks like you're not, because editing the users file *should* get it to work.

It looks like you need to either:

- set use_tunneled_reply = yes in eap.conf, peap{} sub-section
- add the set VLAN configuration to the post-auth section.

Alan DeKok.
Re: Cisco Aironet 1130ag dynamic VLAN assignment
I have modified eap.conf and added use_tunneled_reply = yes in the peap section. I have previously tried this, and obtained the same results. Whenever a client tries to login, they get cycled from authenticating/connecting very quickly. I've posted an example output from a radius debug: http://dpaste.com/112927/

Could you expand on the set VLAN option in the post-auth section? I have looked around a bit, but haven't found much of use.

Also, I may try a vanilla install of FreeRADIUS, as I'm using the packaged version from the OpenBSD ports tree. There are a few config discrepancies, and I don't understand enough to know how they are having an effect.

Thanks again,
-William

On Sun, Jan 25, 2009 at 12:03, Alan DeKok al...@deployingradius.com wrote:
> William Graeber wrote:
>> Here is the output of a client associating immediately after the server starts: http://dpaste.com/112843/
>
> You're not assigning the attributes that tell the server to put the user into a VLAN. Are you using the *default* configuration files in 2.0.5? It looks like you're not, because editing the users file *should* get it to work.
>
> It looks like you need to either:
>
> - set use_tunneled_reply = yes in eap.conf, peap{} sub-section
> - add the set VLAN configuration to the post-auth section.
>
> Alan DeKok.
Re: Cisco Aironet 1130ag dynamic VLAN assignment
> I have modified eap.conf and added use_tunneled_reply = yes in the peap section. I have previously tried this, and obtained the same results. Whenever a client tries to login, they get cycled from authenticating/connecting very quickly. I've posted an example output from a radius debug: http://dpaste.com/112927/

You are getting an Access-Accept with VLAN attributes now:

Sending Access-Accept of id 199 to 10.0.0.254 port 1645
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        Tunnel-Private-Group-Id:0 = 100
        User-Name = wgraeber
        MS-MPPE-Recv-Key = 0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d25284607bb4c52ab58f1
        MS-MPPE-Send-Key = 0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f58559d26a1100bfb
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x

But the AP is unhappy. Do debug dot11 aaa and see what it is complaining about. It's missing something (probably Service-Type).

Ivan Kalik
Kalik Informatika ISP
Re: Cisco Aironet 1130ag dynamic VLAN assignment
Here is the output of Cisco debugging with use_tunneled_reply = yes: http://dpaste.com/113022/

Again, I really appreciate your help.

-William

On Sun, Jan 25, 2009 at 18:29, t...@kalik.net wrote:
>> I have modified eap.conf and added use_tunneled_reply = yes in the peap section. I have previously tried this, and obtained the same results. Whenever a client tries to login, they get cycled from authenticating/connecting very quickly. I've posted an example output from a radius debug: http://dpaste.com/112927/
>
> You are getting an Access-Accept with VLAN attributes now:
>
> Sending Access-Accept of id 199 to 10.0.0.254 port 1645
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Type:0 = VLAN
>         Tunnel-Private-Group-Id:0 = 100
>         User-Name = wgraeber
>         MS-MPPE-Recv-Key = 0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d25284607bb4c52ab58f1
>         MS-MPPE-Send-Key = 0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f58559d26a1100bfb
>         EAP-Message = 0x030a0004
>         Message-Authenticator = 0x
>
> But the AP is unhappy. Do debug dot11 aaa and see what it is complaining about. It's missing something (probably Service-Type).
>
> Ivan Kalik
> Kalik Informatika ISP
Re: Cisco Aironet 1130ag dynamic VLAN assignment
I may have solved my own problem - I have contradicting encryption settings for each VLAN on the Cisco access point. I was testing the setup by bumping the user from VLAN 200 (WPA required) to VLAN 100 (open access). I'll give this a shot and post my results.

-William

On Sun, Jan 25, 2009 at 22:14, William Graeber swi...@swilly.tk wrote:
> Here is the output of Cisco debugging with use_tunneled_reply = yes: http://dpaste.com/113022/
>
> Again, I really appreciate your help.
>
> -William
>
> On Sun, Jan 25, 2009 at 18:29, t...@kalik.net wrote:
>>> I have modified eap.conf and added use_tunneled_reply = yes in the peap section. I have previously tried this, and obtained the same results. Whenever a client tries to login, they get cycled from authenticating/connecting very quickly. I've posted an example output from a radius debug: http://dpaste.com/112927/
>>
>> You are getting an Access-Accept with VLAN attributes now:
>>
>> Sending Access-Accept of id 199 to 10.0.0.254 port 1645
>>         Tunnel-Medium-Type:0 = IEEE-802
>>         Tunnel-Type:0 = VLAN
>>         Tunnel-Private-Group-Id:0 = 100
>>         User-Name = wgraeber
>>         MS-MPPE-Recv-Key = 0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d25284607bb4c52ab58f1
>>         MS-MPPE-Send-Key = 0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f58559d26a1100bfb
>>         EAP-Message = 0x030a0004
>>         Message-Authenticator = 0x
>>
>> But the AP is unhappy. Do debug dot11 aaa and see what it is complaining about. It's missing something (probably Service-Type).
>>
>> Ivan Kalik
>> Kalik Informatika ISP

--
William M. Graeber
Furman University
PMB 27335
3300 Poinsett Highway
Greenville, SC 29613
864 905 9533 (Mobile)
Re: Cisco Aironet 1130ag dynamic VLAN assignment
I have resolved the issue. I created a new VLAN with matching encryption settings to the default VLAN. Thank you all for helping! I have become much more familiar with the Cisco debugging procedure in the process.

-William
Re: Cisco Aironet 1130ag dynamic VLAN assignment
Tom was correct, and I have changed the Tunnel-Medium-Type to 6. The corresponding radtest output shows it is correctly translated to IEEE-802. However, I am still not bumped into the correct VLAN. In the Cisco debug logs, I see these lines:

*Mar 1 00:09:30.630: AAA/ATTR(): add attr: 0125E6C0 0 0001 tunnel-medium-type(336) 4 ALL_802
*Mar 1 00:09:30.630: AAA/ATTR(): add attr: 0125E6D4 0 0001 tunnel-type(344) 4 VLAN
*Mar 1 00:09:30.630: AAA/ATTR(): add attr: 0125E6E8 0 0009 tunnel-private-group-id(297) 3 100
*Mar 1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6C0 0 0001 tunnel-medium-type(336) 4 ALL_802
*Mar 1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6D4 0 0001 tunnel-type(344) 4 VLAN
*Mar 1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6E8 0 0009 tunnel-private-group-id(297) 3 100

The full log may be viewed at: http://dpaste.com/112610/
Also, I have posted my eap.conf here: http://dpaste.com/112615/
and radius.conf here: http://dpaste.com/112616/
and I don't think anyone would need it, but here is clients.conf as well: http://dpaste.com/112618/

I am using FreeRADIUS version 2.0.5 on OpenBSD 4.4. I'm sure that there is something simple that I am missing, but I'm new to both the RADIUS protocol and Cisco access points. I luckily was able to score several 1130ag's cheap for personal use during an auction from the presidential campaign.

Thanks again,
William

On Fri, Jan 23, 2009 at 11:30, t...@kalik.net wrote:
>> I have been having trouble recently with getting dynamic VLAN assignment working on my Cisco AP. Clients are successfully authenticating with FreeRADIUS. However, they do not seem to be picking up extra attributes from the users file (below is the relevant portion of it).
>>
>> wgraeber   NT-Password := XXX
>>            Tunnel-Type = VLAN,
>>            Tunnel-Medium-Type = 802,
>>            Tunnel-Private-Group-ID = 100
>>
>> The users are just directed to their original VLAN instead of this portion overriding it. When I try to authenticate to the access point with radtest, I get the following output:
>>
>> # radtest wgraeber XXX 127.0.0.1 10 XXX
>> Sending Access-Request of id 42 to 127.0.0.1 port 1812
>>         User-Name = wgraeber
>>         User-Password = XXX
>>         NAS-IP-Address = 127.0.0.1
>>         NAS-Port = 10
>> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
>>         Tunnel-Type:0 = VLAN
>>         Tunnel-Medium-Type:0 = 802
>>         Tunnel-Private-Group-Id:0 = 100
>>
>> Furthermore, I see the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id attributes in the console when actually authenticating and watching the output of radiusd -X on another machine. The access point *should* support this out of the box according to the Cisco specs. This is my first FreeRADIUS implementation, so I don't know if I'm missing any magic options.
>
> You have done what you were supposed to on freeradius. Do debug aaa on Cisco and see what has happened to the attributes.
>
> Ivan Kalik
> Kalik Informatika ISP
Cisco Aironet 1130ag dynamic VLAN assignment
I have been having trouble recently with getting dynamic VLAN assignment working on my Cisco AP. Clients are successfully authenticating with FreeRADIUS. However, they do not seem to be picking up extra attributes from the users file (below is the relevant portion of it).

wgraeber   NT-Password := XXX
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = 802,
           Tunnel-Private-Group-ID = 100

The users are just directed to their original VLAN instead of this portion overriding it. When I try to authenticate to the access point with radtest, I get the following output:

# radtest wgraeber XXX 127.0.0.1 10 XXX
Sending Access-Request of id 42 to 127.0.0.1 port 1812
        User-Name = wgraeber
        User-Password = XXX
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = 100

Furthermore, I see the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id attributes in the console when actually authenticating and watching the output of radiusd -X on another machine. The access point *should* support this out of the box according to the Cisco specs. This is my first FreeRADIUS implementation, so I don't know if I'm missing any magic options. Also, I have searched the archives and tried several suggestions to no avail (in eap.conf, copy_request_to_tunnel and use_tunneled_reply under the PEAP segment). I will happily post more configuration options / debug info if needed.

Thanks in advance,
William
Re: Cisco Aironet 1130ag dynamic VLAN assignment
Hi,

> I have been having trouble recently with getting dynamic VLAN assignment working on my Cisco AP. Clients are successfully authenticating with FreeRADIUS. However, they do not seem to be picking up extra attributes from the users file (below is the relevant portion of it).
>
> wgraeber   NT-Password := XXX
>            Tunnel-Type = VLAN,
>            Tunnel-Medium-Type = 802,
>            Tunnel-Private-Group-ID = 100

those are the attributes you want.

Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = 100

a slight difference.

alan
Re: Cisco Aironet 1130ag dynamic VLAN assignment
> I have been having trouble recently with getting dynamic VLAN assignment working on my Cisco AP. Clients are successfully authenticating with FreeRADIUS. However, they do not seem to be picking up extra attributes from the users file (below is the relevant portion of it).
>
> wgraeber   NT-Password := XXX
>            Tunnel-Type = VLAN,
>            Tunnel-Medium-Type = 802,
>            Tunnel-Private-Group-ID = 100
>
> The users are just directed to their original VLAN instead of this portion overriding it. When I try to authenticate to the access point with radtest, I get the following output:
>
> # radtest wgraeber XXX 127.0.0.1 10 XXX
> Sending Access-Request of id 42 to 127.0.0.1 port 1812
>         User-Name = wgraeber
>         User-Password = XXX
>         NAS-IP-Address = 127.0.0.1
>         NAS-Port = 10
> rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = 802
>         Tunnel-Private-Group-Id:0 = 100
>
> Furthermore, I see the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id attributes in the console when actually authenticating and watching the output of radiusd -X on another machine. The access point *should* support this out of the box according to the Cisco specs. This is my first FreeRADIUS implementation, so I don't know if I'm missing any magic options.

You have done what you were supposed to on freeradius. Do debug aaa on Cisco and see what has happened to the attributes.

Ivan Kalik
Kalik Informatika ISP
Re: Cisco Aironet 1130ag dynamic VLAN assignment
> Date: Fri, 23 Jan 2009 11:16:55 -0500
> From: William Graeber swi...@swilly.tk
> Subject: Cisco Aironet 1130ag dynamic VLAN assignment
> To: freeradius-users@lists.freeradius.org
> Message-ID: 1d7de5e60901230816j64dec24dhe90883e276e48...@mail.gmail.com
> Content-Type: text/plain; charset=UTF-8
>
> I have been having trouble recently with getting dynamic VLAN assignment working on my Cisco AP. Clients are successfully authenticating with FreeRADIUS. However, they do not seem to be picking up extra attributes from the users file (below is the relevant portion of it).
>
> wgraeber   NT-Password := XXX
>            Tunnel-Type = VLAN,
>            Tunnel-Medium-Type = 802,
>            Tunnel-Private-Group-ID = 100

Tunnel-Medium-Type = IEEE-802,
                     ^
This gets looked up in the dictionaries and the corresponding value sent in the message (in this case 6, I believe).

Tom
Re: Dell 6248 and Dynamic VLAN Assignment
Talk to the vendor?

Sent from my iPhone

On 31 Oct 2008, at 01:20, Luke [EMAIL PROTECTED] wrote:
> Hi :)
>
> I'm trying to get dynamic VLAN assignment to work with my Dell 6248, which they officially support as of firmware revision 2.1.0.13. I'm using freeradius version 2.1.1
>
> I think I'm sending the information the correct way from freeradius, to wit:
>
> DEFAULT Auth-Type == MS-CHAP
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 802,
>         Tunnel-Private-Group-ID = 3
>
> (this is in my users file)
>
> When watching the debug output from radiusd -X, I can see it sending these messages back to the Dell switch. However, the dell switch is not correctly assigning the VLAN.
>
> The information from the release notes from Dell is as follows:
>
> 802.1x Option 81
>
> The Tunnel Attribute indicates the tunneling protocol to be used or the tunneling protocol in use at the Authenticator. In particular, it may be desirable to allow a supplicant (MAC based) or port (Port Based) to be placed into a particular Virtual LAN (VLAN) based on the result of the authentication. To achieve the distribution of the VLAN id to the supplicant, the tunnel attribute can be used. For use in VLAN assignment, the following tunnel attributes are used:
>
> Tunnel-Type=VLAN (13)
> Tunnel-Medium-Type=802
> Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a value between 1 and 4093.
>
> The NAS-IP Attribute indicates the identifying IP Address of the NAS (Switch or Access Point) which is requesting authentication of the user, and should be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet.
>
> I can see from my Dell switch that this stuff is enabled, but for some reason it's still not setting the VLAN.
>
> Does anyone have any suggestions?
>
> Thanks.
Re: Dell 6248 and Dynamic VLAN Assignment
Dictionary value for that Tunnel-Medium-Type is IEEE-802.

Ivan Kalik
Kalik Informatika ISP

On 31/10/2008, Luke [EMAIL PROTECTED] wrote:
> Hi :)
>
> I'm trying to get dynamic VLAN assignment to work with my Dell 6248, which they officially support as of firmware revision 2.1.0.13. I'm using freeradius version 2.1.1
>
> I think I'm sending the information the correct way from freeradius, to wit:
>
> DEFAULT Auth-Type == MS-CHAP
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 802,
>         Tunnel-Private-Group-ID = 3
>
> (this is in my users file)
>
> When watching the debug output from radiusd -X, I can see it sending these messages back to the Dell switch. However, the dell switch is not correctly assigning the VLAN.
>
> The information from the release notes from Dell is as follows:
>
> 802.1x Option 81
>
> The Tunnel Attribute indicates the tunneling protocol to be used or the tunneling protocol in use at the Authenticator. In particular, it may be desirable to allow a supplicant (MAC based) or port (Port Based) to be placed into a particular Virtual LAN (VLAN) based on the result of the authentication. To achieve the distribution of the VLAN id to the supplicant, the tunnel attribute can be used. For use in VLAN assignment, the following tunnel attributes are used:
>
> Tunnel-Type=VLAN (13)
> Tunnel-Medium-Type=802
> Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a value between 1 and 4093.
>
> The NAS-IP Attribute indicates the identifying IP Address of the NAS (Switch or Access Point) which is requesting authentication of the user, and should be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet.
>
> I can see from my Dell switch that this stuff is enabled, but for some reason it's still not setting the VLAN.
>
> Does anyone have any suggestions?
>
> Thanks.
Dell 6248 and Dynamic VLAN Assignment
Hi :)

I'm trying to get dynamic VLAN assignment to work with my Dell 6248, which they officially support as of firmware revision 2.1.0.13. I'm using freeradius version 2.1.1

I think I'm sending the information the correct way from freeradius, to wit:

DEFAULT Auth-Type == MS-CHAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 3

(this is in my users file)

When watching the debug output from radiusd -X, I can see it sending these messages back to the Dell switch. However, the dell switch is not correctly assigning the VLAN.

The information from the release notes from Dell is as follows:

802.1x Option 81

The Tunnel Attribute indicates the tunneling protocol to be used or the tunneling protocol in use at the Authenticator. In particular, it may be desirable to allow a supplicant (MAC based) or port (Port Based) to be placed into a particular Virtual LAN (VLAN) based on the result of the authentication. To achieve the distribution of the VLAN id to the supplicant, the tunnel attribute can be used. For use in VLAN assignment, the following tunnel attributes are used:

Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a value between 1 and 4093.

The NAS-IP Attribute indicates the identifying IP Address of the NAS (Switch or Access Point) which is requesting authentication of the user, and should be unique to the NAS within the scope of the RADIUS server. NAS-IP-Address is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier must be present in an Access-Request packet.

I can see from my Dell switch that this stuff is enabled, but for some reason it's still not setting the VLAN.

Does anyone have any suggestions?

Thanks.
Re: unlang to overcome cisco zero tag issue and for dynamic vlan assignment
[EMAIL PROTECTED] wrote:
> We'd like to set up the following: A workstation is booted, the supplicant asks for the credentials, the cisco switch passes the credentials to a freeradius server, freeradius authenticates the user to an eDirectory LDAP server, freeradius decides which Tunnel-Private-Group-Id to send back to the switch to place the user into the correct VLAN.
>
> The authentication/authorization works fine. The cisco switch accepts the returned VLAN info if we hard code it into the users file such as with:
>
> DEFAULT Tunnel-Private-Group-ID:1 := 901
>         Tunnel-Type:1 = VLAN,
>         Tunnel-Medium-Type:1 = IEEE-802
>
> We attempted to make the configuration more generic by setting Tunnel-Private-Group-ID equal to an LDAP attribute in ldap.attrmap. This would automatically associate the VLAN ID w/ the user.
>
> replyItem Tunnel-Private-Group-ID ourldapattribforthevlan
>
> That didn't work because freeradius wasn't associating a tag with the attribute (or was setting it to zero) when responding to the switch. A wireshark capture confirmed the 0 tag. We attempted to add a :1 after Tunnel-Private-Group-ID, but that didn't pan out either.
>
> We then attempted to use unlang in the users file to accomplish the same thing.

unlang doesn't live in the users file; it lives in the config file, like so:

server {
        authorize {
                preprocess
                ldap
                update reply {
                        Tunnel-Private-Group-Id:1 := %{reply:Tunnel-Client-Endpoint}
                }
        }
}

> (Tunnel-Client-Endpoint was added to ldap.attrmap as a dummy variable to hold the 'ourldapattribforthevlan' from LDAP)
>
> DEFAULT Tunnel-Private-Group-ID:1 := `%{reply:Tunnel-Client-Endpoint}`,
>         Tunnel-Type:1 = VLAN,
>         Tunnel-Medium-Type:1 = IEEE-802

This isn't unlang - it's just a plain files module entry.

> With this configuration, we tried countless combinations of backticks, single quotes, and double quotes. The best response we could send back to the switch was:
>
> Tunnel-Type:1 = VLAN
> Tunnel-Medium-Type:1 = IEEE-802
> Tunnel-Private-Group-Id:1 =

It looks to me like the files module was running before the ldap module.

> Has anyone else come across the issue with Cisco not dealing w/ 0 tags?

I have not. RFC2868 seems pretty clear that a 0 tag is permitted. I've used vlan assignment with a cisco (formerly Airespace) WiSM and it will take a 0 tag. What platform IOS version are you on?

> Is there a way to use unlang to pull in the variables to be used in the users file?

As I say, unlang doesn't run in the users file - think of it as conditional branching and so forth for the config file.

> Thank you for taking the time to read this. After a couple of days of searching, we still haven't come up w/ the correct search terms for google.
>
> Thank you,
> Mike Coles
>
> --
> This message was sent on behalf of [EMAIL PROTECTED] at openSubscriber.com
> http://www.opensubscriber.com/messages/freeradius-users@lists.freeradius.org/topic.html
unlang to overcome cisco zero tag issue and for dynamic vlan assignment
We'd like to set up the following: A workstation is booted, the supplicant asks for the credentials, the cisco switch passes the credentials to a freeradius server, freeradius authenticates the user to an eDirectory LDAP server, freeradius decides which Tunnel-Private-Group-Id to send back to the switch to place the user into the correct VLAN.

The authentication/authorization works fine. The cisco switch accepts the returned VLAN info if we hard code it into the users file such as with:

DEFAULT Tunnel-Private-Group-ID:1 := 901
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802

We attempted to make the configuration more generic by setting Tunnel-Private-Group-ID equal to an LDAP attribute in ldap.attrmap. This would automatically associate the VLAN ID w/ the user.

replyItem Tunnel-Private-Group-ID ourldapattribforthevlan

That didn't work because freeradius wasn't associating a tag with the attribute (or was setting it to zero) when responding to the switch. A wireshark capture confirmed the 0 tag. We attempted to add a :1 after Tunnel-Private-Group-ID, but that didn't pan out either.

We then attempted to use unlang in the users file to accomplish the same thing. (Tunnel-Client-Endpoint was added to ldap.attrmap as a dummy variable to hold the 'ourldapattribforthevlan' from LDAP)

DEFAULT Tunnel-Private-Group-ID:1 := `%{reply:Tunnel-Client-Endpoint}`,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802

With this configuration, we tried countless combinations of backticks, single quotes, and double quotes. The best response we could send back to the switch was:

Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 =

Has anyone else come across the issue with Cisco not dealing w/ 0 tags? Is there a way to use unlang to pull in the variables to be used in the users file?

Thank you for taking the time to read this. After a couple of days of searching, we still haven't come up w/ the correct search terms for google.

Thank you,
Mike Coles

--
This message was sent on behalf of [EMAIL PROTECTED] at openSubscriber.com
http://www.opensubscriber.com/messages/freeradius-users@lists.freeradius.org/topic.html
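Two problems recur across these threads: Tunnel-Medium-Type written as 802 instead of the dictionary name IEEE-802 (Tom's and Alan's point above), and tunnel attributes whose tag or value does not come out as intended, such as the empty Tunnel-Private-Group-Id:1 in Mike's best reply. The Python below is an added example, not code from the list or from FreeRADIUS: it parses users-file reply items, resolves names to the RFC 2868 numbers, flags those mistakes, and shows the tagged wire encoding; the sample entries are constructed from the ones posted here.

```python
"""Sanity-check and encode the RFC 2868 tunnel attributes that carry a VLAN
assignment, reading reply items in FreeRADIUS users-file syntax.
Added example; attribute and value numbers are those of RFC 2868."""
import re
import struct

# RFC 2868 attribute numbers and the dictionary names used in this thread.
ATTRS = {"Tunnel-Type": 64, "Tunnel-Medium-Type": 65, "Tunnel-Private-Group-ID": 81}
INTEGER_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type"}
VALUES = {"Tunnel-Type": {"VLAN": 13}, "Tunnel-Medium-Type": {"IEEE-802": 6}}
CANON = {name.lower(): name for name in ATTRS}  # accepts ...-Id as well as ...-ID

# One reply item: "Tunnel-Medium-Type:1 = IEEE-802," or "Tunnel-Private-Group-ID := 100"
ITEM_RE = re.compile(r'^\s*([A-Za-z-]+)(?::(\d+))?\s*:?=\s*"?([^",]*?)"?\s*,?\s*$')


def parse_reply_items(block):
    """Parse users-file reply lines into (attribute, tag, value) triples."""
    items = []
    for line in block.strip().splitlines():
        if not line.strip():
            continue
        match = ITEM_RE.match(line)
        if not match:
            raise ValueError(f"cannot parse reply item: {line!r}")
        name, tag, value = match.groups()
        items.append((CANON.get(name.lower(), name), int(tag or 0), value.strip()))
    return items


def resolve_value(name, value):
    """Map a dictionary name (VLAN, IEEE-802) or a literal number to the integer
    that goes on the wire. A bare '802' is not a name, so it stays the number 802,
    which is not the medium type (6) the switch or AP is looking for."""
    if name not in INTEGER_ATTRS:
        return value
    if value in VALUES[name]:
        return VALUES[name][value]
    if value.isdigit():
        return int(value)
    raise KeyError(f"{value!r} is not a known value for {name}")


def encode_attribute(name, tag, value):
    """Encode one tagged attribute as RFC 2868 bytes: type, length, then data."""
    if name in INTEGER_ATTRS:
        # Tagged integer: one tag octet followed by the low 24 bits of the value.
        number = resolve_value(name, value)
        data = bytes([tag]) + struct.pack(">I", number & 0xFFFFFF)[1:]
    else:
        # Tagged string: the tag octet is present only for tags 1..0x1F; with tag 0
        # (or anything above 0x1F) the string starts right after the length.
        data = (bytes([tag]) if 1 <= tag <= 0x1F else b"") + value.encode()
    return bytes([ATTRS[name], 2 + len(data)]) + data


def encode_reply(items):
    """Concatenate the encoded tunnel attributes in the order they were listed."""
    return b"".join(encode_attribute(n, t, v) for n, t, v in items if n in ATTRS)


def check_vlan_reply(items):
    """Return a list of problems with a VLAN reply; an empty list means it is sound."""
    problems = []
    present = {name: (tag, value) for name, tag, value in items if name in ATTRS}
    for required in ATTRS:
        if required not in present:
            problems.append(f"missing {required}")
    tags = {tag for tag, _ in present.values()}
    if len(tags) > 1:
        problems.append(f"tunnel attributes carry mixed tags {sorted(tags)}; "
                        "the NAS only groups attributes that share a tag")
    for name, (tag, value) in present.items():
        if name in INTEGER_ATTRS:
            try:
                number = resolve_value(name, value)
            except KeyError as exc:
                problems.append(str(exc))
                continue
            if number not in VALUES[name].values():
                expected = ", ".join(f"{k} ({v})" for k, v in VALUES[name].items())
                problems.append(f"{name} = {value} is not a valid value; use {expected}")
        elif not value:
            problems.append("Tunnel-Private-Group-ID is empty: the reply item was never filled in")
        elif not value.isdigit() or not 1 <= int(value) <= 4093:
            # Range as quoted from the Dell release notes in this thread.
            problems.append(f"Tunnel-Private-Group-ID = {value!r} is not a VLAN ID in 1..4093")
    return problems


# Constructed sample entries, modelled on the ones posted in this thread.
WRONG_MEDIUM = """
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = 802,
    Tunnel-Private-Group-ID = 100
"""
CORRECT = """
    Tunnel-Type:1 = VLAN,
    Tunnel-Medium-Type:1 = IEEE-802,
    Tunnel-Private-Group-ID:1 = 100
"""
UNFILLED = """
    Tunnel-Type:1 = VLAN,
    Tunnel-Medium-Type:1 = IEEE-802,
    Tunnel-Private-Group-Id:1 =
"""

if __name__ == "__main__":
    for label, block in (("802", WRONG_MEDIUM), ("IEEE-802", CORRECT), ("unfilled", UNFILLED)):
        items = parse_reply_items(block)
        print(label, check_vlan_reply(items) or "ok", encode_reply(items).hex())
```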
Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)
This is the catch. I swear we tried it at some point; apparently we were missing something else at that time. Now everything has worked out. Thanks all for replying. Have a nice day.

Regards,
shiling

On Nov 7, 2007 4:49 PM, [EMAIL PROTECTED] wrote:
> Hi,
>
>> userx   Cleartext-Password := hello
>>         Service-Type = Framed-User,
>>         Tunnel-Type = VLAN,
>>         Tunnel-Medium-Type = 802,
>>         Tunnel-Private-Group-ID = 552
>
> Tunnel-Medium-Type = IEEE-802,
>
> where did you get just '802' from?
>
> alan
Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)
Hi,

> We read all dynamic vlan related posts in this mailing list archive, but still can't get it to work even though the authentication is working fine.

in your eap.conf have you set the copy to inner tunnel to be yes?

on your switch, have you set the device to accept server defined VLANs?

alan
freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)
We read all dynamic vlan related posts in this mailing list archive, but still can't get it to work even though the authentication is working fine.

We are trying to get dynamic vlan assignment from freeradius with a local user database using eap-ttls-pap. The client PC was able to authenticate, but is not in the intended VLAN (dynamic vlan assignment is not working). Any suggestion is highly appreciated.

FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu

DEBUG INFO

TTLS: Got tunneled reply RADIUS code 2
        Service-Type = Framed-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = 552
Wed Nov 7 11:48:33 2007 : Debug: TTLS: Got tunneled Access-Accept
Wed Nov 7 11:48:33 2007 : Debug: rlm_eap: Freeing handler
Wed Nov 7 11:48:33 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 29
Wed Nov 7 11:48:33 2007 : Debug: modcall[authenticate]: module eap returns ok for request 29
Wed Nov 7 11:48:33 2007 : Debug: modcall: leaving group authenticate (returns ok) for request 29
Sending Access-Accept of id 4 to 128.186.252.8 port 1645

USER FILE

userx   Cleartext-Password := hello
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 552

debug dot1x all on the cisco showed that the switch successfully assigns vlan 0 to fa0/2 (the dot1x enabled port) after getting authenticated. We are thinking this means the vlan is not communicated between the freeradius and the switch, but we don't know why.

The test switch is a cisco 3550 running ios 12.2(35)SE. I have (also tried the configuration in the freeradius wiki, with the same result)

aaa new model
aaa authorization network default group radius
aaa authentication dot1x default group radius

and

dot1x system-auth-control

fa0/2 is my test port.

med-res-t#sh run
Building configuration...

Current configuration : 3450 bytes
!
! Last configuration change at 11:19:46 eastern Wed Nov 7 2007 by cisco
! NVRAM config last updated at 11:17:30 eastern Wed Nov 7 2007 by cisco
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname med-res-t
!
logging buffered 65536 debugging
no logging console
enable secret 5 *
!
username cisco privilege 15 secret 5 ***
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
!
aaa session-id common
clock timezone eastern -5
ip subnet-zero
ip domain-name test.edu
!
ip ssh version 2
vtp mode transparent
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100,200
!
vlan 552
 name test-fwsm-lan
!
vlan 553
 name retricted-vlan
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 543,552
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan552
 ip address 10.128.252.8 255.255.255.0
!
ip default-gateway 10.128.252.1
ip classless
ip http server
ip http secure-server
!
radius-server host 10.128.33.163 auth-port 1612 acct-port 1646 key 7 070C285F4D06
radius-server source-ports 1645-1646
!
control-plane
!
line con 0
line vty 5 15
!
ntp clock-period 17179941
ntp server 10.128.8.8
end
med-res-t#
Re: freeradius and cisco 3550 dynamic vlan assignment issue (authentication is working)
> On Nov 7, 2007 1:38 PM, [EMAIL PROTECTED] wrote:
>> Hi,
>> We read all dynamic vlan related posts in this mailing list archive, but still can't get it to work even though the authentication is working fine.
>
> in your eap.conf have you set the copy to inner tunnel to be yes?

Are you referring to

ttls {
        copy_request_to_tunnel = yes
}

From reading the comment about that, this looks related to the request, instead of the reply.

Thanks.
Shiling

> on your switch, have you set the device to accept server defined VLANs?

I believe in cisco

aaa authorization network default group radius

will enable the switch to accept the radius defined VLAN.

> alan
Re: freeradius and cisco 3550 dynamic vlan assignment issue (authentication is working)
Hi,

> on your switch, have you set the device to accept server defined VLANs?
>
> I believe in cisco
>
> aaa authorization network default group radius
>
> will enable the switch to accept the radius defined VLAN.

err, no. all that does is say 'use the radius group to authorize network'. you still have to configure the edge ports for 802.1X or nothing will happen

dot1x port-control auto

is something more useful

I'd suggest some basic 802.1X cisco guide, eg

http://www.ciscopress.com/articles/article.asp?p=29600&seqNum=3&rl=1

but you should be doing your own homework - or paying us consultancy rates for doing it for you ;-)

alan
Re: freeradius and cisco 3550 dynamic vlan assignment issue (authentication is working)
Hi,

> userx   Cleartext-Password := hello
>         Service-Type = Framed-User,
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 802,
>         Tunnel-Private-Group-ID = 552

Tunnel-Medium-Type = IEEE-802, where did you get just '802' from?

alan
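Both the users entry in the original post and the tunneled reply in its debug output carry Tunnel-Medium-Type = 802, which is not a dictionary name. The following is an added check, not code from the list or from FreeRADIUS: it parses users-file entries and flags Tunnel-* reply items a switch will not act on; the sample entries are constructed, modelled on the one quoted above.

```python
import re

# Enumerated values as FreeRADIUS names them (RFC 2868 / RFC 3580):
# either the name or its number is accepted in a users entry.
TUNNEL_TYPE_VLAN = ("VLAN", "13")
TUNNEL_MEDIUM_802 = ("IEEE-802", "6")

# attribute[:tag] operator value   (value may be double-quoted)
ITEM_RE = re.compile(r'([\w.\-]+)(?::(\d+))?\s*(:=|==|\+=|!=|=)\s*("[^"]*"|[^,\s]+)')


def parse_users(text):
    """Return [(name, check_items, reply_items)], items as (attr, op, value).
    An unindented line starts an entry; indented lines carry reply items."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        items = [(a, op, v.strip('"')) for a, _tag, op, v in ITEM_RE.findall(line)]
        if line[0].isspace() and entries:
            entries[-1][2].extend(items)
        else:
            entries.append((line.split()[0], items, []))
    return entries


def check_vlan_reply(reply_items):
    """Problems with the Tunnel-* reply items; an empty list means OK."""
    got = {attr.lower(): value for attr, _op, value in reply_items}
    problems = []
    t = got.get("tunnel-type")
    if t is None:
        problems.append("Tunnel-Type missing")
    elif t not in TUNNEL_TYPE_VLAN:
        problems.append(f"Tunnel-Type {t!r} is not VLAN (13)")
    m = got.get("tunnel-medium-type")
    if m is None:
        problems.append("Tunnel-Medium-Type missing")
    elif m not in TUNNEL_MEDIUM_802:
        problems.append(f"Tunnel-Medium-Type {m!r}: the dictionary name is IEEE-802 (6)")
    g = got.get("tunnel-private-group-id")
    if g is None:
        problems.append("Tunnel-Private-Group-ID missing")
    elif not g.isdigit() or not 1 <= int(g) <= 4094:
        problems.append(f"Tunnel-Private-Group-ID {g!r} is not a VLAN number 1-4094")
    return problems


def audit(text):
    """Map each entry name to its list of problems."""
    return {name: check_vlan_reply(reply) for name, _chk, reply in parse_users(text)}


# Constructed sample: the entry from the post, then a corrected one.
SAMPLE_USERS = """\
userx   Cleartext-Password := hello
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 552

usery   Cleartext-Password := hello
        Service-Type = Framed-User,
        Tunnel-Type:0 := VLAN,
        Tunnel-Medium-Type:0 := IEEE-802,
        Tunnel-Private-Group-Id:0 := 552
"""

if __name__ == "__main__":
    for name, probs in audit(SAMPLE_USERS).items():
        print(name, "OK" if not probs else "; ".join(probs))
```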
EAP/PEAP, LDAP and Dynamic VLAN Assignment HOW-TO
Hi,

I would make this architecture:

- authentication EAP/PEAP with MS-CHAPv2 with users in an LDAP database. Better with encrypted passwords, but not necessary.
- Every user has an attribute or something to assign it a VLAN.

I have OpenLDAP and Freeradius 1.1.3, the distribution present in CentOS 5.

Is it possible? Some suggestions?

--
Vincenzo Agosti
Università degli Studi di Salerno
Ufficio Sistemi Tecnologici
Coordinamento Servizi Informatici
Via Ponte don Melillo, s.n.c.
84084 - Fisciano (SA)
Tel. +39 089 96 6101 - 9776
Fax +39 089 96 6368 - 9806
Cell. +39 335 427674
--
RE : EAP/PEAP, LDAP and Dynamic VLAN Assignment HOW-TO
Hi,

> Hi,
> I would make this architecture:
> - authentication EAP/PEAP with MS-CHAPv2 with users in an LDAP database. Better with encrypted passwords, but not necessary.

Either:
* use clear-text passwords in the userPassword attribute
* OR add an LDAP attribute that will hold the NTLM hash version of the user password (with leading '0x'), then use ldap.attrmap to map NT-Password to your LDAP ntlm password attribute

> - Every user has an attribute or something to assign it a VLAN.

You can use the radiusReplyItem LDAP attribute OR create several radius profiles (one for each VLAN) and assign the one that corresponds to the user in the users file (for instance using LDAP-groups)

> I have OpenLDAP and Freeradius 1.1.3, the distribution present in CentOS 5.
> Is it possible? Some suggestions?

Yes it is possible in several ways... Find your own...

HTH,
Thibault
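To populate the NTLM hash attribute Thibault describes, here is an added example (not code from the list or from FreeRADIUS) that computes the NT-Password value with the leading '0x' and emits the matching ldap.attrmap line. The LDAP attribute name ntPasswordHash is an assumption, and MD4 is implemented inline because many current Python builds no longer ship it.

```python
import struct

_MASK = 0xFFFFFFFF
_R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)  # round-3 word order


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data):
    """RFC 1320 MD4 of a byte string; returns the 16-byte digest."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            j = i % 16
            if i < 16:      # round 1: F, message words in order, no constant
                f, k, s, kc = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:    # round 2: G, words 0,4,8,12,1,5,9,13,...
                f, k, s, kc = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:           # round 3: H, words in _R3 order
                f, k, s, kc = b ^ c ^ d, _R3[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + f + x[k] + kc) & _MASK, s), b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash: MD4 over the password encoded as UTF-16LE, lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def ldap_nt_password_value(password):
    """Value to store in the LDAP attribute: hex NT hash with a leading '0x',
    the form Thibault describes for FreeRADIUS's NT-Password check item.
    It is password-equivalent for MS-CHAPv2, so the attribute needs an LDAP
    ACL at least as strict as the one protecting userPassword."""
    return "0x" + nt_hash(password).upper()


def attrmap_line(ldap_attr="ntPasswordHash"):
    """ldap.attrmap line mapping NT-Password to the LDAP attribute (the
    attribute name is an assumption; use whatever your schema defines)."""
    return f"checkItem\tNT-Password\t{ldap_attr}"


if __name__ == "__main__":
    print(attrmap_line())
    print(ldap_nt_password_value("password"))   # constructed sample password
```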
RE: Dynamic VLAN assignment
I was under the impression that 1 AP = 1 VLAN. Has trunking been added?

-Original Message-
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 24, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Dynamic VLAN assignment

> i don't know, but i would say execute an external program which reads a VLAN list file and attributes and marks as used the next unused VLAN. but you will end up with #VLANs = #users... it's pretty heavy (pull all the VLANs from all APs to the switches) and quite limited, isn't it?
>
> ciao
> artur
Re: Dynamic VLAN assignment
Oh yes. You can use the eth port as a trunk, and the radio can either tie different SSIDs to VLANs, or different users can be put into different VLANs if you are using some sort of authentication.

Willey Kurt D wrote:
> I was under the impression that 1 AP = 1 VLAN. Has trunking been added?
Re: Dynamic VLAN assignment
(this is now kind of off the topic of radius but... )

Yes, it is a bit heavy

What this is really doing is kind of sort of mimicking private VLANs in the Catalyst sense. Where each user in a VLAN cannot see each other, but they can all send traffic towards one assigned port...

I am playing chicken with the Cisco development team. By the time I run into a hard limit somewhere, I am hoping they will have coded private VLANs into the Aironets

Artur Hecker wrote:
> i don't know, but i would say execute an external program which reads a VLAN list file and attributes and marks as used the next unused VLAN. but you will end up with #VLANs = #users... it's pretty heavy (pull all the VLANs from all APs to the switches) and quite limited, isn't it?
>
> ciao
> artur
Re: Dynamic VLAN assignment
IIRC, the Aironets can only take either 8 or 16 VLANs.

You may be better off using the filtering functions in the Aironet to restrict the forwarding of frames between wireless stations, instead of using VLANs like this.

josh.

On Tue, 2004-05-25 at 15:27, Dan Armstrong wrote:
> (this is now kind of off the topic of radius but... )
>
> Yes, it is a bit heavy
>
> What this is really doing is kind of sort of mimicking private VLANs in the Catalyst sense. Where each user in a VLAN cannot see each other, but they can all send traffic towards one assigned port...
>
> I am playing chicken with the Cisco development team. By the time I run into a hard limit somewhere, I am hoping they will have coded private VLANs into the Aironets

--
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850  email: [EMAIL PROTECTED]
Re: Dynamic VLAN assignment
well, i thought Dan was speaking about a new VLAN per user, not per AP. this is possible with Cisco APs. as far as i know, 1200 and 1100 can do trunking.

ciao
artur

Willey Kurt D wrote:
> I was under the impression that 1 AP = 1 VLAN. Has trunking been added?
RE: Dynamic VLAN assignment
I've done trunking of more than 3 vlans with the 1200 series. I configured one as my native network management vlan, and two others bound to different SSIDs. I think it's possible to have even more than that, but only one Guest mode VLAN.

-Original Message-
From: Artur Hecker [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 25, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Dynamic VLAN assignment

> well, i thought Dan was speaking about a new VLAN per user, not per AP. this is possible with Cisco APs. as far as i know, 1200 and 1100 can do trunking.
>
> ciao
> artur
Re: Dynamic VLAN assignment
Why not use public secure password forwarding?

Public Secure Packet Forwarding (PSPF) prevents client devices associated to an access point from inadvertently sharing files or communicating with other client devices associated to the access point. It provides Internet access to client devices without providing other capabilities of a LAN. This feature is useful for public wireless networks like those installed in airports or on college campuses.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c3.html#wp1038494

On May 25, 2004, at 8:27 AM, Dan Armstrong wrote:
> (this is now kind of off the topic of radius but... )
>
> Yes, it is a bit heavy
>
> What this is really doing is kind of sort of mimicking private VLANs in the Catalyst sense. Where each user in a VLAN cannot see each other, but they can all send traffic towards one assigned port...
>
> I am playing chicken with the Cisco development team. By the time I run into a hard limit somewhere, I am hoping they will have coded private VLANs into the Aironets
Dynamic VLAN assignment
I know this idea is a bit whacked, but if anybody can think of a creative way I might be able to achieve it - I would be eternally grateful...

We are authenticating wireless users from a Cisco Aironet (1100/1200). I know that I can pass back a VLAN to plop the user into, once authenticated.

What I want to do is have radius keep a "pool" of VLANs, and each time a user is authenticated, they end up in the next VLAN. It would also have to return disconnected vlans back into the pool for reuse.

Any thoughts?

(If there is no relatively simple way to do this, I do have budget if anybody out there wants to help code it) :-)

Thanks,
Dan.
Re: Dynamic VLAN assignment
i don't know, but i would say execute an external program which reads a VLAN list file and attributes and marks as used the next unused VLAN. but you will end up with #VLANs = #users... it's pretty heavy (pull all the VLANs from all APs to the switches) and quite limited, isn't it?

ciao
artur

Dan Armstrong wrote:
> I know this idea is a bit whacked, but if anybody can think of a creative way I might be able to achieve it - I would be eternally grateful...
>
> We are authenticating wireless users from a Cisco Aironet (1100/1200). I know that I can pass back a VLAN to plop the user into, once authenticated.
>
> What I want to do is have radius keep a "pool" of VLANs, and each time a user is authenticated, they end up in the next VLAN. It would also have to return disconnected vlans back into the pool for reuse.
>
> Any thoughts?
>
> (If there is no relatively simple way to do this, I do have budget if anybody out there wants to help code it) :-)
>
> Thanks,
> Dan.

--
Artur Hecker
artur[at]hecker.info
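Artur's suggestion above, an external program that reads a VLAN list and marks the next unused one as taken, worked through as an added example (not code from the thread or from FreeRADIUS). It adds the release path that Dan's "return disconnected vlans to the pool" needs, which an Accounting Stop would trigger, and locks the state file so two concurrent requests can never be handed the same VLAN; the JSON state-file layout and the rlm_exec wiring (reply pairs printed to stdout, non-zero exit to reject) are this example's assumptions.

```python
import fcntl
import json
import sys


class VlanPool:
    """Pool state in one JSON file: {"free": [vlan, ...], "used": {"user": vlan}}."""

    def __init__(self, path):
        self.path = path

    def reset(self, vlans):
        """(Re)create the state file with every VLAN in the pool free."""
        with open(self.path, "w") as f:
            json.dump({"free": sorted(set(vlans)), "used": {}}, f)

    def _update(self, fn):
        # Exclusive lock: radiusd runs several worker threads, any of which
        # may exec this program, and two must never be handed the same VLAN.
        with open(self.path, "r+") as f:
            fcntl.flock(f, fcntl.LOCK_EX)
            state = json.load(f)
            result = fn(state)
            f.seek(0)
            f.truncate()
            json.dump(state, f)
        return result

    def allocate(self, user):
        """Next unused VLAN for this user, or None when the pool is empty."""
        def fn(state):
            if user in state["used"]:          # re-authentication keeps the VLAN
                return state["used"][user]
            if not state["free"]:
                return None                    # exhausted: reject, never share
            vlan = state["free"].pop(0)
            state["used"][user] = vlan
            return vlan
        return self._update(fn)

    def release(self, user):
        """Give the user's VLAN back (call this on Accounting Stop)."""
        def fn(state):
            vlan = state["used"].pop(user, None)
            if vlan is not None:
                state["free"] = sorted(state["free"] + [vlan])
            return vlan
        return self._update(fn)


def reply_pairs(vlan):
    """Reply items for the AP, one per line, as rlm_exec reads from stdout."""
    return ["Tunnel-Type:0 := VLAN",
            "Tunnel-Medium-Type:0 := IEEE-802",
            f"Tunnel-Private-Group-Id:0 := {vlan}"]


def main(argv):
    # vlanpool.py STATEFILE alloc|release USER    (exit 1 = reject the user)
    # The state file is created once with VlanPool(path).reset(vlans).
    pool = VlanPool(argv[1])
    if argv[2] == "release":
        pool.release(argv[3])
        return 0
    vlan = pool.allocate(argv[3])
    if vlan is None:
        return 1
    print("\n".join(reply_pairs(vlan)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```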