Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
 As you can see, the device wasn't listed in the file, the authentication
 went fine, saying that the tunnel that I should get has ID 40, but that
 wasn't overwritten by the authorized_macs check...

Add

DEFAULT Auth-Type := Reject

to the bottom of your authorized_macs file.

You might as well move the mac address check up above eap in
the authorize section. There's no point going through all the eap
processing if you're just going to reject afterwards based on
something that could easily have been done first.

Cheers

Matthew



-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote:
 On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote:
  As you can see, the device wasn't listed in the file, the authentication
  went fine, saying that the tunnel that I should get has ID 40, but that
  wasn't overwritten by the authorized_macs check...
 
 DEFAULT Auth-Type := Reject

I misread (and replied before I'd seen the other thread from your
duplicate message...) - to set the vlan for any users that *don't*
match other entries, then add this at the bottom:

DEFAULT
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := 999

To Reject, you can do it in authorize. To set the VLAN, as Alan
said, post-auth is the better place.

Use := to force the values to be set. = will not change the
values if already set by the inner tunnel, etc.

Matthew


-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
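
To make the operator point above concrete, here is an added example, written for this page and not code from the thread or from FreeRADIUS: a small Python model of how "update" operators act on a reply list, applied to the scenario in this thread. The inner-tunnel post-auth sets VLAN 40 for members of dept_tech_corporate_it; with use_tunneled_reply the inner reply is copied into the outer reply; the outer post-auth then pushes the isolated VLAN (36, the value in Fabrizio's post-auth block) for a device that is not in authorized_macs. The function names, the ldap_groups and mac_known parameters, and the simplified operator model (":=" leaves exactly one instance of the attribute) are this example's own assumptions.

```python
from typing import Iterable, List, Optional, Tuple

# Added example, not code from the thread or from FreeRADIUS: a model of how
# "update" operators act on an attribute list, applied to the VLAN scenario in
# this thread. Function names and parameters are this example's own.

Attr = Tuple[str, str]  # (attribute name, value)
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")


def apply_update(attrs: List[Attr], name: str, op: str, value: str) -> List[Attr]:
    """Apply one 'update' line and return the new list.

    Operator semantics as documented for FreeRADIUS unlang (simplified):
      "="   add only if no attribute of that name is present yet
      ":="  set: the attribute ends up present exactly once, with this value
      "+="  append, even if the name is already present
    """
    if op == "=":
        if any(n == name for n, _ in attrs):
            return list(attrs)
        return attrs + [(name, value)]
    if op == ":=":
        kept = [(n, v) for n, v in attrs if n != name]
        # keep the attribute at its original position when it already existed
        for i, (n, _) in enumerate(attrs):
            if n == name:
                kept.insert(i, (name, value))
                return kept
        return kept + [(name, value)]
    if op == "+=":
        return attrs + [(name, value)]
    raise ValueError(f"unsupported operator {op!r}")


def inner_tunnel_reply(ldap_groups: Iterable[str]) -> List[Attr]:
    """What the thread's inner-tunnel post-auth produced: VLAN 40 for the IT group."""
    reply: List[Attr] = []
    if "dept_tech_corporate_it" in set(ldap_groups):
        for name, value in zip(VLAN_ATTRS, ("VLAN", "IEEE-802", "40")):
            reply = apply_update(reply, name, ":=", value)
    return reply


def outer_post_auth(reply: List[Attr], mac_known: bool, op: str,
                    isolated_vlan: str = "36") -> List[Attr]:
    """Outer post-auth: for a device not in authorized_macs, push the isolated
    VLAN with the given operator (36 is the value in Fabrizio's post-auth block)."""
    if mac_known:
        return list(reply)
    for name, value in zip(VLAN_ATTRS, ("VLAN", "IEEE-802", isolated_vlan)):
        reply = apply_update(reply, name, op, value)
    return reply


def final_vlan(ldap_groups: Iterable[str], mac_known: bool, op: str) -> Optional[str]:
    """VLAN the NAS receives: the inner reply is copied to the outer reply
    (use_tunneled_reply = yes), then the outer post-auth runs on that list."""
    reply = outer_post_auth(inner_tunnel_reply(ldap_groups), mac_known, op)
    return dict(reply).get("Tunnel-Private-Group-Id")


if __name__ == "__main__":
    it = {"dept_tech_corporate_it"}
    print("known MAC, IT group         :", final_vlan(it, True, "="))
    print("unknown MAC, IT group, '='  :", final_vlan(it, False, "="))
    print("unknown MAC, IT group, ':=' :", final_vlan(it, False, ":="))
    print("unknown MAC, no group, '='  :", final_vlan(set(), False, "="))
```

The second case is exactly what Fabrizio saw in his debug output: the "=" update in the outer post-auth finds Tunnel-Private-Group-Id already set to 40 by the inner tunnel and leaves it alone, so the isolated VLAN never reaches the NAS; the third case shows ":=" forcing it.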


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote:
 First of all, sorry if my email is very long, I am just trying not to
 leave any important details out. :)

  That's good.

 So far, I managed to do the dynamic VLAN assignment, but cannot seem to
 get it to work together with the MAC checking.

  The key thing to remember is that they are two independent pieces.
Get them working independently.  Then, put the pieces together.

 I can get an auth to be refused if the MAC is not listed in the
 authorized_macs file, but can't quite put the two things together.
 Perhaps I am a bit confused with regards to where to put the MAC check.

  Put it into authorize.

 For now, I just managed to get the check to work only on the
 authorization phase in sites-enabled/default, but then the VLAN
 assignment, which is done in the internal-tunnel, seems to overwrite my
 changes.

  That can be fixed.

 So I tried to put the MAC check in the post-auth section in the default
 file, but the MAC check doesn't seem to ever work.

  Because the users file works differently there.

 Here are the relevant config files:

  Which seem to use a reasonable approach.

 As you can see, the device wasn't listed in the file, the authentication
 went fine, saying that the tunnel that I should get has ID 40, but that
 wasn't overwritten by the authorized_macs check...

  I think part of the problem is you're juggling a lot.  You also
mentioned MACs and VLANs... and then halfway through the message Oh,
there's an inner-tunnel, too.

  Stop with all of your solutions.  Instead, write down exactly what you
have.  Write down what you want to happen in plain English.  Write down
what should happen, and when.  Then, convert it to the configuration.

  Your system is using TTLS.  OK... I'll ignore the question of *why*
you're authenticating unknown MACs.  That seems weird.

  The debug log shows this:

[ttls] Got tunneled reply code 2
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 40

  Where did that VLAN come from?  Why is it there?  If you don't know,
that's a huge problem.

  Generally, the policies should be arranged like this:

authorize: allow only known kinds of authentication
   decide which authentication method to use
   grab known good passwords

authenticate: run authentication methods

post-auth: return attributes for a successfully authenticated user


  In your case, I'd say return to a default configuration.  Then, get
the MAC address filtering working in post-auth.  Once that's working,
add VLAN assignment.

  Alan DeKok.


Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Fabrizio Vecchi
Hi Alan and thanks for the reply.


On 12 October 2013 13:42, Alan DeKok al...@deployingradius.com wrote:


  So far, I managed to do the dynamic VLAN assignment, but cannot seem to
  get it to work together with the MAC checking.


Get them working independently.  Then, put the pieces together.


I managed to get them to work independently, it's the putting together
phase that I can't quite crack... :)


  I can get an auth to be refused if the MAC is not listed in the
  authorized_macs file, but can't quite put the two things together.
  Perhaps I am a bit confused with regards to where to put the MAC check.

   Put it into authorize.

 If I put the MAC check in the authorize section, then I can allow users to
use only the devices in the authorized_macs file (unless I am missing
something). I would like the users to use any device, but just have a
limited access to the network if the device isn't listed in the
authorized_macs file...


  For now, I just managed to get the check to work only on the
  authorization phase in sites-enabled/default, but then the VLAN
  assignment, which is done in the internal-tunnel, seems to overwrite my
  changes.

   That can be fixed.

  So I tried to put the MAC check in the post-auth section in the default
  file, but the MAC check doesn't seem to ever work.

   Because the users file works differently there.


Can you point me to some part of the docs that explain what is different,
please?



  Here are the relevant config files:

   Which seem to use a reasonable approach.

  As you can see, the device wasn't listed in the file, the authentication
  went fine, saying that the tunnel that I should get has ID 40, but that
  wasn't overwritten by the authorized_macs check...

   I think part of the problem is you're juggling a lot.  You also
 mentioned MACs and VLANs... and then halfway through the message Oh,
 there's an inner-tunnel, too.

   Stop with all of your solutions.  Instead, write down exactly what you
 have.  Write down what you want to happen in plain English.  Write down
 what should happen, and when.  Then, convert it to the configuration.

   Your system is using TTLS.  OK... I'll ignore the question of *why*
 you're authenticating unknown MACs.  That seems weird.


What I am trying to achieve is the following:
1. Authenticate the users through LDAP
2. IF the user is using a device listed in the authorized_macs file, then
assign a VLAN which depends on the user's LDAP group.
3. IF the user is using another (their own), allow them to access an
isolated VLAN, which doesn't allow the device to talk to our servers.

This will allow my colleagues to connect to the Internet with their
devices, but not to mess around with our servers in case there is malware
installed on them.

Does this make sense?


   The debug log shows this:

 [ttls] Got tunneled reply code 2
 Tunnel-Type:0 = VLAN
 Tunnel-Medium-Type:0 = IEEE-802
 Tunnel-Private-Group-Id:0 = 40

   Where did that VLAN come from?  Why is it there?  If you don't know,
 that's a huge problem.


SO SORRY! I pasted twice the sites-available/default file!

It comes from the post-auth section in the inner-tunnel file.
In inner-tunnel, I check if the user belongs to the dept_tech_corporate_it
group, and if so, I update the outer request by assigning a VLAN with ID
40.

This part of the config works properly, as shown by the following few
lines of debug output:

rlm_ldap::ldap_groupcmp: User found in group cn=dept_tech_corporate_it,ou=
Groups,c=gb,dc=mindcandy,dc=com
  [ldap] ldap_release_conn: Release Id: 0
? Evaluating (LDAP-Group ==
cn=dept_tech_corporate_it,ou=Groups,c=gb,dc=mindcandy,dc=com) - TRUE



   Generally, the policies should be arranged like this:

 authorize: allow only known kinds of authentication
decide which authentication method to use
grab known good passwords

 authenticate: run authentication methods

 post-auth: return attributes for a successfully authenticated user


   In your case, I'd say return to a default configuration.  Then, get
 the MAC address filtering working in post-auth.  Once that's working,
 add VLAN assignment.


That seems to be an approach similar to the one I am trying to use. I would
like to do the check of the MAC address for last, so that I can associate
the right VLAN to the user. But for some reason this check doesn't seem to
work.

I guess at the end of the day my question boils down to the following:
where should I put the MAC check, so that the user gets assigned to the
right VLAN?
If I put it in the authorize part of sites-enabled/default, the VLAN update
request will get overwritten by the post-auth part of
sites-enabled/inner-tunnel; and if I put it in the post-auth of the file
sites-enabled/default file (which gets executed after inner-tunnel), the
authorized_macs function always returns noop.

If I could get any pointers towards a working solution, I'd be really
grateful.

Thanks,
Fabrizio

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote:
 I guess at the end of the day my question boils down to the following:
 where should I put the MAC check, so that the user gets assigned to the
 right VLAN?

  In post-auth.

 If I put it in the authorize part of sites-enabled/default, the VLAN
 update request will get overwritten by the post-auth part of
 sites-enabled/inner-tunnel;

  The default configuration for the inner-tunnel does *not* set a VLAN
in post-auth.  So one configuration you added prevents you from using
another configuration you added.

 and if I put it in the post-auth of the file
 sites-enabled/default file (which gets executed after inner-tunnel), the
 authorized_macs function always returns noop.

  Delete the set VLAN stuff from the post-auth of the inner tunnel.
As you've seen, it breaks the other configuration you're trying to use.

  When you put authorized_macs into the post-auth, it runs the
post-auth processing.  Which doesn't read the users file... as the
users file is done only in the authorize section.

  You should be able to put authorized_macs.authorize in the post-auth
section.  That will make it process the users file, and do what you want.

  Alan DeKok.


Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave
any important details out. :)

In my Company, I'd like to setup a freeradius based wifi authentication
following the same principle:
First check if a user is using the Company's laptop (or phone) by checking
a list of MAC addresses. If the device is in the list, let the user
authenticate through LDAP and get a VLAN depending on the user's group; if
it's not present, authenticate the user against ldap, but assign the user
to a public VLAN, which cannot reach our internal servers.
This is basically to take care of users who connect to our network with
their own devices, on which we don't have control and that could spread all
sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get
it to work together with the MAC checking.
I can get an auth to be refused if the MAC is not listed in the
authorized_macs file, but can't quite put the two things together. Perhaps
I am a bit confused with regards to where to put the MAC check. For now, I
just managed to get the check to work only on the authorization phase in
sites-enabled/default, but then the VLAN assignment, which is done in the
internal-tunnel, seems to overwrite my changes.
So I tried to put the MAC check in the post-auth section in the default
file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version:
2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf
policy {
    forbid_eap {
        if (EAP-Message) {
            reject
        }
    }
    permit_only_eap {
        if (!EAP-Message) {
            if (!"%{outer.request:EAP-Message}") {
                reject
            }
        }
    }
    deny_realms {
        if (User-Name =~ /@|\\/) {
            reject
        }
    }
    do_not_respond {
        update control {
            Response-Packet-Type := Do-Not-Respond
        }
        handled
    }
    cui_authorize {
        update request {
            Chargeable-User-Identity:='\\000'
        }
    }
    cui_postauth {
        if (FreeRadius-Proxied-To == 127.0.0.1) {
            if (outer.request:Chargeable-User-Identity) {
                update outer.reply {
                    Chargeable-User-Identity:="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
        else {
            if (Chargeable-User-Identity) {
                update reply {
                    Chargeable-User-Identity="%{md5:%{config:cui_hash_key}%{User-Name}}"
                }
            }
        }
    }
    cui_updatedb {
        if (reply:Chargeable-User-Identity) {
            cui
        }
    }
    cui_accounting {
        if (!Chargeable-User-Identity) {
            update control {
                Chargeable-User-Identity := "%{cui: SELECT cui FROM cui WHERE clientipaddress = '%{Client-IP-Address}' AND callingstationid = '%{Calling-Station-Id}' AND username = '%{User-Name}'}"
            }
        }
        if (Chargeable-User-Identity && (Chargeable-User-Identity != "")) {
            cui
        }
    }
    rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }
}


--- modules/files:
files {
    usersfile = ${confdir}/users
    acctusersfile = ${confdir}/acct_users
    preproxy_usersfile = ${confdir}/preproxy_users
    compat = no
}
files second_files {
    usersfile = ${confdir}/second_users
    acctusersfile = ${confdir}/second_acct_users
    preproxy_usersfile = ${confdir}/second_preproxy_users
}
files authorized_macs {
    key = "%{tolower:%{Calling-Station-ID}}"
    usersfile = ${confdir}/authorized_macs
    compat = no
}

--- authorized_macs
e8-99-c4-a2-39-36
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

--- sites-available/default
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    sql {
        fail = 1
    }
}
session {
    radutmp
    sql {
        fail = 1
    }
}
post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

--- sites-available/inner-tunnel
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi
Hi everyone.

First of all, sorry if my email is very long, I am just trying not to leave
any important details out. :)

In my Company, I'd like to setup a freeradius based wifi authentication
following the same principle:
First check if a user is using the Company's laptop (or phone) by checking
a list of MAC addresses. If the device is in the list, let the user
authenticate through LDAP and get a VLAN depending on the user's group; if
it's not present, authenticate the user against ldap, but assign the user
to a public VLAN, which cannot reach our internal servers.
This is basically to take care of users who connect to our network with
their own devices, on which we don't have control and that could spread all
sorts of malware in the internal network.

So far, I managed to do the dynamic VLAN assignment, but cannot seem to get
it to work together with the MAC checking.
I can get an auth to be refused if the MAC is not listed in the
authorized_macs file, but can't quite put the two things together. Perhaps
I am a bit confused with regards to where to put the MAC check. For now, I
just managed to get the check to work only on the authorization phase in
sites-enabled/default, but then the VLAN assignment, which is done in the
internal-tunnel, seems to overwrite my changes.
So I tried to put the MAC check in the post-auth section in the default
file, but the MAC check doesn't seem to ever work.

Here are the relevant config files:

Radius version:
2.1.10+dfsg-2+squeeze1 (running on Debian)

--- policy.conf
(...)
    rewrite_calling_station_id {
        if (Calling-Station-Id =~ /([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i) {
            update request {
                Calling-Station-Id := "%{1}-%{2}-%{3}-%{4}-%{5}-%{6}"
            }
        }
        else {
            noop
        }
    }
}


--- modules/files:
(...)
files authorized_macs {
    key = "%{tolower:%{Calling-Station-ID}}"
    usersfile = ${confdir}/authorized_macs
    compat = no
}

--- authorized_macs
e8-99-c4-a2-39-36
    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

--- sites-available/default
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    sql {
        fail = 1
    }
}
session {
    radutmp
    sql {
        fail = 1
    }
}
post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

--- sites-available/inner-tunnel
authorize {
    preprocess
    auth_log
    suffix
    eap {
        ok = return
    }
    expiration
    logintime
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    eap
}
preacct {
    preprocess
    acct_unique
    suffix
}
accounting {
    sql {
        fail = 1
    }
}
session {
    radutmp
    sql {
        fail = 1
    }
}
post-auth {
    rewrite_calling_station_id
    authorized_macs
    if (!ok) {
        update reply {
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = 36
        }
    }
    sql {
        fail = 1
    }
    exec
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
pre-proxy {
}
post-proxy {
    eap
}

And here is an authentication example, with a device not listed in
authorized_macs:
(...)

rad_recv: Access-Request packet from host 192.168.59.202 port 32769,
id=129, length=345
User-Name = fabrizio.vecchi
Calling-Station-Id = 60-fa-cd-47-1a-44
Called-Station-Id = 24-01-c7-28-aa-d0:MindCandyAuth
NAS-Port = 1
Cisco-AVPair = audit-session-id=ca3ba8c000dede1c5852
NAS-IP-Address = 192.168.59.202
NAS-Identifier = Cisco_6e:1f:4f
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 36
EAP-Message =
0x0206005f1580005517030100506509e5008fb8b33c992bdddc007472c4f5d210aa8d535f747241bc99c4cb8785066c7ef4f262c470986626e1d31efc71f0d3b42b80663afc9fdc68715d1ee49c02af509c6b12de0bca5bf5501cba
State = 0xf1f3e6cbf5f5f3adc22ef694ca5dfcba
Message-Authenticator = 0xeff670953d883040f13b8dfc42d39849
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail
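
An added example, not from the thread and not FreeRADIUS code: a Python port of the rewrite_calling_station_id rule and of the authorized_macs lookup from the post above (the users-file lookup that authorized_macs.authorize performs), run over a constructed authorized_macs file. It shows which Calling-Station-Id spellings the policy's regex normalises (colon, dash or no separator) and which it does not (a dotted form), and how an unlisted or unparsable station id falls through to a DEFAULT entry. The function names, the DEFAULT entry (VLAN 999, taken from Matthew Newton's reply in this thread) and the dotted sample value are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Added example, not code from the thread or from FreeRADIUS: a port of the
# rewrite_calling_station_id policy and the authorized_macs lookup from the
# original post. Function names and the sample file are this example's own.

# Same pattern as the policy.conf rewrite_calling_station_id rule (case-insensitive)
MAC_RE = re.compile(
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})",
    re.IGNORECASE,
)


def rewrite_calling_station_id(calling_station_id: str):
    """Return the value the policy writes back with 'update request'
    (aa-bb-cc-dd-ee-ff), or None where the policy falls through to 'noop'."""
    m = MAC_RE.search(calling_station_id)
    return "-".join(m.groups()) if m else None


def lookup_key(calling_station_id: str) -> str:
    """The files module key: key = "%{tolower:%{Calling-Station-ID}}"."""
    return calling_station_id.lower()


def parse_authorized_macs(text: str) -> Dict[str, List[str]]:
    """Minimal users-file reader: an unindented line starts an entry (its first
    token is the key, DEFAULT included); indented lines are that entry's reply
    items. Check items after the key are not modelled here."""
    entries: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            current = raw.split()[0]
            entries[current] = []
        elif current is not None:
            entries[current].append(raw.strip().rstrip(","))
    return entries


def classify_device(calling_station_id: str,
                    entries: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Decide which authorized_macs entry a request hits.
    ("known", items) for a listed MAC; ("unknown", DEFAULT items) otherwise;
    ("unparsable", DEFAULT items) when the regex did not match, since the raw
    value is then used as the key and will not be in the file either."""
    mac = rewrite_calling_station_id(calling_station_id)
    if mac is None:
        return "unparsable", entries.get("DEFAULT", [])
    key = lookup_key(mac)
    if key in entries:
        return "known", entries[key]
    return "unknown", entries.get("DEFAULT", [])


# Constructed file: the MAC from the thread, plus the DEFAULT entry Matthew Newton
# suggested for devices that match nothing else (VLAN 999 is his example value).
AUTHORIZED_MACS = """\
e8-99-c4-a2-39-36
\tReply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

DEFAULT
\tTunnel-Type:0 := VLAN,
\tTunnel-Medium-Type:0 := IEEE-802,
\tTunnel-Private-Group-Id:0 := 999
"""


if __name__ == "__main__":
    entries = parse_authorized_macs(AUTHORIZED_MACS)
    # Constructed inputs: the listed MAC in colon form, the unlisted MAC from the
    # thread's debug output, the same without separators, and a dotted form
    for station_id in ("E8:99:C4:A2:39:36", "60-fa-cd-47-1a-44",
                       "60facd471a44", "e899.c4a2.3936"):
        outcome, items = classify_device(station_id, entries)
        print(f"{station_id:20} -> {rewrite_calling_station_id(station_id)!s:20} {outcome:10} {items}")
```

Note that the regex only tolerates "-" or ":" between octets (or nothing at all); a NAS that sends a dotted form would never match an entry and would always land on the DEFAULT, which is worth checking in the debug output before blaming the policy.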

Wifi APs Models compatible with by username dynamic vlan assignment

2013-10-03 Thread matthew pideil
Hello,

I want to perform dynamic VLAN assignment by username through wifi
access. I set up this configuration some time ago but it didn't work.

I want to know which WiFi APs are compatible and/or what is the term to
search for in devices specifications ...

Regards,

-- 
Matthew Pideil


Re: Wifi APs Models compatible with by username dynamic vlan assignment

2013-10-03 Thread Arran Cudbard-Bell

On 3 Oct 2013, at 10:57, matthew pideil matthew.pid...@teledetection.fr wrote:

 Hello,
 
 I want to perform dynamic VLAN assignment by username through wifi
 access. I set up this configuration some time ago but it didn't work.
 
 I want to know which WiFi APs are compatible and/or what is the term to
 search for in devices specifications ...


Look for claimed compliance with RFC3580/RFC4675 in the specifications of your 
Access-Point.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Dynamic vlan assignment

2013-07-20 Thread Martin Kraus
On Fri, Jul 19, 2013 at 06:03:31PM +0200, Dario Palmisano wrote:
 •RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs.
 
 So it seems not to be related to the IOS version, is it?
 
 Is there any way to overcome this somehow, if not...

Do you actually need multiple bssids? 

mk


Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
Hello Everybody,

I am configuring my freeradius to be integrated in the EDUROAM federation.
It works when the VLAN (as configured in the accesspoint) is statically 
assigned.

Now I would like to implement a dynamic vlan assignment on a per user basis;
in this case the Macintosh I am using for test gets authenticated but is not 
able to get the ip address from DHCP (it shows as 169.254.120.248), so remaining 
isolated.

I carefully followed instructions (regarding the accesspoint and freeradius) 
and searched the web for a possible reason, but unsuccessfully.

I am not sure the problem is not in the accesspoint configuration (a CISCO 
AP1131AG), anyway the accesspoint receives the indication to use the specified 
vlan.

I will appreciate any suggestion you would like to provide

Thanks and regards

Dario

P.S.: I know the request is quite generic, but I am ready to provide radius 
log, or configuration files.







Re: Dynamic vlan assignment

2013-07-19 Thread Arran Cudbard-Bell

On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org wrote:

 Hello Everybody,
 
 I am configuring my freeradius to be integrated in the EDUROAM federation.
 It works when the VLAN (as configured in the accesspoint) is statically 
 assigned.
 
 Now I would like to implement a dynamic vlan assignment on a per user basis;
 in this case the Macintosh I am using for test gets authenticated but is not 
 able to get the ip address from DHCP (it shows as 169.254.120.248), so remaining 
 isolated.
 
 I carefully followed instructions (regarding the accesspoint and freeradius) 
 and searched the web for a possible reason, but unsuccessfully.
 
 I am not sure the problem is not in the accesspoint configuration (a CISCO 
 AP1131AG), anyway the accesspoint receives the indication to use the 
 specified 
 vlan.

You want to post the contents of an Access-Accept so we can check you're 
sending the correct attributes

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

 I am configuring my freeradius to be integrated in the EDUROAM federation.
 It works when the VLAN (as configured in the accesspoint) is statically 
 assigned.

there are hundreds of sites using this sort of configuration for eduroam - so
it's perfectly possible and fine (and standard!) so you're going wrong somewhere.

so, that's the peace of mind part.  where has it gone wrong?   well,
firstly, is there DHCP etc on the VLAN this client is being dropped onto?
have you tested the network? what happens if the AP only handles that VLAN?

is this a 'fat/autonomous' AP? if so, then only the latest firmware can handle
multiple VLANs per 802.1X SSID with multiple BSSIDs present. are you returning
ALL the VLAN attributes needed to assign the VLAN on the AP?  not JUST the VLAN
number..name ah yes, are you sending NAME or VLAN in the VLAN tag?

are you sending the replies from the tunnel = check eap.conf settings!

debug output helps a lot so yes, send it.

alan


Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
 On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org wrote:
  Hello Everybody,
 
  I am configuring my freeradius to be integrated in the EDUROAM
  federation. It works when the VLAN (as configured in the accesspoint) is
  statically assigned.
 
  Now I would like to implement a dynamic vlan assignment on a per user
  basis; in this case the Macintosh I am using for test gets authenticated
  but is not able to get the ip address from DHCP (it shows as
  169.254.120.248), so remaining isolated.
 
  I carefully followed instructions (regarding the accesspoint and
  freeradius) and searched the web for a possible reason, but
  unsuccessfully.
 
  I am not sure the problem is not in the accesspoint configuration (a
  CISCO AP1131AG), anyway the accesspoint receives the indication to use
  the specified vlan.
 
 You want to post the contents of an Access-Accept so we can check you're
  sending the correct attributes
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 

Here you can download the (almost complete) debug log. Near the end I added a 
text to make evident when I disconnected.

http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

Thanks for your quick answer



Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
You are right, I know!
On Friday 19 July 2013 15:52:43 a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
  I am configuring my freeradius to be integrated in the EDUROAM
  federation. It works when the VLAN (as configured in the accesspoint) is
  statically assigned.
 
 there are hundreds of sites using this sort of configuration for eduroam -
  so it's perfectly possible and fine (and standard!) so you're going wrong
  somewhere.
 
 so, that's the peace of mind part.  where has it gone wrong?   well,
 firstly, is there DHCP etc on the VLAN this client is being dropped onto?
 have you tested the network? what happens if the AP only handles that VLAN?
 
The specific configuration works fine if I remove the following line from the users 
file:
Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

In this case the user is placed in VLAN 220 (the one statically configured in 
the access point).

 is this a 'fat/autonomous' AP? if so, then only latest firmware can handle
  multiple VLANS per 802.1X SSID with multiple BSSIDs present.

This could be the problem, I found something in the Cisco documentation but 
was unsure the problem could be this. The accesspoint is running

Cisco IOS Software, C1130 Software (C1130-K9W7-M), Version 12.4(10b)JDA3, 
RELEASE SOFTWARE (fc1)

I will try to verify what you say on the cisco site. My accesspoints are End 
Of Life, I do not know if any new IOS version has been developed to eventually 
correct the problem you say.

  are you
  returning ALL the VLAN attributes needed to assign the VLAN on the AP?  not
  JUST the VLAN number..name ah yes, are you sending NAME or VLAN in the
  VLAN tag?

number
 
 are you sending the replies from the tunnel = check eap.conf settings!

eap.conf (in peap stanza) says:

copy_request_to_tunnel = yes
use_tunneled_reply = yes


 
 debug output helps a lot so yes, send it.
 
 alan
 

Thanks for your directions (many)

Dario


Re: Dynamic vlan assignment

2013-07-19 Thread Arran Cudbard-Bell

On 19 Jul 2013, at 15:10, Dario Palmisano dario.palmis...@icgeb.org wrote:

 On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
 On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org wrote:
 Hello Everybody,
 
 I am configuring my freeradius to be integrated in the EDUROAM
 federation. It works when the VLAN (as configured in the accesspoint) is
 statically assigned.
 
 Now I would like to implement a dynamic vlan assignment on a per user
 basis; in this case the Macintosh I am using for test gets authenticated
 but is not able to get the ip address from DHCP (it shows as
 169.254.120.248), so remaining isolated.
 
 I carefully followed instructions (regarding the accesspoint and
 freeradius) and searched the web for a possible reason, but
 unsuccessfully.
 
 I am not sure the problem is not in the accesspoint configuration (a
 CISCO AP1131AG), anyway the accesspoint receives the indication to use
 the specified vlan.
 
 You want to post the contents of an Access-Accept so we can check you're
 sending the correct attributes
 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 
 
 Here you can download the (almost complete) debug log. Near the end I added a 
 text to make evident when I disconnected.
 
 http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

For everyone following along at home:

Sending Access-Accept of id 189 to 172.16.254.45 port 1645
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := 220
User-Name = palmi
MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
EAP-Message = 0x030a0004
Message-Authenticator = 0x

Which looks ok to me. I'm guessing VLAN 220 is actually configured on the NAS? 
Some also require you to send back 'Service-Type = Framed-User'.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

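
As an added example (not from the thread and not FreeRADIUS code), here is a Python check for the kind of Access-Accept shown above: it parses the attribute lines radiusd -X prints after "Sending Access-Accept", rejoins values that a mail archive wrapped onto the next line, and verifies that the three RFC 3580 VLAN attributes are present with the expected enumerated values and the same tag, flagging a missing Service-Type only as an advisory (Arran's "some also require" point). The sample output is constructed from the thread's accept with placeholder MPPE keys; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from the thread or from FreeRADIUS: parse the reply
# attributes that radiusd -X prints after "Sending Access-Accept" and check the
# RFC 3580 VLAN assignment attributes. Names below are this example's own.

Attr = Tuple[str, Optional[int], str]  # (name, tag, value)
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
EXPECTED_VALUES = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}

# "\tTunnel-Type:0 := VLAN" -> name, optional tag, operator, value
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(:=|\+=|=)\s*(.*?)\s*$")
END_MARKERS = ("Finished request", "Waking up", "rad_recv:", "Sending ")


def parse_access_accept(debug_text: str) -> List[Attr]:
    """Collect the attribute lines of the last Access-Accept in the debug text."""
    attrs: List[Attr] = []
    in_reply = False
    for line in debug_text.splitlines():
        if line.startswith("Sending Access-Accept"):
            in_reply, attrs = True, []
            continue
        if not in_reply:
            continue
        if not line.strip() or line.startswith(END_MARKERS):
            in_reply = False
            continue
        m = ATTR_RE.match(line)
        if m:
            name, tag, _op, value = m.groups()
            attrs.append((name, int(tag) if tag is not None else None, value))
        elif attrs:
            # a long value wrapped onto the next line (as in mail archives): rejoin it
            name, tag, value = attrs[-1]
            attrs[-1] = (name, tag, value + line.strip())
    return attrs


def check_vlan_reply(attrs: List[Attr]) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, problems, advisories) for VLAN assignment per RFC 3580."""
    problems: List[str] = []
    advisories: List[str] = []
    by_name: Dict[str, List[Tuple[Optional[int], str]]] = {}
    for name, tag, value in attrs:
        by_name.setdefault(name, []).append((tag, value))

    for name in REQUIRED:
        if name not in by_name:
            problems.append(f"missing {name}")
    for name, expected in EXPECTED_VALUES.items():
        for _tag, value in by_name.get(name, []):
            if value != expected:
                problems.append(f"{name} is {value!r}, expected {expected!r}")
    for _tag, value in by_name.get("Tunnel-Private-Group-Id", []):
        if not value:
            problems.append("Tunnel-Private-Group-Id is empty")
    # the NAS groups tunnel attributes by tag, so all three must carry the same one
    tags = {by_name[name][0][0] for name in REQUIRED if name in by_name}
    if len(tags) > 1:
        problems.append("tunnel tags differ across the VLAN attributes: "
                        + ", ".join(sorted(str(t) for t in tags)))
    if "Service-Type" not in by_name:
        advisories.append("no Service-Type in reply; some NAS models also want "
                          "Service-Type = Framed-User")
    return (not problems, problems, advisories)


# Constructed sample modelled on the Access-Accept in this thread; the MPPE keys
# are placeholders and one value is wrapped onto the next line, as in the archive.
SAMPLE_OK = """\
Sending Access-Accept of id 189 to 172.16.254.45 port 1645
\tTunnel-Type:0 := VLAN
\tTunnel-Medium-Type:0 := IEEE-802
\tTunnel-Private-Group-Id:0 := 220
\tUser-Name = palmi
\tMS-MPPE-Recv-Key =
0x00000000000000000000000000000000
\tMS-MPPE-Send-Key = 0x00000000000000000000000000000000
\tEAP-Message = 0x030a0004
\tMessage-Authenticator = 0x00000000000000000000000000000000
Finished request 189.
"""

# Constructed: only the VLAN number is returned ("not JUST the VLAN number")
SAMPLE_NUMBER_ONLY = """\
Sending Access-Accept of id 190 to 172.16.254.45 port 1645
\tTunnel-Private-Group-Id:0 := 220
\tService-Type = Framed-User
Finished request 190.
"""


if __name__ == "__main__":
    for label, sample in (("complete", SAMPLE_OK), ("number only", SAMPLE_NUMBER_ONLY)):
        ok, problems, advisories = check_vlan_reply(parse_access_accept(sample))
        print(f"{label}: ok={ok} problems={problems} advisories={advisories}")
```

Feeding it a saved radiusd -X run is the quickest way to confirm the reply itself is right before digging into AP firmware, which is where this thread ended up.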


Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

 The specific configuration works fine if I remove the following line from the users 
 file:
   Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

Tunnel-Type = VLAN, 
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 218


alan


Re: Dynamic vlan assignment

2013-07-19 Thread A . L . M . Buxey
Hi,

 Here you can download the (almost complete) debug log. Near the end I added a 
 text to make evident when I disconnected.
 
 http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en

please don't ask me to visit random web sites that require me to click on things 
etc.
just email the output to this list.

alan


Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
On Friday 19 July 2013 16:29:57 Arran Cudbard-Bell wrote:
 On 19 Jul 2013, at 15:10, Dario Palmisano dario.palmis...@icgeb.org wrote:
  On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
  On 19 Jul 2013, at 14:37, Dario Palmisano dario.palmis...@icgeb.org 
wrote:
  Hello Everybody,
 
  I am configuring my freeradius to be integrated in the EDUROAM
  federation. It works when the VLAN (as configured in the accesspoint)
  is statically assigned.
 
   Now I would like to implement a dynamic VLAN assignment on a per-user
   basis; in this case the Macintosh I am using for the test gets
   authenticated but is not able to get the IP address from DHCP (it shows as
   169.254.120.248), so it remains isolated.
 
  I carefully followed instructions (regarding the accesspoint and
  freeradius) and searched the web for a possible reason, but
  unsuccessfully.
 
  I am not sure the problem is not in the accesspoint configuration (a
  CISCO AP1131AG), anyway the accesspoint receives the indication to use
  the specified vlan.
 
  You want to post the contents of an Access-Accept so we can check you're
  sending the correct attributes
 
  Arran Cudbard-Bell a.cudba...@freeradius.org
  FreeRADIUS Development Team
 
 
  Here you can download the (almost complete) debug log. Near the end I
  added a text to make evident when I disconnected.
 
   http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en
 
 For everyone following along at home:
 
 Sending Access-Accept of id 189 to 172.16.254.45 port 1645
   Tunnel-Type:0 := VLAN
   Tunnel-Medium-Type:0 := IEEE-802
   Tunnel-Private-Group-Id:0 := 220
   User-Name = palmi
   MS-MPPE-Recv-Key =
  0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
  MS-MPPE-Send-Key =
  0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
  EAP-Message = 0x030a0004
   Message-Authenticator = 0x
 
 Which looks ok to me. I'm guessing VLAN 220 is actually configured on the
  NAS? Some also require you to send back 'Service-Type = Framed-User'.
Yes, VLAN 220 is assigned (statically) to the XXX-WPA SSID.

If the users file contains:

palmi   Huntgroup-Name == WIFI, Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-ID := 218

and I connect to SSID XXX-WPA (assigned in the access point to VLAN 220), it does 
not work. If I connect to SSID XXX-ER (assigned in the access point to VLAN 218) it 
works.

If the users file contains:

palmi   Huntgroup-Name == WIFI, Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-ID := 220

and I connect to SSID XXX-ER (assigned in the access point to VLAN 218), it does not 
work; if I connect to SSID XXX-WPA (assigned in the access point to VLAN 220), it 
works.

Modifying the users file as suggested:

palmi   Huntgroup-Name == WIFI, Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Service-Type := Framed-User,
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-ID := 220

did not change the result.




 
 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team
 
 



Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
On Friday 19 July 2013 16:54:13 a.l.m.bu...@lboro.ac.uk wrote:
 Hi,
 
  The specific configuration works fine if I remove the following line from the
  users file:
    Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218
 
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-ID = 218
 
 

Same result: I do not get the IP; it is isolated.
 
 alan
 



Re: Dynamic vlan assignment

2013-07-19 Thread Martin Kraus
On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
  is this a 'fat/autonomous' AP? if so, then only the latest firmware can handle
  multiple VLANs per 802.1X SSID with multiple BSSIDs present.
 
 This could be the problem, I found something in the Cisco documentation but 
 was unsure the problem could be this. The accesspoint is running

If you have mbssid configured on the AP then the user cannot be switched to a
VLAN other than the one bound to the SSID this user is connected to.

Can you actually check if/how the user is associated on the AP?

show dot11 associations

shows the associated clients, and

show dot11 associations <mac-address>

shows the specific client's detail information, including the VLAN.

mk


Re: Dynamic vlan assignment

2013-07-19 Thread Dario Palmisano
In the end, thanks to the list's suggestions, I found this sentence in the Cisco
docs:

Keep these guidelines in mind when configuring multiple BSSIDs:

•RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs.


So it seems not to be related to the IOS version, is it?

Is there any way to overcome this somehow, if not...

Thanks everybody for the kind cooperation

Best regards

Dario



 On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
   is this a 'fat/autonomous' AP? if so, then only the latest firmware can
   handle multiple VLANs per 802.1X SSID with multiple BSSIDs present.

  This could be the problem, I found something in the Cisco documentation
  but was unsure the problem could be this. The accesspoint is running

 If you have mbssid configured on the AP then the user cannot be switched to a
 VLAN other than the one bound to the SSID this user is connected to.


I have such a configuration!
 Can you actually check if/how the users is associated on the AP?

 show dot11 associations

 shows the associated clients and

 show dot11 associations mac address

 shows the specific client detail information including the vlan.

 mk





__

Dario Palmisano
ICGEB Computer System & Network Administrator

Tel:  +39 040 3757330
Fax:  +39 040 226555
E-Mail:   dario.palmis...@icgeb.org

International Centre for Genetic Engineering and Biotechnology
Area Science Park, Padriciano 99,  I-34149 Trieste, ITALY
__



Re: Dynamic vlan assignment

2013-07-19 Thread Alan Buxey
I'm sure there were some late-in-the-day IOS updates for the 1130 series AP; this 
stuff works with CAPWAP/LWAPP 1131 anyway. If MBSSID is not supported with 
dynamic VLAN assignment, then don't use MBSSID; use guest mode instead.

alan

Re: Dynamic vlan assignment with ldap groups

2013-07-16 Thread val john
Hi guys

I also had to set use_tunneled_reply = yes in eap.conf to get
dynamic VLAN assignment to work.


On 12 July 2013 19:42, val john valjohn1...@gmail.com wrote:

 Hi guys ,

 Small question: do I need to import the RADIUS LDAP schema (items like
 radiusprofiles) into our LDAP server to get this VLAN assignment to work?

 Thank You
 john


 On 12 July 2013 18:39, Arran Cudbard-Bell a.cudba...@freeradius.orgwrote:


 On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

  Hi guys,
 
  I have a FreeRADIUS setup that works with LDAP group authentication. I
  also need to configure dynamic VLAN assignment, so I configured the
  users file as follows:
 
  DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 100,
          Reply-Message = "You are Accepted"
 
  DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 200,
          Reply-Message = "You are Accepted"
 
  DEFAULT Auth-Type := Reject
 
 
  Do I need to edit any other configuration file to get VLAN assignment
  to work, or is just the users file enough?

 Just users file is fine.

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team




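An added example, not code from this thread or from FreeRADIUS: a Python model of how rlm_files merges users-file reply items, following the operator semantics documented in man 5 users (`=` adds an attribute only if the reply does not already have it, `:=` replaces it, `+=` appends another value; `==`/`!=` are check items, and a `:=` check item such as `Auth-Type := Reject` sets a control item). It shows why the operator matters once the reply already holds a value, which is exactly what `use_tunneled_reply = yes` (needed above) produces by the time a `files` instance runs in post-auth: `=` entries leave the inner tunnel's VLAN in place, `:=` entries override it. Everything in it is constructed: the entries (the users file above, in a `=` and a `:=` variant, reduced to one group), a request whose group membership is pre-resolved into an `Ldap-Group` attribute instead of being looked up in LDAP, and a reply pre-populated with a tunnelled VLAN 220.

```python
"""Model of rlm_files operator semantics for the users file (added example).

Not FreeRADIUS code: it re-implements what man 5 users documents for reply
items (`=` adds only if absent, `:=` replaces, `+=` appends) and for check
items (`==`/`!=` compare; `:=`/`=` set control items such as Auth-Type).
The entries, the request and the pre-populated reply below are constructed.
"""
import re

# one check or reply item: Attr op value, optionally quoted, optional trailing comma
ITEM_RE = re.compile(r'\s*([A-Za-z0-9-]+)\s*(:=|\+=|==|!=|=)\s*(?:"([^"]*)"|([^,]*?))\s*(?:,|$)')


def parse_items(text):
    return [(m.group(1), m.group(2), m.group(3) if m.group(3) is not None else m.group(4))
            for m in ITEM_RE.finditer(text)]


def parse_users(text):
    """An unindented line is 'name check-items'; indented lines are reply items."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            parts = re.split(r"\s+", raw.strip(), maxsplit=1)
            name, rest = parts[0], parts[1] if len(parts) > 1 else ""
            entries.append({"name": name, "checks": parse_items(rest), "replies": []})
        else:
            entries[-1]["replies"].extend(parse_items(raw))
    return entries


def check_items_match(checks, request):
    """Return the control items to set if every check item matches, else None.
    `==`/`!=` compare against the request; `:=`/`=` always match and take effect
    only once the whole entry has matched."""
    control_ops = []
    for attr, op, value in checks:
        have = request.get(attr, [])
        if (op == "==" and value not in have) or (op == "!=" and value in have):
            return None
        if op in (":=", "="):
            control_ops.append((attr, op, value))
        elif op not in ("==", "!="):
            raise ValueError(f"unsupported check operator {op}")
    return control_ops


def apply_reply_items(reply, items):
    for attr, op, value in items:
        if op == "=":
            reply.setdefault(attr, [value])           # only if the attribute is absent
        elif op == ":=":
            reply[attr] = [value]                      # replace whatever is there
        elif op == "+=":
            reply.setdefault(attr, []).append(value)   # always add another value
        else:
            raise ValueError(f"{op} is not a reply-item operator")


def process(entries, request, reply=None):
    """Walk entries in file order like rlm_files: DEFAULT or the User-Name, all
    check items true; apply the entry and stop unless Fall-Through = Yes."""
    reply = {k: list(v) for k, v in (reply or {}).items()}
    control = {}
    username = request.get("User-Name", [""])[0]
    for entry in entries:
        if entry["name"] not in ("DEFAULT", username):
            continue
        control_ops = check_items_match(entry["checks"], request)
        if control_ops is None:
            continue
        for attr, op, value in control_ops:
            if op == ":=" or attr not in control:
                control[attr] = value
        apply_reply_items(reply, entry["replies"])
        if reply.pop("Fall-Through", ["no"])[0].lower() not in ("yes", "1"):
            break
    return reply, control


# Constructed: the thread's file with `=` reply items, and the same file with `:=`.
USERS_EQ = """\
DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 100

DEFAULT Auth-Type := Reject
"""
USERS_SET = USERS_EQ.replace(" = ", " := ")

# Constructed: membership pre-resolved into Ldap-Group (rlm_ldap does this live),
# and a reply already holding the inner tunnel's VLAN, as use_tunneled_reply = yes
# leaves it before a post-auth `files` instance runs.
STAFF = {"User-Name": ["alice"], "Ldap-Group": ["cn=staff,ou=groups,dc=ldap,dc=example,dc=com"]}
GUEST = {"User-Name": ["mallory"], "Ldap-Group": []}
TUNNELED_REPLY = {"Tunnel-Type": ["VLAN"], "Tunnel-Medium-Type": ["IEEE-802"],
                  "Tunnel-Private-Group-Id": ["220"]}


def vlan_for(users_text, request, reply=None):
    """(Tunnel-Private-Group-Id or None, Auth-Type or None) after processing."""
    reply, control = process(parse_users(users_text), request, reply)
    return reply.get("Tunnel-Private-Group-Id", [None])[0], control.get("Auth-Type")
```

With an empty reply both variants assign VLAN 100, which is why a users file written with `=` looks fine under radtest or eapol_test without a tunnelled reply; only when the reply already carries the tunnelled 220 does the `=` variant silently keep it while `:=` overrides it. A user in no listed group matches neither group entry and falls through to `DEFAULT Auth-Type := Reject`.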

Dynamic vlan assignment with ldap groups

2013-07-12 Thread val john
Hi guys,

I have a FreeRADIUS setup that works with LDAP group authentication. I also
need to configure dynamic VLAN assignment, so I configured the users file as
follows:

DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 100,
        Reply-Message = "You are Accepted"

DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 200,
        Reply-Message = "You are Accepted"

DEFAULT Auth-Type := Reject


Do I need to edit any other configuration file to get VLAN assignment to
work, or is just the users file enough?

Please advise.

Thank You
John

Re: Dynamic vlan assignment with ldap groups

2013-07-12 Thread Arran Cudbard-Bell

On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

 Hi guys,
 
 I have a FreeRADIUS setup that works with LDAP group authentication. I also 
 need to configure dynamic VLAN assignment, so I configured the users 
 file as follows:
 
 DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 100,
         Reply-Message = "You are Accepted"
 
 DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 200,
         Reply-Message = "You are Accepted"
 
 DEFAULT Auth-Type := Reject
 
 
 Do I need to edit any other configuration file to get VLAN assignment 
 to work, or is just the users file enough?

Just users file is fine.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: Dynamic vlan assignment with ldap groups

2013-07-12 Thread val john
Hi guys ,

Small question: do I need to import the RADIUS LDAP schema (items like
radiusprofiles) into our LDAP server to get this VLAN assignment to work?

Thank You
john


On 12 July 2013 18:39, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:


 On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

  Hi guys,
 
  I have a FreeRADIUS setup that works with LDAP group authentication. I
  also need to configure dynamic VLAN assignment, so I configured the
  users file as follows:
 
  DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 100,
          Reply-Message = "You are Accepted"
 
  DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
          Tunnel-Type = VLAN,
          Tunnel-Medium-Type = IEEE-802,
          Tunnel-Private-Group-Id = 200,
          Reply-Message = "You are Accepted"
 
  DEFAULT Auth-Type := Reject
 
 
  Do I need to edit any other configuration file to get VLAN assignment
  to work, or is just the users file enough?

 Just users file is fine.

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team



Re: Active Directory + LDAP + groups for dynamic VLAN assignment

2013-01-10 Thread Michael Schwartzkopff
Am Mittwoch, 9. Januar 2013, 16:51:22 schrieb Matthew Ceroni:
 Hi:
 
 I am using FreeRadius version 2.1.12 on CentOS6.
 
 I am authenticating against Active Directory (that works). And authorizing
 against LDAP (that works as well).
 
 I am trying to return attributes, used for VLAN assignment, based on the
 usersDN.
 
 In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the
 following
 
 
 #
 #  The ldap module will set Auth-Type to LDAP if it has not
 #  already been set
 ldap
 if (control:Ldap-UserDn =~ /OU=QA/) {
         update reply {
                 Tunnel-Type:1 := 13
                 Tunnel-Medium-Type:1 := 6
                 Tunnel-Private-Group-Id:1 := 7
         }
 }
 elsif (control:Ldap-UserDn =~ /OU=IT/) {
         update reply {
                 Tunnel-Type:1 := 13
                 Tunnel-Medium-Type:1 := 6
                 Tunnel-Private-Group-Id:1 := 2
         }
 }
 else {
         update reply {
                 Tunnel-Type:1 := 13
                 Tunnel-Medium-Type:1 := 6
                 Tunnel-Private-Group-Id:1 := 21
         }
 }
 
 In the authorize section. That works, when authorize is done it queries
 LDAP successfully.
 
 Looking through the radius debug I see the IF statements processing:
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0,
 length=122
 User-Name = mceroni
 NAS-IP-Address = 127.0.0.1
 Calling-Station-Id = 02-00-00-00-00-01
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 Connect-Info = CONNECT 11Mbps 802.11b
 EAP-Message = 0x020c016d6365726f6e69
 Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558
 # Executing section authorize from file /etc/raddb/sites-enabled/default
 +- entering group authorize {...}
 ++[preprocess] returns ok
 ++[chap] returns noop
 ++[mschap] returns noop
 ++[digest] returns noop
 [suffix] No '@' in User-Name = mceroni, looking up realm NULL
 [suffix] No such realm NULL
 ++[suffix] returns noop
 [ntdomain] No '\' in User-Name = mceroni, looking up realm NULL
 [ntdomain] No such realm NULL
 ++[ntdomain] returns noop
 [eap] EAP packet type response id 0 length 12
 [eap] No EAP Start, assuming it's an on-going EAP conversation
 ++[eap] returns updated
 ++[files] returns noop
 [ldap] performing user authorization for mceroni
 [ldap]  expand: %{Stripped-User-Name} ->
 [ldap]  ... expanding second conditional
 [ldap]  expand: %{User-Name} -> mceroni
 [ldap]  expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=mceroni)
 [ldap]  expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail OU,dc=clairmail,dc=local
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] attempting LDAP reconnection
   [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0
   [ldap] bind as svnadmin@clairmail.local/iBis93sLit+ to
 cmad01.clairmail.local:389
   [ldap] waiting for bind result ...
   [ldap] Bind was successful
   [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with
 filter (samAccountName=mceroni)
 [ldap] looking for check items in directory...
 [ldap] looking for reply items in directory...
 WARNING: No known good password was found in LDAP.  Are you sure that the
 user is configured correctly?
 [ldap] user mceroni authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
 ++[ldap] returns ok
 ++? if (control:Ldap-UserDn =~ /OU=QA/)
 ? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
 ++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
 ++? elsif (control:Ldap-UserDn =~ /OU=IT/)
 ? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
 ++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
 ++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}
 +++[reply] returns ok
 
 And it appears to set the attributes:
 
 +[pap] returns noop
 ++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/)
 expand: %{request:User-Name} -> mceroni
 ? Evaluating (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
 ++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
 Found Auth-Type = EAP
 # Executing group from file /etc/raddb/sites-enabled/default
 +- entering group authenticate {...}
 [eap] EAP Identity
 [eap] processing type tls
 [tls] Initiate
 [tls] Start returned 1
 ++[eap] returns handled
 Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
 Tunnel-Type:1 = VLAN
 Tunnel-Medium-Type:1 = IEEE-802
 Tunnel-Private-Group-Id:1 = 2
 EAP-Message = 0x010100061920
 Message-Authenticator = 0x
 State = 0x2a1689d42a17904c9b87561fac99b7b3
 Finished request 0.
 Going to the next request
 Waking up in 4.9 seconds.
 rad_recv: Access-Request packet from 

Active Directory + LDAP + groups for dynamic VLAN assignment

2013-01-09 Thread Matthew Ceroni
Hi:

I am using FreeRadius version 2.1.12 on CentOS6.

I am authenticating against Active Directory (that works). And authorizing
against LDAP (that works as well).

I am trying to return attributes, used for VLAN assignment, based on the
usersDN.

In my /etc/raddb/sites-enabled/default (and inner-tunnel) I have the
following


#
#  The ldap module will set Auth-Type to LDAP if it has not
#  already been set
ldap
if (control:Ldap-UserDn =~ /OU=QA/) {
        update reply {
                Tunnel-Type:1 := 13
                Tunnel-Medium-Type:1 := 6
                Tunnel-Private-Group-Id:1 := 7
        }
}
elsif (control:Ldap-UserDn =~ /OU=IT/) {
        update reply {
                Tunnel-Type:1 := 13
                Tunnel-Medium-Type:1 := 6
                Tunnel-Private-Group-Id:1 := 2
        }
}
else {
        update reply {
                Tunnel-Type:1 := 13
                Tunnel-Medium-Type:1 := 6
                Tunnel-Private-Group-Id:1 := 21
        }
}

In the authorize section. That works, when authorize is done it queries
LDAP successfully.

Looking through the radius debug I see the IF statements processing:

rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=0,
length=122
User-Name = mceroni
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = CONNECT 11Mbps 802.11b
EAP-Message = 0x020c016d6365726f6e69
Message-Authenticator = 0xc429bf6a61dfc3cf27f1b6dc84f4e558
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = mceroni, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[ntdomain] No '\' in User-Name = mceroni, looking up realm NULL
[ntdomain] No such realm NULL
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for mceroni
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} -> mceroni
[ldap]  expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=mceroni)
[ldap]  expand: ou=Clairmail OU,dc=clairmail,dc=local -> ou=Clairmail OU,dc=clairmail,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to cmad01.clairmail.local:389, authentication 0
  [ldap] bind as svnadmin@clairmail.local/iBis93sLit+ to
cmad01.clairmail.local:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in ou=Clairmail OU,dc=clairmail,dc=local, with
filter (samAccountName=mceroni)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user mceroni authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++? if (control:Ldap-UserDn =~ /OU=QA/)
? Evaluating (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
++? if (control:Ldap-UserDn =~ /OU=QA/) -> FALSE
++? elsif (control:Ldap-UserDn =~ /OU=IT/)
? Evaluating (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
++? elsif (control:Ldap-UserDn =~ /OU=IT/) -> TRUE
++- entering elsif (control:Ldap-UserDn =~ /OU=IT/) {...}
+++[reply] returns ok

And it appears to set the attributes:

+[pap] returns noop
++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/)
expand: %{request:User-Name} -> mceroni
? Evaluating (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
++? if (%{request:User-Name} =~ /^host\/(.*).clairmail.local$/) -> FALSE
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 = 2
EAP-Message = 0x010100061920
Message-Authenticator = 0x
State = 0x2a1689d42a17904c9b87561fac99b7b3
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 48400, id=1,
length=250
User-Name = mceroni
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = 02-00-00-00-00-01
Framed-MTU = 1400
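An added example, not code from this thread, from the Cisco MBSSID thread above, or from FreeRADIUS: a small Python audit of `radiusd -X` output in the format pasted in both threads. For every Access-Accept it checks the RFC 3580 VLAN triplet (Tunnel-Type VLAN/13, Tunnel-Medium-Type IEEE-802/6, Tunnel-Private-Group-Id, all three carrying the same tag), so an accept like the one above that passes the check tells you to look at the NAS rather than the server. It flags Tunnel-* attributes that appear in an Access-Challenge, which is what the log above shows when they are set in authorize instead of post-auth. It also reports `[ldap] bind as identity/password to host` lines, because the debug output above prints the LDAP bind password in clear and a capture should be scrubbed before it is pasted to a list. The sample log is constructed; the user, hosts and credential in it are placeholders.

```python
"""Audit radiusd -X output for the RFC 3580 VLAN triplet (added example; not
FreeRADIUS code). The sample log is constructed; user, hosts and the bind
credential in it are placeholders."""
import re

# RFC 3580 s.3.31: Tunnel-Type VLAN (13), Tunnel-Medium-Type IEEE-802 (6).
# The debug output prints the names; a users file may use the numbers.
VLAN_TYPE = {"VLAN", "13"}
MEDIUM_802 = {"IEEE-802", "6"}
TRIPLET = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

SENDING_RE = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port \d+")
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(:=|\+=|=)\s*(.*)$")
# rlm_ldap in debug mode prints the bind identity *and* the bind password.
BIND_RE = re.compile(r"\[ldap\] bind as (\S+)/\S+ to (\S+)")


def parse_debug(text):
    """Return (reply packets, leaked binds). A packet is a dict with code, id,
    nas and attrs = [(name, tag or None, value)]; a bind is (identity, server)."""
    packets, binds, current = [], [], None
    for line in text.splitlines():
        m = SENDING_RE.match(line)
        if m:
            current = {"code": m.group(1), "id": int(m.group(2)), "nas": m.group(3), "attrs": []}
            packets.append(current)
            continue
        b = BIND_RE.search(line)
        if b:
            binds.append((b.group(1), b.group(2)))
            continue
        a = ATTR_RE.match(line) if current else None
        if a:
            name, tag, _op, value = a.groups()
            current["attrs"].append((name, int(tag) if tag is not None else None, value.strip()))
        else:
            current = None  # anything but an attribute line ends the dump
    return packets, binds


def check_vlan_reply(pkt):
    """Findings for one reply; [] means the triplet is well formed or absent
    (absent: the NAS keeps its statically configured VLAN)."""
    tunnel = {}
    for name, tag, value in pkt["attrs"]:
        if name.startswith("Tunnel-"):
            tunnel.setdefault(name, (tag, value))
    if not tunnel:
        return []
    where = f"{pkt['code']} id {pkt['id']}"
    if pkt["code"] != "Access-Accept":
        # Tunnel-* in a Challenge means they were set in authorize: the NAS
        # ignores them there and they are re-sent on every EAP round trip.
        return [f"{where} carries Tunnel-* attributes (set them in post-auth, not authorize)"]
    missing = [n for n in TRIPLET if n not in tunnel]
    if missing:
        return [f"{where} lacks {', '.join(missing)}"]
    findings = []
    for name, allowed, want in (("Tunnel-Type", VLAN_TYPE, "VLAN"),
                                ("Tunnel-Medium-Type", MEDIUM_802, "IEEE-802")):
        if tunnel[name][1] not in allowed:
            findings.append(f"{where}: {name} is {tunnel[name][1]}, not {want}")
    tags = {tunnel[n][0] for n in TRIPLET}
    if len(tags) > 1:
        # the NAS groups the three attributes by tag; mixed tags means no VLAN
        findings.append(f"{where}: tags differ across the VLAN triplet: {sorted(map(str, tags))}")
    return findings


def audit(text):
    """Summarise a capture: findings, leaked bind identities, VLAN per Access-Accept."""
    packets, binds = parse_debug(text)
    findings, vlans = [], {}
    for pkt in packets:
        findings.extend(check_vlan_reply(pkt))
        for name, _tag, value in pkt["attrs"]:
            if pkt["code"] == "Access-Accept" and name == "Tunnel-Private-Group-Id":
                vlans[pkt["id"]] = value
    return {"findings": findings, "leaked_binds": binds, "vlans": vlans}


# Constructed sample in the format of the two logs pasted in these threads.
SAMPLE_DEBUG = """\
  [ldap] bind as svc-radius@example.local/S3cretPassw0rd to dc01.example.local:389
Sending Access-Challenge of id 0 to 127.0.0.1 port 48400
\tTunnel-Type:1 = VLAN
\tTunnel-Medium-Type:1 = IEEE-802
\tTunnel-Private-Group-Id:1 = 2
\tEAP-Message = 0x010100061920
Finished request 0.
Sending Access-Accept of id 189 to 192.0.2.45 port 1645
\tTunnel-Type:0 := VLAN
\tTunnel-Medium-Type:0 := IEEE-802
\tTunnel-Private-Group-Id:0 := 220
Finished request 1.
Sending Access-Accept of id 190 to 192.0.2.45 port 1645
\tTunnel-Type:1 := VLAN
\tTunnel-Medium-Type:0 := IEEE-802
\tTunnel-Private-Group-Id:1 := 220
Finished request 2.
"""
```

Run `audit()` over a saved `radiusd -X` capture: an accept with a consistent triplet and no findings means the server side is done and the problem is on the NAS (a statically bound SSID, MBSSID, or a VLAN that does not exist on the switch port); the bind line is reported by identity and server only, never the password itself.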

LDAP Groups and Dynamic VLAN assignment

2011-07-27 Thread stich86
Hi guys,

I want to assign VLANs based on group entries and users on the LDAP server.
Actually my schema is divided in this way:

ou=groups
-- cn=admin-vlan (with radiusProfile and items to set the VLAN ID)
-- cn=dev-vlan
ou=people
-- cn=testusers (that is a uniqueMember of admin-vlan)

The only configuration that works is:

ldap conf:


ldap server1 {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "x.x.x.x"
        identity = "cn=Administrator,dc=mydomain,dc=com"
        password = passs
        basedn = "dc=mydomain,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
}

users file:

DEFAULT Ldap-Group == admin-vlan
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 10

DEFAULT Ldap-Group == dev-vlan
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 9

DEFAULT LDAP-Group != admin-vlan, Auth-Type := Reject
DEFAULT LDAP-Group != dev-vlan, Auth-Type := Reject

Is there a possibility to get Tunnel-Private-Group-ID and the others from the
LDAP groups and not the users file?

I've read docs/rlm_ldap many times but can't get out of this problem :(

Is it possible to do this configuration in conjunction with a redundant LDAP
configuration?

thanks!






Re: LDAP Groups and Dynamic VLAN assignment

2011-07-27 Thread Alexander Clouter
stich86 stic...@gmail.com wrote:
 
 Is there a possibility to get Tunnel-Private-Group-ID and the others from the
 LDAP groups and not the users file?
 
 I've read docs/rlm_ldap many times but can't get out of this problem :(

Next time, try the freeradius-users@ archive too (true of *any* mailing 
list)?
 
 Is it possible to do this configuration in conjunction with redundant ldap
 configuration??
 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg71133.html

Cheers

-- 
Alexander Clouter
.sigmonster says: Is there life before breakfast?



Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-25 Thread Alexander Clouter
schilling schilling2...@gmail.com wrote:

 Thanks a lot.
 
 More questions.
 
 If you want to lower the load (and authentication latency) on your AD
 servers then you might want to look at the following too:
 
 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

First things first, did you get it all working?  If not, start there.  
When I say 'lower the load', all it does is reduce the number of EAP 
packets from about 12 to 4 that are needed for a session resumption; but 
also means you only need two LDAP lookups rather that 12.  So your AD 
load will go from 0.01 to 0.01 or something.  I am bigging 
up the numbers more than it is worth (although the latency bit is 
possibly handy for roaming devices).
 
 I am trying to follow your comment on this.  I now realized we used to
 run eDir and now converted to iplanet directory. Anyway, do I still
 need to enable the compilation --with-edir option as stated below? My
 guess is yes since otherwise, I could not call ldap in the post-auth
 section in auth virtual server for eap.
 ##etc/raddb/modules/ldap
 #  Un-comment the following to disable Novell
 #  eDirectory account policy check and intruder
 #  detection. This will work *only if* FreeRADIUS is
 #  configured to build with --with-edir option.
 #
 #edir_account_policy_check = no
 
 What I want to do is just to check some attribute in our ldap server,
 our structure is like the following:
 # extended LDIF
 #
 # LDAPv3
 # base ou=people,dc=foo,dc=edu with scope subtree
 # filter: uid=sding
 # requesting: ALL
 #
 
 # sding, People, foo.edu
 dn: uid=sding,ou=People,dc=foo,dc=edu
 ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
 fooEduPSHRdeptName: Information Technology Service (ITS)
 fooEduPSHRDepartmentNumber: 123456
 fooEduEmployeeStatus: Active
 employeeStatus: Active
 uid: sding
 
The eDir bits are probably not needed as you are using mschap with 
those 'ntPassword' attributes.  eDir has 'universal password' which is a 
sales monkey's way of saying the password is available in plaintext if 
required.  Sounds to me like you do not currently have the FreeRADIUS setup 
working the way you want it to?

 I would like to cache the following attribut/value in your example
 cache_ldap-userdn.pm, so I can use these values as logic to assign
 user to different VLANs.  Can I do that in your pm?
 fooEduPSHRdeptName: Information Technology Service (ITS)
 fooEduPSHRDepartmentNumber: 123456
 fooEduEmployeeStatus: Active
 employeeStatus: Active
 
Looks like 'employeeStatus' should go in as part of your user filter, 
but to do the others I would need to generalise my Perl module.  Easily 
done, but I'm not going to do it before I know you actually have it already 
working. :)

/me pats sigmonster and gives it a cookie

Cheers

-- 
Alexander Clouter
.sigmonster says: Success is a journey, not a destination.



Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-25 Thread schilling
I believe I resolved this.  I used eapol_test to get all wanted
result, and will try on real NAS later on.

The following is what I did. Basically I followed Alexander's example,
Modified peap section in eap.conf to use another virtual server auth
instead of inner-tunnel virtual server.  I almost blindly copied
Alexander's example in auth server except I removed the reject for the
realm checks.

The ldap cache pm is not needed in my case since I do not query
windows AD via LDAP to get their attributes. If I want to do ldap
after ntlm against AD, then Alexander's pm might be needed.

Then I want to map certain attribute like employeeStatus from our
iPlanet ldap server to some radius attribute, so I can manipulate it
in the post-auth section.
I put the following line in etc/raddb/dictionary:
ATTRIBUTE   My-Local-employeeStatus   3000   string

and the following line in etc/raddb/ldap.attrmap:
#FOO specific attributes
replyItem   My-Local-employeeStatus   employeeStatus

Without these two additions, radius will complain about an unknown attribute.

Then in the post-auth section

# default will have no Tunnel attribute/value; instead, they will be
# configured on the NAS to go to student VLANs.

# this will cover my ldap ntPassword authentication/authorization
# facstaff have employeeStatus set while students do not
if ( %{User-Name} =~ /@/ && %{reply:My-Local-employeeStatus} ) {
        update reply {
                Service-Type = Framed-User
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = facstaff
        }
}
# this will cover my AD ntlm auth; people in AD are all facstaff
if ( %{User-Name} !~ /@/ ) {
        update reply {
                Service-Type = Framed-User
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = facstaff
        }
}

In this way, people can map arbitrary attributes from LDAP to RADIUS; if
they are not in dictionary/ldap.attrmap, then just define your own. Then
you have the flexibility of using these attribute/values in your logic in
the post-auth section.

Thanks all for the hints and help!

Schilling




On Tue, Jan 25, 2011 at 4:23 AM, Alexander Clouter a...@digriz.org.uk wrote:
 schilling schilling2...@gmail.com wrote:

 Thanks a lot.

 More questions.

 If you want to lower the load (and authentication latency) on your AD
 servers then you might want to look at the following too:

 http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

 First things first, did you get it all working?  If not, start there.
 When I say 'lower the load', all it does is reduce the number of EAP
 packets from about 12 to 4 that are needed for a session resumption; but
 also means you only need two LDAP lookups rather that 12.  So your AD
 load will go from 0.01 to 0.01 or something.  I am bigging
 up the numbers more than it is worth (although the latency bit is
 possibly handy for roaming devices).

 I am trying to follow your comment on this.  I now realized we used to
 run eDir and now converted to iplanet directory. Anyway, do I still
 need to enable the compilation --with-edir option as stated below? My
 guess is yes since otherwise, I could not call ldap in the post-auth
 section in auth virtual server for eap.
 ##etc/raddb/modules/ldap
 #  Un-comment the following to disable Novell
 #  eDirectory account policy check and intruder
 #  detection. This will work *only if* FreeRADIUS is
 #  configured to build with --with-edir option.
 #
 #edir_account_policy_check = no

 What I want to do is just to check some attribute in our ldap server,
 our structure is like the following:
 # extended LDIF
 #
 # LDAPv3
 # base ou=people,dc=foo,dc=edu with scope subtree
 # filter: uid=sding
 # requesting: ALL
 #

 # sding, People, foo.edu
 dn: uid=sding,ou=People,dc=foo,dc=edu
 ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
 fooEduPSHRdeptName: Information Technology Service (ITS)
 fooEduPSHRDepartmentNumber: 123456
 fooEduEmployeeStatus: Active
 employeeStatus: Active
 uid: sding

 The eDir bits are probably not needed as you are using mschap with
 those 'ntPassword' attributes.  eDir has 'universal password' which is a
 sales monkey's way of saying the password is available in plaintext if
 required.  Sounds to me like you do not currently have the FreeRADIUS setup
 working the way you want it to?

 I would like to cache the following attribut/value in your example
 cache_ldap-userdn.pm, so I can use these values as logic to assign
 user to different VLANs.  Can I do that in your pm?
 fooEduPSHRdeptName: Information Technology Service (ITS)
 fooEduPSHRDepartmentNumber: 123456
 fooEduEmployeeStatus: Active
 employeeStatus: Active

 Looks like 

Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-24 Thread schilling
Hi Alexander,

I am trying to play with your configuration, basically I have a
virtual server call auth as your example, and modified my eap.conf for
peap to use auth.

What's config:local.MY.realm? My debug showed:

[suffix] Looking up realm foo.edu for User-Name = sd...@foo.edu
[suffix] Found realm foo.edu
[suffix] Adding Stripped-User-Name = sding
[suffix] Adding Realm = foo.edu
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++? if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} )
?? Evaluating (outer.request:EAP-Message) -> TRUE
expand: local.MY.realm -> local.MY.realm
WARNING: No such configuration item local.MY.realm
expand: %{config:local.MY.realm} -> 
? Evaluating (Realm != %{config:local.MY.realm} ) -> TRUE
++? if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} ) -> TRUE
++- entering if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} ) {...}
expand: Realm is '%{Realm}' on Inside -> Realm is 'foo.edu' on Inside
+++[outer.reply] returns ok
+++[reject] returns reject
++- if (( outer.request:EAP-Message) && Realm != %{config:local.MY.realm} ) returns reject
} # server auth

Thanks,

Schilling



On Fri, Jan 21, 2011 at 3:49 AM, Alexander Clouter a...@digriz.org.uk wrote:
 schilling schilling2...@gmail.com wrote:

 Where should I put the perl script? I already have a perl module for
 another virtual server to use radscript.

 I also tried unlang in post-auth, like
 if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
         update outer.reply {
                 Service-Type = Framed-User
                 Tunnel-Type = VLAN
                 Tunnel-Medium-Type = IEEE-802
                 Tunnel-Private-Group-Id = facstaff
         }
 }

 I cannot recommend more *not* to do your authorisation in the inner
 tunnel, and instead to pass it back on out.  There are a number of
 reasons, clarity including, but especially you then can make use of the
 reject path...

 In case it helps, this is what we (a small-medium university in the
 UK) do.  In our eap block we set (we use TTLS, however it should be the
 same for PEAP):
 
 eap {
        ...

        ttls {
                ...
                copy_request_to_tunnel = no
                use_tunneled_reply = yes
                virtual_server = auth
        }

        ...
 }

 Then we have a 'auth' virtual server:
 
 server auth {
        authorize {
                if ((outer.request:EAP-Message)) {
                        update outer.request {
                                User-Name := "%{request:User-Name}"
                        }
                        update reply {
                                User-Name := "%{request:User-Name}"
                        }
                }

                validate_username

                suffix

                if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") {
                        update outer.reply {
                                Reply-Message := "Realm is '%{Realm}' on Inside"
                        }
                        reject
                }

                # if the password is passed to us use it, otherwise yank it from LDAP
                if ((outer.request:Cleartext-Password)) {
                        update control {
                                Cleartext-Password := "%{outer.request:Cleartext-Password}"
                        }
                }
                else {
                        ldap-login

                        # some accounts are glitched and do not have a UP :(
                        if (ok && !(control:Cleartext-Password)) {
                                update outer.reply {
                                        Reply-Message := "No eDirectory UP"
                                }
                                reject
                        }
                }

                pap
                chap
                mschap

                update reply {
                        Auth-Type := "%{control:Auth-Type}"
                }
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
                Auth-Type MSCHAP {
                        mschap
                }
        }
 }
 

 We are 'blessed' with Novhell, so 'ldap-login' populates
 Cleartext-Password from eDirectory if present; your approach would be
 different (the interesting bit is if you set
 'request:Cleartext-Password' in your outer layer before calling 'eap',
 which is a handy hook for a NAGIOS RADIUS check, letting you test
 authentication with eapol_test[1] and remove the AD component from the
 equation).

 Once the 'auth' virtual server finishes, you will find in the outer
 layer for *successful* authentications, 

Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-24 Thread Phil Mayers

On 01/24/2011 08:35 PM, schilling wrote:

Hi Alexander,

I am trying to play with your configuration, basically I have a
virtual server call auth as your example, and modified my eap.conf for
peap to use auth.

what's the config:local.MY.realm? My debug showed


FreeRadius lets you write *any* config hierarchy object, and re-use it 
elsewhere; in radiusd.conf (or maybe an include) put:


local {
  MY {
    realm = x.x
  }
}


Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-24 Thread Alexander Clouter
schilling schilling2...@gmail.com wrote:
 
 I am trying to play with your configuration, basically I have a
 virtual server call auth as your example, and modified my eap.conf for
 peap to use auth.
 
 what's the config:local.MY.realm? My debug showed

Phil pretty much covered it (and in a neater manner I was not aware 
could be used, but it is obvious now seeing it...), I put all the 'local 
site' specific details into a single configuration file (including 
SQL/LDAP binding credentials) so that if I want to give someone a copy 
of my config, all I have to really do is trim the 'local' file and know I 
have not leaked anything important.

For example, just after '$INCLUDE clients.conf' in the main radiusd.conf 
file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file 
is:

local.MY.hostname   = iodine.it.soas.ac.uk
local.MY.addr.v6= 2001:630:1b:6004:168c:9d91:127f:bb0c
local.MY.addr.v4= 212.219.138.70

local.MY.realm  = soas.ac.uk

local.addr.v6   = 2001:630:1b:1001:624a::15bb
local.addr.v4   = 193.63.73.37

local.test.username = test-username
local.test.password = [ahem]

local.ldap.server.1 = ldap1.soas.ac.uk
local.ldap.server.2 = ldap2.soas.ac.uk
local.ldap.username = cn=cheese,ou=is,o=tasty
local.ldap.password = NOM

local.sql.server= sql.soas.ac.uk
local.sql.username  = radius-username
local.sql.password  = oh-so-very-secret

local.cert.password = omg-do-not-tell-anyones

[snipped]

$INCLUDE ${confdir}/LOCAL/templates.conf

$INCLUDE ${confdir}/LOCAL/policy.conf

$INCLUDE ${confdir}/LOCAL/proxy.conf

$INCLUDE ${confdir}/LOCAL/clients/


Cheers

-- 
Alexander Clouter
.sigmonster says: Riches cover a multitude of woes.
-- Menander



Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-24 Thread schilling
Thanks a lot.

More questions.

If you want to lower the load (and authentication latency) on your AD
servers then you might want to look at the following too:

http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

I am trying to follow your comment on this.  I now realized we used to
run eDir and now converted to iplanet directory. Anyway, do I still
need to enable the compilation --with-edir option as stated below? My
guess is yes since otherwise, I could not call ldap in the post-auth
section in auth virtual server for eap.
##etc/raddb/modules/ldap
#  Un-comment the following to disable Novell
#  eDirectory account policy check and intruder
#  detection. This will work *only if* FreeRADIUS is
#  configured to build with --with-edir option.
#
#edir_account_policy_check = no

What I want to do is just to check some attributes in our ldap server;
our structure is like the following:
# extended LDIF
#
# LDAPv3
# base ou=people,dc=foo,dc=edu with scope subtree
# filter: uid=sding
# requesting: ALL
#

# sding, People, foo.edu
dn: uid=sding,ou=People,dc=foo,dc=edu
ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active
uid: sding

I would like to cache the following attribute/value pairs in your example
cache_ldap-userdn.pm, so I can use these values as logic to assign
users to different VLANs.  Can I do that in your pm?
fooEduPSHRdeptName: Information Technology Service (ITS)
fooEduPSHRDepartmentNumber: 123456
fooEduEmployeeStatus: Active
employeeStatus: Active

Thanks,

Schilling







On Mon, Jan 24, 2011 at 4:38 PM, Alexander Clouter a...@digriz.org.uk wrote:
 schilling schilling2...@gmail.com wrote:

 I am trying to play with your configuration, basically I have a
 virtual server call auth as your example, and modified my eap.conf for
 peap to use auth.

 what's the config:local.MY.realm? My debug showed

 Phil pretty much covered it (and in a neater manner I was not aware
 could be used, but it is obvious now seeing it...), I put all the 'local
 site' specific details into a single configuration file (including
 SQL/LDAP binding credentials) so that if I want to give someone a copy
 of my config, all I have to really do is trim the 'local' file and know I
 have not leaked anything important.

 For example, just after '$INCLUDE clients.conf' in the main radiusd.conf
 file I add '$INCLUDE LOCAL/local.conf' and that LOCAL/local.conf file
 is:
 
 local.MY.hostname               = iodine.it.soas.ac.uk
 local.MY.addr.v6                = 2001:630:1b:6004:168c:9d91:127f:bb0c
 local.MY.addr.v4                = 212.219.138.70

 local.MY.realm                  = soas.ac.uk

 local.addr.v6                   = 2001:630:1b:1001:624a::15bb
 local.addr.v4                   = 193.63.73.37

 local.test.username             = test-username
 local.test.password             = [ahem]

 local.ldap.server.1             = ldap1.soas.ac.uk
 local.ldap.server.2             = ldap2.soas.ac.uk
 local.ldap.username             = cn=cheese,ou=is,o=tasty
 local.ldap.password             = NOM

 local.sql.server                = sql.soas.ac.uk
 local.sql.username              = radius-username
 local.sql.password              = oh-so-very-secret

 local.cert.password             = omg-do-not-tell-anyones

 [snipped]

 $INCLUDE ${confdir}/LOCAL/templates.conf

 $INCLUDE ${confdir}/LOCAL/policy.conf

 $INCLUDE ${confdir}/LOCAL/proxy.conf

 $INCLUDE ${confdir}/LOCAL/clients/
 

 Cheers

 --
 Alexander Clouter
 .sigmonster says: Riches cover a multitude of woes.
                                -- Menander





Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-22 Thread schilling
I have the following questions for using perl though. Since I already
use LDAP or ntlm_auth for inner-tunnel mschapv0 authentication, will
there be any flag set so I can know whether LDAP or ntlm_auth is being used
for mschapv0 authentication in the perl script? Also, if I need to check
ldap/AD for certain attributes in the perl script, do I need to make
another call to them via LDAP in the perl module?  Where should I put
the perl script?

Many Thanks,

Schilling

On Thu, Jan 20, 2011 at 2:15 PM, Alan DeKok al...@deployingradius.com wrote:
 schilling wrote:
Basically, I want to achieve
 If (ldap authorization) {
     if (ldap.employeeStatus = facstaff) {
         REPLY{'Service-Type'}            = Framed-User;
         REPLY{'Tunnel-Type'}             = VLAN;
         REPLY{'Tunnel-Medium-Type'}      = IEEE-802;
         REPLY{'Tunnel-Private-Group-Id'} = facstaff;
     } else { # no ldap.employeeStatus attribute or ldap.employeeStatus

  You can put pretty much that into a Perl script, or into unlang.

 What's the easiest way to accomplish this? unlang? perl module? Where to 
 start?

  I'd write a Perl script first.

  Alan DeKok.





Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-21 Thread Alexander Clouter
schilling schilling2...@gmail.com wrote:

 Where should I put the perl script? I already have a perl module for
 another virtual server to use radscript.
 
 I also tried unlang in post-auth, like
 if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
         update outer.reply {
                 Service-Type = Framed-User
                 Tunnel-Type = VLAN
                 Tunnel-Medium-Type = IEEE-802
                 Tunnel-Private-Group-Id = facstaff
         }
 }

I cannot recommend more *not* to do your authorisation in the inner 
tunnel, and instead to pass it back on out.  There are a number of 
reasons, clarity including, but especially you then can make use of the 
reject path...

In case it helps, this is what we (a small-medium university in the 
UK) do.  In our eap block we set (we use TTLS, however it should be the 
same for PEAP):

eap {
        ...

        ttls {
                ...
                copy_request_to_tunnel = no
                use_tunneled_reply = yes
                virtual_server = auth
        }

        ...
}

Then we have a 'auth' virtual server:

server auth {
        authorize {
                if ((outer.request:EAP-Message)) {
                        update outer.request {
                                User-Name := "%{request:User-Name}"
                        }
                        update reply {
                                User-Name := "%{request:User-Name}"
                        }
                }

                validate_username

                suffix

                if ((outer.request:EAP-Message) && Realm != "%{config:local.MY.realm}") {
                        update outer.reply {
                                Reply-Message := "Realm is '%{Realm}' on Inside"
                        }
                        reject
                }

                # if the password is passed to us use it, otherwise yank it from LDAP
                if ((outer.request:Cleartext-Password)) {
                        update control {
                                Cleartext-Password := "%{outer.request:Cleartext-Password}"
                        }
                }
                else {
                        ldap-login

                        # some accounts are glitched and do not have a UP :(
                        if (ok && !(control:Cleartext-Password)) {
                                update outer.reply {
                                        Reply-Message := "No eDirectory UP"
                                }
                                reject
                        }
                }

                pap
                chap
                mschap

                update reply {
                        Auth-Type := "%{control:Auth-Type}"
                }
        }

        authenticate {
                Auth-Type PAP {
                        pap
                }
                Auth-Type CHAP {
                        chap
                }
                Auth-Type MSCHAP {
                        mschap
                }
        }
}


We are 'blessed' with Novhell, so 'ldap-login' populates 
Cleartext-Password from eDirectory if present; your approach would be 
different (the interesting bit is if you set 
'request:Cleartext-Password' in your outer layer before calling 'eap', 
which is a handy hook for a NAGIOS RADIUS check, letting you test 
authentication with eapol_test[1] and remove the AD component from the 
equation).

Once the 'auth' virtual server finishes, you will find in the outer 
layer for *successful* authentications, 'reply:User-Name' is the inner 
username whilst for *failure* authentications you want to use 
'request:User-Name'.

 I did map something to fooEmployeeStatus in ldap.attrmaps
 Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ &&
 fooEmployeeStatus =~ /active/i )
 /home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors
 parsing post-auth section.
 
 How can I reference User-Name in post-auth section of inner-tunnel?
 
In your outer post-auth section then I would recommend the following 
unlang (prime the defaults, and use the attributes to fixup what you 
want the final result to be):

post-auth {
        ...

        # defaults
        update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := unauthorised

                Termination-Action := RADIUS-Request

                # Cisco only support a max of 65535
                Session-Timeout := 64800

                Acct-Interim-Interval := 3600
        }

        if ( User-Name =~ /@/ && (fooEmployeeStatus) ) {
                update reply {
                        Tunnel-Private-Group-Id := facstaff
                }
        }

        ...
}


If you want to lower the load (and authentication latency) on your AD 
servers then you might want to look at the 

dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-20 Thread schilling
Hi All,

The group helped me configure the freeradius server to do mschapv2
against ldap w/ ntPassword if a user signs on with usern...@foo.edu, and
to do mschapv2 against AD w/ ntlm if a user just signs on with username.
Now I want to go one step further: passing some attributes
back to the NAS. Basically, I want to achieve
If (ldap authorization) {
    if (ldap.employeeStatus = facstaff) {
        REPLY{'Service-Type'}            = Framed-User;
        REPLY{'Tunnel-Type'}             = VLAN;
        REPLY{'Tunnel-Medium-Type'}      = IEEE-802;
        REPLY{'Tunnel-Private-Group-Id'} = facstaff;
    } else { # no ldap.employeeStatus attribute or ldap.employeeStatus != facstaff
        REPLY{'Service-Type'}            = Framed-User;
        REPLY{'Tunnel-Type'}             = VLAN;
        REPLY{'Tunnel-Medium-Type'}      = IEEE-802;
        REPLY{'Tunnel-Private-Group-Id'} = student;
    }
} else { # ntlm authentication
    REPLY{'Service-Type'}            = Framed-User;
    REPLY{'Tunnel-Type'}             = VLAN;
    REPLY{'Tunnel-Medium-Type'}      = IEEE-802;
    REPLY{'Tunnel-Private-Group-Id'} = facstaff;
}

What's the easiest way to accomplish this? unlang? perl module? Where to start?

Thanks,

Schilling

fromschilling schilling2...@gmail.com
to  FreeRadius users mailing list freeradius-users@lists.freeradius.org
dateTue, Dec 14, 2010 at 3:14 PM
subject Re: One virtual server for MS-chapv2 against AD w/ ntlm_auth,
the other one against ldap ntpasswd hash possible?
mailed-by   gmail.com

Got the whole setup working. So basically if users sign on with
usern...@foo.edu with eap, they will be sent to ldap w/ ntpassword
authorization. If users sign on with username only with eap, they will
be sent to active directory w/ ntlm authentication.
The configuration changes are the following:
etc/raddb/proxy.conf add
   realm foo.edu {
   }
   realm NULL {
   }
/etc/raddb/site-enabled/inner-tunnel at the ldap line in authorize section add
   switch "%{Realm}" {
           case "foo.edu" {
                   ldap
                   # see /etc/raddb/module/mschap: if ntpassword is available,
                   # then do not use NTLM_auth
                   update control {
                           MS-CHAP-Use-NTLM-Auth := NO
                   }
           }
           case NULL {
                   mschap
           }
   }

etc/raddb/module/mschap, etc/raddb/module/ntlm are all from integrate
with Active Directory howto.


Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-20 Thread Alan DeKok
schilling wrote:
Basically, I want to achieve
 If (ldap authorization) {
 if (ldap.employeeStatus = facstaff) {
 REPLY{'Service-Type'}= Framed-User;
 REPLY{'Tunnel-Type'} = VLAN;
 REPLY{'Tunnel-Medium-Type'}  = IEEE-802;
 REPLY{'Tunnel-Private-Group-Id'} = facstaff;
 } else { # no ldap.employeeStatus attribute or ldap.employeeStatus

  You can put pretty much that into a Perl script, or into unlang.

 What's the easiest way to accomplish this? unlang? perl module? Where to 
 start?

  I'd write a Perl script first.

  Alan DeKok.



Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-20 Thread schilling
Where should I put the perl script? I already have a perl module for
another virtual server to use radscript.

I also tried unlang in post-auth, like
if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
        update outer.reply {
                Service-Type = Framed-User
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
                Tunnel-Private-Group-Id = facstaff
        }
}

I did map something to fooEmployeeStatus in ldap.attrmaps
Bare %{...} is invalid in condition at: %{User-Name} =~ /\@/ &&
fooEmployeeStatus =~ /active/i )
/home/sding/opt/etc/raddb/sites-enabled/inner-tunnel[276]: Errors
parsing post-auth section.

How can I reference User-Name in post-auth section of inner-tunnel?

Thanks,

Schilling



On Thu, Jan 20, 2011 at 2:15 PM, Alan DeKok al...@deployingradius.com wrote:
 schilling wrote:
Basically, I want to achieve
 If (ldap authorization) {
     if (ldap.employeeStatus = facstaff) {
         REPLY{'Service-Type'}            = Framed-User;
         REPLY{'Tunnel-Type'}             = VLAN;
         REPLY{'Tunnel-Medium-Type'}      = IEEE-802;
         REPLY{'Tunnel-Private-Group-Id'} = facstaff;
     } else { # no ldap.employeeStatus attribute or ldap.employeeStatus

  You can put pretty much that into a Perl script, or into unlang.

 What's the easiest way to accomplish this? unlang? perl module? Where to 
 start?

  I'd write a Perl script first.

  Alan DeKok.





Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP

2011-01-20 Thread Alan Buxey
Hi,
 Where should I put the perl script? I already have a perl module for
 another virtual server to use radscript.
 
 I also tried unlang in post-auth, like
 if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {
         update outer.reply {
                 Service-Type = Framed-User
                 Tunnel-Type = VLAN
                 Tunnel-Medium-Type = IEEE-802
                 Tunnel-Private-Group-Id = facstaff
         }
 }


if ( %{User-Name} =~ /\@/ && fooEmployeeStatus =~ /active/i ) {

encase in quotes; don't have bare %{...}, as per the debug error

alan


Dynamic VLAN assignment on NAS

2010-11-18 Thread Attou eric
Hi the list

I'm sure this is a NAS question, not a FreeRADIUS question. But perhaps
somebody on the list has experienced this issue. Here is my problem.

I set up:

  - A FreeRADIUS configuration, EAP/PEAP, with user credentials stored in an
    LDAP directory.

  - A NAS zcomax ag3621 wireless access point with VLAN 802.1q support. On
    this access point, I have one SSID associated by default with guest VLAN 30,
    meaning if a user fails authentication, he will still be connected but on
    this VLAN with reduced privileges.

However radius returns the following Access-Accept packet to my NAS:

  Sending Access-Accept of id 81 to 192.168.32.88 port 1032
        Tunnel-Private-Group-Id:0 = 60
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        User-Name = user1

The access point just puts user1 on VLAN 30. My NAS ignores the VLAN ID 60
(Tunnel-Private-Group-Id:0 = 60) contained in the Access-Accept. I tried with
two different models of access point (zcomax and cisco).

My question: Is there a particular config to do to ask the NAS to consider
the VLAN ID contained in the Access-Accept packet?

Thanks for your answers




Re: Dynamic VLAN assignment on NAS

2010-11-18 Thread Alan DeKok
Attou eric wrote:
The access point just put user1 on VLAN 30. My NAS ignore the VLAN ID
 60 (Tunnel-Private-Group-Id:0 = 60)

  Then the NAS is broken.

 contained in the Access-Accept. I try with two different models of
 Access point (zcomax and cisco)
 
My question: Is there a particular config to do to ask the NAS to
 consider the VLAN ID contained in
  the Access-Accept packet ?

  See the NAS documentation.

  Alan DeKok.
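To see what the NAS actually has to act on, here is an added example (not from the thread and not FreeRADIUS code) that decodes the RFC 2868 tagged Tunnel-* attributes from an Access-Accept and checks that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id agree under one tag, which is what the ":0" in the debug output means. The packet bytes are constructed to mirror the Access-Accept of id 81 above, with a zeroed authenticator; a second constructed packet shows the tag-mismatch case.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the values a VLAN
# assignment needs: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6)
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6


def parse_attrs(packet):
    """Return (code, [(type, value_bytes), ...]) after checking the length fields.
    The Response Authenticator is not verified here (that needs the shared secret)."""
    code, _ident, length = struct.unpack('!BBH', packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError('RADIUS length field does not match packet size')
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError('bad attribute length at offset %d' % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def tagged_int(value):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    if len(value) != 4:
        raise ValueError('tagged integer must be 4 bytes')
    return value[0], int.from_bytes(value[1:], 'big')


def tagged_string(value):
    """RFC 2868 tagged string: the first byte is a tag only if it is 0x00..0x1F;
    a larger first byte is data and the attribute counts as untagged (tag 0)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode('utf-8')
    return 0, value.decode('utf-8')


def vlan_assignment(packet):
    """Return (vlan_id, detail).  vlan_id is the Tunnel-Private-Group-Id string
    when the packet is an Access-Accept whose Tunnel-Type, Tunnel-Medium-Type
    and Tunnel-Private-Group-Id agree under one tag, otherwise None."""
    code, attrs = parse_attrs(packet)
    if code != ACCESS_ACCEPT:
        return None, 'code %d is not Access-Accept' % code
    groups = {}  # tag -> {attribute type: decoded value}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, decoded = tagged_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, decoded = tagged_string(value)
        else:
            continue
        groups.setdefault(tag, {})[atype] = decoded
    if not groups:
        return None, 'no Tunnel-* attributes in the reply'
    for tag, group in sorted(groups.items()):
        if (group.get(TUNNEL_TYPE) == VLAN
                and group.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in group):
            return group[TUNNEL_PRIVATE_GROUP_ID], 'tag %d' % tag
    return None, 'tunnel attributes present but no single tag carries all three'


def build_accept(ident, attrs):
    """Constructed Access-Accept for testing; the 16-byte authenticator is zeroed."""
    body = b''.join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    return struct.pack('!BBH', ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body


def tagged_int_bytes(tag, number):
    return bytes([tag]) + number.to_bytes(3, 'big')


# Constructed to mirror the Access-Accept of id 81 quoted in the post (tag 0 everywhere).
SAMPLE_ACCEPT = build_accept(81, [
    (TUNNEL_PRIVATE_GROUP_ID, b'\x00' + b'60'),
    (TUNNEL_MEDIUM_TYPE, tagged_int_bytes(0, IEEE_802)),
    (TUNNEL_TYPE, tagged_int_bytes(0, VLAN)),
    (USER_NAME, b'user1'),
])

# Constructed failure case: the group id carries tag 1 while the other two carry
# tag 0, so a standards-following NAS has no complete VLAN tuple to act on.
MISMATCHED_TAGS = build_accept(82, [
    (TUNNEL_PRIVATE_GROUP_ID, b'\x01' + b'60'),
    (TUNNEL_MEDIUM_TYPE, tagged_int_bytes(0, IEEE_802)),
    (TUNNEL_TYPE, tagged_int_bytes(0, VLAN)),
])

if __name__ == '__main__':
    print(vlan_assignment(SAMPLE_ACCEPT))    # ('60', 'tag 0')
    print(vlan_assignment(MISMATCHED_TAGS))  # (None, 'tunnel attributes present but ...')
```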


Dynamic VLAN Assignment based on a certificate, not a user.

2010-11-01 Thread Бисер Миланов
 Hello!
Some time ago Alan mentioned that the new 2.1.10 version will support such a 
thing. However, I can't seem to find it in the docs. Can anyone shed some light 
on how that can be done with the new functionality?


Re: Dynamic VLAN Assignment based on a certificate, not a user.

2010-11-01 Thread Alan DeKok
Бисер Миланов wrote:
  Hello!
 Some time ago Alan mentioned that the new 2.1.10 version will support such a 
 thing. However, I can't seem to find it in the docs. Can anyone shed some 
 light on how that can be done with the new functionality?

  Read the ChangeLog.  There are new attributes which contain
information from the certificate.  Use those as part of a policy to
determine VLAN assignment.

  Alan DeKok.

Re: problems with dynamic vlan assignment

2010-09-16 Thread Phil Mayers



[ldap]  expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
[ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to
ldapdev.int-evry.fr:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = employee


Two issues; first, as above you're adding the User-Category item from 
LDAP into the reply list, but the files syntax doesn't (can't) match 
items in the reply list. This:


DEFAULT User-Category == employee

means match all requests with the attribute User-Category == employee in 
the *request* items


Secondly, I think you're running LDAP after files, so even if it could 
match, it would not.


Try something like this in sites-available/inner-tunnel:

authorize {
  ...
  ldap
  if (reply:User-Category == employee) {
update reply {
  Tunnel-Private-Group-Id := 1234
}
  }
  elsif (reply:User-Category == ...) {
  }

}

Or, modify your ldap.attrmap to put the User-Category into the request 
items (assuming your NAS doesn't need it) then move the files module 
after the ldap one.




Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau

thanks for your reply

here is what I did

in the ldap.attrmap I put
checkItem   User-Category eduPersonPrimaryAffiliation

in the users file I did
DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

DEFAULT User-Category == student
        Reply-Message = "Your a member of the student Group",
        Tunnel-Private-Group-Id = 902

DEFAULT User-Category == employee
        Reply-Message = "Your a member of the employee Group",
        Tunnel-Private-Group-Id = 903

in the inner-tunnel file I have

authorize {
        chap
        mschap
        unix
        suffix
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        files
        expiration
        logintime
        pap
}

I got the following logs


[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for doutrele
[ldap]  expand: %{Stripped-User-Name} -> doutrele
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=doutrele)
[ldap]  expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
  [ldap] eduPersonPrimaryAffiliation -> User-Category == employee
  [ldap] sambaNtPassword -> NT-Password == 
0x3846343134354531463530334232353337443430363846343942363633434143
  [ldap] sambaLmPassword -> LM-Password == 
0x4434413632394242394536303843323438423045413541374446313335423033

[ldap] looking for reply items in directory...
WARNING: No known good password was found in LDAP.  Are you sure that 
the user is configured correctly?

[ldap] user doutrele authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
[files] users: Matched entry DEFAULT at line 166
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[eap] Freeing handler
++[eap] returns ok
..

The line 166 in my users file is this one
DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

and I don't match the following entry
DEFAULT User-Category == employee
        Reply-Message = "Your a member of the employee Group",
        Tunnel-Private-Group-Id = 903

and I really don't know why

Le 16/09/2010 09:44, Phil Mayers a écrit :



[ldap] expand: dc=int-evry,dc=fr -> dc=int-evry,dc=fr
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to ldapdev.int-evry.fr:389, authentication 0
[ldap] bind as cn=admin,dc=int-evry,dc=fr/admldap to
ldapdev.int-evry.fr:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in dc=int-evry,dc=fr, with filter (uid=doutrele)
[ldap] looking for check items in directory...
[ldap] sambaNtPassword -> NT-Password ==
0x3846343134354531463530334232353337443430363846343942363633434143
[ldap] sambaLmPassword -> LM-Password ==
0x4434413632394242394536303843323438423045413541374446313335423033
[ldap] looking for reply items in directory...
[ldap] eduPersonPrimaryAffiliation -> User-Category = employee


Two issues; first, as above you're adding the User-Category item from
LDAP into the reply list, but the files syntax doesn't (can't) match
items in the reply list. This:

DEFAULT User-Category == employee

means match all requests with the attribute User-Category == employee in
the *request* items

Secondly, I think you're running LDAP after files, so even if it could
match, it would not.

Try something like this in sites-available/inner-tunnel:

authorize {
        ...
        ldap
        if (reply:User-Category == employee) {
                update reply {
                        Tunnel-Private-Group-Id := 1234
                }
        }
        elsif (reply:User-Category == ...) {
        }

}

Or, modify your ldap.attrmap to put the User-Category into the request
items (assuming your NAS doesn't need it) then move the files module
after the ldap one.




Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau

Hi alexander

Le 16/09/2010 00:31, Alexander Clouter a écrit :


Remember that the 'inner-auth' virtual server is a *unique* instance
to your outer layer so 'User-Category' might be defined but only on the
outside whilst it looks like you are calling 'files' *inside*.

Cheers



Well I understand what you mean but I have some difficulties translating 
that into my configuration file.


Yes, I have in my inner-tunnel file the lines
authorize {
        chap
        mschap
        unix
        suffix
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        files
        expiration
        logintime
        pap
}

but how can I call it outside?
I'm a bit lost


Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau

well I thought I had found the answer
I'm not sure if it's the right way to do it

in the peap section of the eap file I had

use_tunneled_reply = yes


Le 16/09/2010 13:22, Eric Doutreleau a écrit :

Hi alexander

Le 16/09/2010 00:31, Alexander Clouter a écrit :


Remember that the 'inner-auth' virtual server is a *unique* instance
to your outer layer so 'User-Category' might be defined but only on the
outside whilst it looks like you are calling 'files' *inside*.

Cheers



Well I understand what you mean but I have some difficulties translating
that into my configuration file.

Yes, I have in my inner-tunnel file the lines
authorize {
        chap
        mschap
        unix
        suffix
        update control {
                Proxy-To-Realm := LOCAL
        }
        eap {
                ok = return
        }
        ldap
        files
        expiration
        logintime
        pap
}

but how can I call it outside?
I'm a bit lost



Re: problems with dynamic vlan assignment

2010-09-16 Thread Phil Mayers

On 16/09/10 10:16, Eric Doutreleau wrote:

thanks for your replay

here what i did

In the ldap.attrmap I put
checkItem   User-Category eduPersonPrimaryAffiliation


checkItem means put the attribute into the check/config items list.

Looking at the source code, I see that rlm_ldap can't update the request 
item list.




In the user file I did
DEFAULT
  Tunnel-Type := VLAN,
  Tunnel-Medium-Type := IEEE-802,
  Tunnel-Private-Group-Id = 901,
  Fall-Through = Yes

DEFAULT User-Category == student
  Reply-Message = Your a member of the student Group,
  Tunnel-Private-Group-Id = 902


This means match User-Category in the request items list, which is not 
the list you've put it in.


files syntax cannot do comparisons against check/config or reply 
items, and LDAP can only put items into check/config or reply. You will 
therefore have to use an unlang syntax as per my previous email:


authorize {
  ...
  ldap
  if (control:User-Category == ...) {
...
  }
}


Re: problems with dynamic vlan assignment

2010-09-16 Thread Eric Doutreleau



On 16/09/2010 15:34, Phil Mayers wrote:

On 16/09/10 10:16, Eric Doutreleau wrote:

Thanks for your reply.

Here is what I did.

In the ldap.attrmap I put
checkItem User-Category eduPersonPrimaryAffiliation


checkItem means put the attribute into the check/config items list.

Looking at the source code, I see that rlm_ldap can't update the request
item list.



In the user file I did
DEFAULT
Tunnel-Type := VLAN,
Tunnel-Medium-Type := IEEE-802,
Tunnel-Private-Group-Id = 901,
Fall-Through = Yes

DEFAULT User-Category == student
Reply-Message = Your a member of the student Group,
Tunnel-Private-Group-Id = 902


This means match User-Category in the request items list, which is not
the list you've put it in.

files syntax cannot do comparisons against check/config or reply
items, and LDAP can only put items into check/config or reply. You will
therefore have to use an unlang syntax as per my previous email:

authorize {
...
ldap
if (control:User-Category == ...) {
...
}
}


Thanks Phil, that's what I will do.


Re: problems with dynamic vlan assignment

2010-09-15 Thread Alan Buxey
Hi,

 vlan assignment based on vlan.
 
 
 Here is what I have in my users file
 
 DEFAULT User-Category == student
 Reply-Message = Your a member of the student Group,
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-Id = 902,
 Fall-Through = No
 
 DEFAULT User-Category == employee
 Reply-Message = Your a member of the employee Group,
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-Id = 903,
 Fall-Through = No

Your example was employee, which is the second on this list. Just a hunch,
but I think you need to have

Fall-Through = Yes

for DEFAULT entries to fall through to other DEFAULT options.

The doc:

# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.

alan


Re: problems with dynamic vlan assignment

2010-09-15 Thread Alexander Clouter
Eric Doutreleau eric.doutrel...@it-sudparis.eu wrote:
 
 I'm using freeradius 2.1.9 and I have some problems with making dynamic
 vlan assignment based on vlan.

 Here is what I have in my users file
 
 DEFAULT User-Category == student
Reply-Message = Your a member of the student Group,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 902,
Fall-Through = No
 
 DEFAULT User-Category == employee
Reply-Message = Your a member of the employee Group,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 903,
Fall-Through = No

Eugh, do not do this, use the following sort of thing instead:

DEFAULT
Tunnel-Type := VLAN,
Tunnel-Medium-Type := IEEE-802,
Tunnel-Private-Group-Id = 901,  'unauthorised'
Fall-Through = Yes

DEFAULT User-Category == student
Tunnel-Private-Group-Id = 902   'student'

DEFAULT User-Category == employee
Tunnel-Private-Group-Id = 903   'employee'


 But as you can see in the following debug file my user is authenticated,
 his radius item User-Category is employee, but he never gets the
 attributes of vlan in the request

Looks like you need to flip the order of 'files' and 'eap' around as it 
is your eap (from the PEAP method) module that sets 'User-Category' 
however you are calling 'files' *before* User-Category is set.

Remember that the 'inner-auth' virtual server is a *unique* instance 
to your outer layer so 'User-Category' might be defined but only on the 
outside whilst it looks like you are calling 'files' *inside*.

Cheers

-- 
Alexander Clouter
.sigmonster says: Preserve Wildlife!  Throw a party today!



RE: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!

2009-12-19 Thread tnt
 Thank you very much for your help! Now it works beautifully!

 My next step is to integrate FreeRadius with my Windows domain to use
 Windows AD for authentication. I am sure I will have more questions for you
 guys!

http://deployingradius.com/documents/configuration/active_directory.html

Ivan Kalik



RE: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!

2009-12-18 Thread Difan Zhao
Hey Ivan,

Thank you very much for your help! Now it works beautifully! 

My next step is to integrate FreeRadius with my Windows domain to use
Windows AD for authentication. I am sure I will have more questions for you
guys! 

Thank you!

Guest-tek, Difan Zhao
difan.z...@guest-tek.com
www.guest-tek.com
Office: 403-509-1010 ext 3048
Cell: 403-689-7514
-Original Message-
From:
freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of t...@kalik.net
Sent: Thursday, December 17, 2009 6:53 PM
To: FreeRadius users mailing list
Subject: Re: Dynamic VLAN assignment works on EAP-MD5, but not
EAP-PEAP!!!

 I have figured out how to configure attributes. Here is my user
file:



 test   Cleartext-Password := test

 Tunnel-Type = 16777229,

 Tunnel-Medium-Type = 16777222,

 Tunnel-Private-Group-ID = 3



 When I use MD5-Challenge, I got put in the right vlan I wanted.
However
 if I choose PEAP, I can be authenticated but the vlan thing won't
work.
 I checked the Radius -X output very carefully and I don't see the
server
 is sending any attributes, as it did when the MD5 is used... I chose
 different types of authentication on the windows box. It seems I don't
 have to change any configuration on the radius server for both
 authentications to work. I will attach both radius -X output for both
 types.

You have those attributes in the tunneled reply. You should enable
use_tunneled_reply in the peap section of eap.conf.

Ivan Kalik




Re: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!

2009-12-17 Thread tnt
 I have figured out how to configure attributes. Here is my user file:



 test   Cleartext-Password := test

 Tunnel-Type = 16777229,

 Tunnel-Medium-Type = 16777222,

 Tunnel-Private-Group-ID = 3



 When I use MD5-Challenge, I got put in the right vlan I wanted. However
 if I choose PEAP, I can be authenticated but the vlan thing won't work.
 I checked the Radius -X output very carefully and I don't see the server
 is sending any attributes, as it did when the MD5 is used... I chose
 different types of authentication on the windows box. It seems I don't
 have to change any configuration on the radius server for both
 authentications to work. I will attach both radius -X output for both
 types.

You have those attributes in the tunneled reply. You should enable
use_tunneled_reply in the peap section of eap.conf.

Ivan Kalik



Unreliable Dynamic VLAN Assignment?

2009-09-20 Thread Palmer J.D.F.
Hi,

We're having a bit of a problem with FreeRADIUS not always including
VLAN information in access-accept packets; I've not been able as yet to
establish what the cause is so I thought I'd throw it out to the list if
there's something others have come across.
Needless to say our testing through the summer had not highlighted this
issue, but now we have 3000 students trying to connect it's become
apparent.  

A bit of info, we're seeing this issue in both FR 2.1.1 and 2.1.7, and
our NASes are Cisco WiSM.
Users' VLAN info is stored in the SQL usergroup table.
I have an sql.authorize statement in the Post-Auth section of both the
default (outer), and inner-tunnel conf files.

Initially I thought it was only clients with an anonymised outer
identity that were having this issue, which seemed plausible as the
sql.authorize in default would see the outer and fail to find it in sql
(though wouldn't explain why it works sometimes); but it appears not to be
just these users, as we're now seeing users who are not using anon
outers having the same issue.

Another thought was that fast-reauth could be the issue, in that somehow
a fast-reauth request was not doing a Post-Auth sql.authorize and
therefore not sending back the VLAN info?

I fully expect it's a config issue, but any insight would be gratefully
received.

Currently I do not have CCKM enabled on the controllers, but for some
time I have been considering enabling this to take some load off RADIUS,
and also wondered if it would help this current problem. Is there
anything to be wary of with CCKM?

Many thanks,
Jezz Palmer.




Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread tnt
The full log may be viewed at: http://dpaste.com/112610/

Also, I have posted my eap.conf here: http://dpaste.com/112615/

and radius.conf here: http://dpaste.com/112616/

and I don't think anyone would need it, but here is clients.conf as
well: http://dpaste.com/112618/


You have posted everything apart from the most important thing - radiusd
-X debug. I can see those tunnel attributes on Cisco debug but not in
the Access-Accept packet (the one with MPPE keys).

Ivan Kalik
Kalik Informatika ISP



Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread William Graeber
Here is the output of a client associating immediately after the
server starts: http://dpaste.com/112843/

Also, I am new to IOS, and there was no debug aaa on command. If you
look closely at the top of the file I previously posted, I turned on
about half of the options I thought relevant to debugging to aaa. I
don't know if this would have an effect on showing what was relevant.

I really appreciate the help everyone has given thus far.

-William

On Sun, Jan 25, 2009 at 04:23,  t...@kalik.net wrote:
The full log may be viewed at: http://dpaste.com/112610/

Also, I have posted my eap.conf here: http://dpaste.com/112615/

and radius.conf here: http://dpaste.com/112616/

and I don't think anyone would need it, but here is clients.conf as
well: http://dpaste.com/112618/


 You have posted everything apart from the most important thing - radiusd
 -X debug. I can see those tunnel attributes on Cisco debug but not in
 the Access-Accept packet (the one with MPPE keys).

 Ivan Kalik
 Kalik Informatika ISP




Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread Alan DeKok
William Graeber wrote:
 Here is the output of a client associating immediately after the
 server starts: http://dpaste.com/112843/

  You're not assigning the attributes that tell the server to put the
user into a VLAN.

  Are you using the *default* configuration files in 2.0.5?  It looks
like you're not, because editing the users file *should* get it to work.

  It looks like you need to either:

 - set use_tunneled_reply = yes in eap.conf, peap{} sub-section

 - add the set VLAN configuration to the post-auth section.

  Alan DeKok.


Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread William Graeber
I have modified eap.conf and added use_tunneled_reply = yes in the
peap section. I have previously tried this, and obtained the same
results. Whenever a client tries to login, they get cycled from
authenticating/connecting very quickly. I've posted an example output
from a radius debug: http://dpaste.com/112927/

Could you expand on the set VLAN option in the post-auth section? I
have looked around a bit, but haven't found much of use.

Also, I may try a vanilla install of FreeRADIUS, as I'm using the
packaged version from the OpenBSD ports tree. There are a few config
discrepancies, and I don't understand enough to know how they are
having an effect.

Thanks again,
-William

On Sun, Jan 25, 2009 at 12:03, Alan DeKok al...@deployingradius.com wrote:
 William Graeber wrote:
 Here is the output of a client associating immediately after the
 server starts: http://dpaste.com/112843/

  You're not assigning the attributes that tell the server to put the
 user into a VLAN.

  Are you using the *default* configuration files in 2.0.5?  It looks
 like you're not, because editing the users file *should* get it to work.

  It looks like you need to either:

  - set use_tunneled_reply = yes in eap.conf, peap{} sub-section

  - add the set VLAN configuration to the post-auth section.

  Alan DeKok.



Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread tnt
I have modified eap.conf and added use_tunneled_reply = yes in the
peap section. I have previously tried this, and obtained the same
results. Whenever a client tries to login, they get cycled from
authenticating/connecting very quickly. I've posted an example output
from a radius debug: http://dpaste.com/112927/


You are getting an Access-Accept with VLAN attributes now:

Sending Access-Accept of id 199 to 10.0.0.254 port 1645
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = 100
User-Name = wgraeber
MS-MPPE-Recv-Key =
0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d2528460   
 7bb4c52ab58f1
MS-MPPE-Send-Key =
0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f585   
 59d26a1100bfb
EAP-Message = 0x030a0004
Message-Authenticator = 0x

But AP is unhappy. Do debug dot11 aaa and see what it is complaining
about. It's missing something (probably Service-Type).

Ivan Kalik
Kalik Informatika ISP



Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread William Graeber
Here is the output of Cisco debugging with use_tunneled_reply = yes:
http://dpaste.com/113022/

Again, I really appreciate your help.

-William

On Sun, Jan 25, 2009 at 18:29,  t...@kalik.net wrote:
I have modified eap.conf and added use_tunneled_reply = yes in the
peap section. I have previously tried this, and obtained the same
results. Whenever a client tries to login, they get cycled from
authenticating/connecting very quickly. I've posted an example output
from a radius debug: http://dpaste.com/112927/


 You are getting an Access-Accept with VLAN attributes now:

 Sending Access-Accept of id 199 to 10.0.0.254 port 1645
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = 100
User-Name = wgraeber
MS-MPPE-Recv-Key =
 0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d2528460
 7bb4c52ab58f1
MS-MPPE-Send-Key =
 0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f585
 59d26a1100bfb
EAP-Message = 0x030a0004
Message-Authenticator = 0x

 But AP is unhappy. Do debug dot11 aaa and see what it is complaining
 about. It's missing something (probably Service-Type).

 Ivan Kalik
 Kalik Informatika ISP




Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread William Graeber
I may have solved my own problem - I have contradicting encryption
settings for each VLAN on the Cisco access point. I was testing the
setup by bumping the user from VLAN 200 (WPA-required) to VLAN 100
(open access). I'll give this a shot and post my results.

-William

On Sun, Jan 25, 2009 at 22:14, William Graeber swi...@swilly.tk wrote:
 Here is the output of Cisco debugging with use_tunneled_reply = yes:
 http://dpaste.com/113022/

 Again, I really appreciate your help.

 -William

 On Sun, Jan 25, 2009 at 18:29,  t...@kalik.net wrote:
I have modified eap.conf and added use_tunneled_reply = yes in the
peap section. I have previously tried this, and obtained the same
results. Whenever a client tries to login, they get cycled from
authenticating/connecting very quickly. I've posted an example output
from a radius debug: http://dpaste.com/112927/


 You are getting an Access-Accept with VLAN attributes now:

 Sending Access-Accept of id 199 to 10.0.0.254 port 1645
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
Tunnel-Private-Group-Id:0 = 100
User-Name = wgraeber
MS-MPPE-Recv-Key =
 0x8d9a0e99e52c18b817039f9d503bbd00d66c3cf3927d2528460
 7bb4c52ab58f1
MS-MPPE-Send-Key =
 0x5b07ed87b3ddd6c9fe6186c9443d80cca1b7e24f393f854f585
 59d26a1100bfb
EAP-Message = 0x030a0004
Message-Authenticator = 0x

 But AP is unhappy. Do debug dot11 aaa and see what it is complaining
 about. It's missing something (probably Service-Type).

 Ivan Kalik
 Kalik Informatika ISP






-- 
William M. Graeber
Furman University PMB 27335
3300 Poinsett Highway
Greenville, SC 29613
864 905 9533 (Mobile)


Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-25 Thread William Graeber
I have resolved the issue. I created a new VLAN with matching
encryption settings to the default VLAN. Thank you all for helping! I
have become much more familiar with the Cisco debugging procedure in
the process.

-William


Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-24 Thread William Graeber
Tom was correct, and I have changed the Tunnel-Medium-Type to 6. The
corresponding radtest output shows it is correctly translated to
IEEE-802. However, I am still not bumped into the correct VLAN. In
the Cisco debug logs, I see these lines:

*Mar  1 00:09:30.630: AAA/ATTR(): add attr: 0125E6C0 0
0001 tunnel-medium-type(336) 4 ALL_802
*Mar  1 00:09:30.630: AAA/ATTR(): add attr: 0125E6D4 0
0001 tunnel-type(344) 4 VLAN
*Mar  1 00:09:30.630: AAA/ATTR(): add attr: 0125E6E8 0
0009 tunnel-private-group-id(297) 3 100

*Mar  1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6C0 0
0001 tunnel-medium-type(336) 4 ALL_802
*Mar  1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6D4 0
0001 tunnel-type(344) 4 VLAN
*Mar  1 00:09:30.634: AAA/ATTR(000B): del attr: 0125E6E8 0
0009 tunnel-private-group-id(297) 3 100

The full log may be viewed at: http://dpaste.com/112610/

Also, I have posted my eap.conf here: http://dpaste.com/112615/

and radius.conf here: http://dpaste.com/112616/

and I don't think anyone would need it, but here is clients.conf as
well: http://dpaste.com/112618/

I am using FreeRADIUS version 2.0.5 on OpenBSD 4.4. I'm sure that
there is something simple that I am missing, but I'm new to both the
RADIUS protocol and Cisco access points. I luckily was able to score
several 1130ag's cheap for personal use during an auction from the
presidential campaign.

Thanks again,
William

On Fri, Jan 23, 2009 at 11:30,  t...@kalik.net wrote:
I have been having trouble recently with getting dynamic VLAN
assignment working on my Cisco AP. Clients are successfully
authenticating with FreeRADIUS. However, they do not seem to be
picking up extra attributes from the users file (below is the
relevant portion of it).

wgraeberNT-Password := XXX
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = 802,
  Tunnel-Private-Group-ID = 100

The users are just directed to their original VLAN instead of this
portion overriding it. When I try to authenticate to the access point
with radtest, I get the following output:

# radtest wgraeber XXX 127.0.0.1 10 XXX
Sending Access-Request of id 42 to 127.0.0.1 port 1812
   User-Name = wgraeber
   User-Password = XXX
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = 802
   Tunnel-Private-Group-Id:0 = 100

Furthermore, the Tunnel-Type, Tunnel-Medium-Type, and
Tunnel-Private-Group-Id attributes in the console when actually
authenticating and watching the output of radiusd -X on another
machine. The access point *should* support this out of the box
according to the Cisco specs. This is my first FreeRADIUS
implementation, so I don't know if I'm missing any magic options.


 You have done what you were supposed to on freeradius. Do debug aaa on
 Cisco and see what has happened to the attributes.

 Ivan Kalik
 Kalik Informatika ISP




Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-23 Thread William Graeber
I have been having trouble recently with getting dynamic VLAN
assignment working on my Cisco AP. Clients are successfully
authenticating with FreeRADIUS. However, they do not seem to be
picking up extra attributes from the users file (below is the
relevant portion of it).

wgraeberNT-Password := XXX
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = 802,
  Tunnel-Private-Group-ID = 100

The users are just directed to their original VLAN instead of this
portion overriding it. When I try to authenticate to the access point
with radtest, I get the following output:

# radtest wgraeber XXX 127.0.0.1 10 XXX
Sending Access-Request of id 42 to 127.0.0.1 port 1812
   User-Name = wgraeber
   User-Password = XXX
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = 802
   Tunnel-Private-Group-Id:0 = 100

Furthermore, the Tunnel-Type, Tunnel-Medium-Type, and
Tunnel-Private-Group-Id attributes in the console when actually
authenticating and watching the output of radiusd -X on another
machine. The access point *should* support this out of the box
according to the Cisco specs. This is my first FreeRADIUS
implementation, so I don't know if I'm missing any magic options.

Also, I have searched the archives and tried several suggestions to no
avail (in eap.conf, copy_request_to_tunnel and use_tunneled_reply
under the PEAP segment). I will happily post more configuration
options / debug info if needed.

Thanks in advance,
William


Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-23 Thread A . L . M . Buxey
Hi,
 I have been having trouble recently with getting dynamic VLAN
 assignment working on my Cisco AP. Clients are successfully
 authenticating with FreeRADIUS. However, they do not seem to be
 picking up extra attributes from the users file (below is the
 relevant portion of it).
 
 wgraeberNT-Password := XXX
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = 802,
   Tunnel-Private-Group-ID = 100

those are the attributes you want.


Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = 100

a slight difference.

alan


Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-23 Thread tnt
I have been having trouble recently with getting dynamic VLAN
assignment working on my Cisco AP. Clients are successfully
authenticating with FreeRADIUS. However, they do not seem to be
picking up extra attributes from the users file (below is the
relevant portion of it).

wgraeberNT-Password := XXX
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = 802,
  Tunnel-Private-Group-ID = 100

The users are just directed to their original VLAN instead of this
portion overriding it. When I try to authenticate to the access point
with radtest, I get the following output:

# radtest wgraeber XXX 127.0.0.1 10 XXX
Sending Access-Request of id 42 to 127.0.0.1 port 1812
   User-Name = wgraeber
   User-Password = XXX
   NAS-IP-Address = 127.0.0.1
   NAS-Port = 10
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = 802
   Tunnel-Private-Group-Id:0 = 100

Furthermore, the Tunnel-Type, Tunnel-Medium-Type, and
Tunnel-Private-Group-Id attributes in the console when actually
authenticating and watching the output of radiusd -X on another
machine. The access point *should* support this out of the box
according to the Cisco specs. This is my first FreeRADIUS
implementation, so I don't know if I'm missing any magic options.


You have done what you were supposed to on freeradius. Do debug aaa on
Cisco and see what has happened to the attributes.

Ivan Kalik
Kalik Informatika ISP



Re: Cisco Aironet 1130ag dynamic VLAN assignment

2009-01-23 Thread Tom Whitehouse
 Date: Fri, 23 Jan 2009 11:16:55 -0500
 From: William Graeber swi...@swilly.tk
 Subject: Cisco Aironet 1130ag dynamic VLAN assignment
 To: freeradius-users@lists.freeradius.org
 Message-ID:
  1d7de5e60901230816j64dec24dhe90883e276e48...@mail.gmail.com
 Content-Type: text/plain; charset=UTF-8
 
 I have been having trouble recently with getting dynamic VLAN
 assignment working on my Cisco AP. Clients are successfully
 authenticating with FreeRADIUS. However, they do not seem to be
 picking up extra attributes from the users file (below is the
 relevant portion of it).
 
 wgraeberNT-Password := XXX
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = 802,
   Tunnel-Private-Group-ID = 100
 

Tunnel-Medium-Type = IEEE-802,
 ^

This gets looked up in the dictionaries and the corresponding value 
sent in the message (in this case 6, I believe).

Tom



Re: Dell 6248 and Dynamic VLAN Assignment

2008-10-31 Thread Anders Holm

Talk to the vendor?

Sent from my iPhone

On 31 Oct 2008, at 01:20, Luke [EMAIL PROTECTED] wrote:


Hi :)

I'm trying to get dynamic VLAN assignment to work with my Dell 6248,
which they officially support as of firmware revision 2.1.0.13.

I'm using freeradius version 2.1.1

I think I'm sending the information the correct way from freeradius,  
to wit:


DEFAULT Auth-Type == MS-CHAP
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = 802,
   Tunnel-Private-Group-ID = 3

(this is in my users file)

When watching the debug output from radiusd -X, I can see it sending
these messages back to the Dell switch.  However, the dell switch is
not correctly assigning the VLAN.

The information from the release notes from Dell is as follows:

802.1x Option 81
The Tunnel Attribute indicates the tunneling protocol to be used or
the tunneling protocol in use at the Authenticator. In particular, it
may be desirable to allow a supplicant (MAC based) or port (Port
Based) to be placed into a particular Virtual LAN (VLAN) based on the
result of the authentication. To achieve the distribution of the VLAN
id to the supplicant, the tunnel attribute can be used.
For use in VLAN assignment, the following tunnel attributes are used:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a
value between 1 and 4093.
The NAS-IP Attribute indicates the identifying IP Address of the NAS
(Switch or Access Point) which is requesting authentication of the
user, and should be unique to the NAS within the scope of the RADIUS
server. NAS-IP-Address is only used in Access-Request packets. Either
NAS-IP-Address or NAS-Identifier must be present in an Access-Request
packet.

I can see from my Dell switch that this stuff is enabled, but for some
reason it's still not setting the VLAN.

Does anyone have any suggestions?

Thanks.



Re: Dell 6248 and Dynamic VLAN Assignment

2008-10-31 Thread tnt
Dictionary value for that Tunnel-Medium-Type is IEEE-802.

Ivan Kalik
Kalik Informatika ISP


On 31/10/2008, Luke [EMAIL PROTECTED] wrote:

Hi :)

I'm trying to get dynamic VLAN assignment to work with my Dell 6248,
which they officially support as of firmware revision 2.1.0.13.

I'm using freeradius version 2.1.1

I think I'm sending the information the correct way from freeradius, to wit:

DEFAULT Auth-Type == MS-CHAP
Tunnel-Type = VLAN,
Tunnel-Medium-Type = 802,
Tunnel-Private-Group-ID = 3

(this is in my users file)

When watching the debug output from radiusd -X, I can see it sending
these messages back to the Dell switch.  However, the dell switch is
not correctly assigning the VLAN.

The information from the release notes from Dell is as follows:

802.1x Option 81
The Tunnel Attribute indicates the tunneling protocol to be used or
the tunneling protocol in use at the Authenticator. In particular, it
may be desirable to allow a supplicant (MAC based) or port (Port
Based) to be placed into a particular Virtual LAN (VLAN) based on the
result of the authentication. To achieve the distribution of the VLAN
id to the supplicant, the tunnel attribute can be used.
For use in VLAN assignment, the following tunnel attributes are used:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a
value between 1 and 4093.
The NAS-IP Attribute indicates the identifying IP Address of the NAS
(Switch or Access Point) which is requesting authentication of the
user, and should be unique to the NAS within the scope of the RADIUS
server. NAS-IP-Address is only used in Access-Request packets. Either
NAS-IP-Address or NAS-Identifier must be present in an Access-Request
packet.

I can see from my Dell switch that this stuff is enabled, but for some
reason it's still not setting the VLAN.

Does anyone have any suggestions?

Thanks.





Dell 6248 and Dynamic VLAN Assignment

2008-10-30 Thread Luke
Hi :)

I'm trying to get dynamic VLAN assignment to work with my Dell 6248,
which they officially support as of firmware revision 2.1.0.13.

I'm using freeradius version 2.1.1

I think I'm sending the information the correct way from freeradius, to wit:

DEFAULT Auth-Type == MS-CHAP
Tunnel-Type = VLAN,
Tunnel-Medium-Type = 802,
Tunnel-Private-Group-ID = 3

(this is in my users file)

When watching the debug output from radiusd -X, I can see it sending
these messages back to the Dell switch.  However, the dell switch is
not correctly assigning the VLAN.

The information from the release notes from Dell is as follows:

802.1x Option 81
The Tunnel Attribute indicates the tunneling protocol to be used or
the tunneling protocol in use at the Authenticator. In particular, it
may be desirable to allow a supplicant (MAC based) or port (Port
Based) to be placed into a particular Virtual LAN (VLAN) based on the
result of the authentication. To achieve the distribution of the VLAN
id to the supplicant, the tunnel attribute can be used.
For use in VLAN assignment, the following tunnel attributes are used:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a
value between 1 and 4093.
The NAS-IP Attribute indicates the identifying IP Address of the NAS
(Switch or Access Point) which is requesting authentication of the
user, and should be unique to the NAS within the scope of the RADIUS
server. NAS-IP-Address is only used in Access-Request packets. Either
NAS-IP-Address or NAS-Identifier must be present in an Access-Request
packet.

I can see from my Dell switch that this stuff is enabled, but for some
reason it's still not setting the VLAN.

Does anyone have any suggestions?

Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: unlang to overcome cisco zero tag issue and for dynamic vlan assignment

2008-04-10 Thread Phil Mayers

[EMAIL PROTECTED] wrote:

We'd like to setup the following:

A workstation is booted, the supplicant asks for the credentials, the cisco
switch passes the credentials to a freeradius server, freeradius authenticates
the user to an edirectory ldap server, freeradius decides which
Tunnel-Private-Group-Id to send back to the switch to place the user into the
correct VLAN.

The authentication/authorization works fine. The cisco switch accepts the
returned VLAN info if we hard code it into the users file such as with:

DEFAULT
        Tunnel-Private-Group-ID:1 := 901,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802

We attempted to make the configuration more generic by setting
Tunnel-Private-Group-ID equal to an LDAP attribute in ldap.attrmap. This would
automatically associate the VLAN ID w/ the user.

replyItem   Tunnel-Private-Group-ID ourldapattribforthevlan

That didn't work because freeradius wasn't associating a tag with the
attribute (or was setting it to zero) when responding to the switch. A
wireshark capture confirmed the 0 tag. We attempted to add a :1 after
Tunnel-Private-Group-ID, but that didn't pan out either.

We then attempted to use unlang in the users file to accomplish the same thing.
(Tunnel-Client-Endpoint was added to ldap.attrmap as a dummy variable to hold
the 'ourldapattribforthevlan' from LDAP)


unlang doesn't live in the users file; it lives in the config file, like so:

# virtual server definition (e.g. sites-enabled/default), not the users file
server {
  authorize {
    preprocess
    ldap
    update reply {
      Tunnel-Private-Group-Id:1 := "%{reply:Tunnel-Client-Endpoint}"
    }
  }
}


DEFAULT
        Tunnel-Private-Group-ID:1 := `%{reply:Tunnel-Client-Endpoint}`,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802


This isn't unlang - it's just a plain files module entry.


With this configuration, we tried countless combinations of backticks, single
quotes, and double quotes. The best response we could send back to the switch
was:
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 =


It looks to me like the files module was running before the ldap module.


Has anyone else come across the issue with Cisco not dealing w/ 0 tags? Is
there a way to use unlang to pull in the variables to be used in the users
file?


I have not. RFC2868 seems pretty clear that a 0 tag is permitted. I've
used vlan assignment with a cisco (formerly Airespace) WISM and it will
take a 0 tag.

What platform & IOS version are you on?


As I say, unlang doesn't run in the users file - think of it as
conditional branching and so forth for the config file.


Thank you for taking the time to read this. After a couple of days of
searching, we still haven't come up w/ the correct search terms for google.

Thank you,
Mike Coles

--
This message was sent on behalf of [EMAIL PROTECTED] at openSubscriber.com
http://www.opensubscriber.com/messages/freeradius-users@lists.freeradius.org/topic.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


unlang to overcome cisco zero tag issue and for dynamic vlan assignment

2008-04-09 Thread bluelip
We'd like to setup the following:

A workstation is booted, the supplicant asks for the credentials, the cisco
switch passes the credentials to a freeradius server, freeradius authenticates
the user to an edirectory ldap server, freeradius decides which
Tunnel-Private-Group-Id to send back to the switch to place the user into the
correct VLAN.

The authentication/authorization works fine. The cisco switch accepts the
returned VLAN info if we hard code it into the users file such as with:

DEFAULT
        Tunnel-Private-Group-ID:1 := 901,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802

We attempted to make the configuration more generic by setting
Tunnel-Private-Group-ID equal to an LDAP attribute in ldap.attrmap. This would
automatically associate the VLAN ID w/ the user.

replyItem   Tunnel-Private-Group-ID ourldapattribforthevlan

That didn't work because freeradius wasn't associating a tag with the
attribute (or was setting it to zero) when responding to the switch. A
wireshark capture confirmed the 0 tag. We attempted to add a :1 after
Tunnel-Private-Group-ID, but that didn't pan out either.

We then attempted to use unlang in the users file to accomplish the same thing.
(Tunnel-Client-Endpoint was added to ldap.attrmap as a dummy variable to hold
the 'ourldapattribforthevlan' from LDAP)


DEFAULT
        Tunnel-Private-Group-ID:1 := `%{reply:Tunnel-Client-Endpoint}`,
        Tunnel-Type:1 = VLAN,
        Tunnel-Medium-Type:1 = IEEE-802

With this configuration, we tried countless combinations of backticks, single
quotes, and double quotes. The best response we could send back to the switch
was:
Tunnel-Type:1 = VLAN
Tunnel-Medium-Type:1 = IEEE-802
Tunnel-Private-Group-Id:1 =

Has anyone else come across the issue with Cisco not dealing w/ 0 tags? Is
there a way to use unlang to pull in the variables to be used in the users
file?

Thank you for taking the time to read this. After a couple of days of
searching, we still haven't come up w/ the correct search terms for google.

Thank you,
Mike Coles

--
This message was sent on behalf of [EMAIL PROTECTED] at openSubscriber.com
http://www.opensubscriber.com/messages/freeradius-users@lists.freeradius.org/topic.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)

2007-11-08 Thread schilling
This is the catch, I swear we tried at some point, apparently, we were
missing something else at that time.

Everything has worked out now.

Thanks all for reply.

Have a nice day.

Regards,

shiling

On Nov 7, 2007 4:49 PM,  [EMAIL PROTECTED] wrote:
 Hi,

  userx   Cleartext-Password := hello
  Service-Type = Framed-User,
  Tunnel-Type = VLAN,
  Tunnel-Medium-Type = 802,
  Tunnel-Private-Group-ID = 552

 Tunnel-Medium-Type = IEEE-802,

 where did you get just '802' from?

 alan

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)

2007-11-07 Thread A . L . M . Buxey
Hi,

 We read all dynamic vlan related posts in this mailing list archive,
 but still can't get it to work even the authentication is working
 good.

in your eap.conf have you set the copy to inner tunnel to be yes?

on your switch, have you set the device to accept server defined
VLANs?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)

2007-11-07 Thread schilling
We read all dynamic vlan related posts in this mailing list archive,
but still can't get it to work even the authentication is working
good.

We are trying to get dynamic vlan assignment from freeradius version
 with local user database using eap-ttls-pap. But client PC was
able to authenticate, but is not in the intended VLAN (dynamic vlan
assignment is not working).  Any suggestion is highly appreciated.

FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu

DEBUG INFO

TTLS: Got tunneled reply RADIUS code 2
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-Id:0 = 552
Wed Nov  7 11:48:33 2007 : Debug:   TTLS: Got tunneled Access-Accept
Wed Nov  7 11:48:33 2007 : Debug:   rlm_eap: Freeing handler
Wed Nov  7 11:48:33 2007 : Debug:   modsingle[authenticate]: returned
from eap (rlm_eap) for request 29
Wed Nov  7 11:48:33 2007 : Debug:   modcall[authenticate]: module eap
returns ok for request 29
Wed Nov  7 11:48:33 2007 : Debug: modcall: leaving group authenticate
(returns ok) for request 29
Sending Access-Accept of id 4 to 128.186.252.8 port 1645

USER FILE

userx   Cleartext-Password := hello
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = 552


debug dot1x all in cisco showed that the switch successfully assigns
vlan 0 to fa0/2 (the dot1x enabled port) after getting authenticated. We
are thinking this means the vlan is not communicated between
freeradius and the switch, but we don't know why.


The test switch is cisco3550 running ios 12.2(35)SE. I have also
tried the configuration in the freeradius wiki, with the same result.
aaa new model
aaa authorization network default group radius
aaa authentication dot1x default group radius

and
dot1x system-auth-control

fa0/2 is my test port.

med-res-t#sh run
Building configuration...

Current configuration : 3450 bytes
!
! Last configuration change at 11:19:46 eastern Wed Nov 7 2007 by cisco
! NVRAM config last updated at 11:17:30 eastern Wed Nov 7 2007 by cisco
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname med-res-t
!
logging buffered 65536 debugging
no logging console
enable secret 5 *
!
username cisco privilege 15 secret 5 ***
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
!
aaa session-id common
clock timezone eastern -5
ip subnet-zero
ip domain-name test.edu
!
ip ssh version 2
vtp mode transparent
!
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100,200
!
!
vlan 552
 name test-fwsm-lan
!
vlan 553
 name retricted-vlan
!
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
!

!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 543,552
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan552
 ip address 10.128.252.8 255.255.255.0
!
ip default-gateway 10.128.252.1
ip classless
ip http server
ip http secure-server
!
!
radius-server host 10.128.33.163 auth-port 1612 acct-port 1646 key 7
070C285F4D06
radius-server source-ports 1645-1646
!
control-plane
!
line con 0
line vty 5 15
!
ntp clock-period 17179941
ntp server 10.128.8.8
end

med-res-t#
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)

2007-11-07 Thread schilling
On Nov 7, 2007 1:38 PM,  [EMAIL PROTECTED] wrote:
 Hi,

  We read all dynamic vlan related posts in this mailing list archive,
  but still can't get it to work even the authentication is working
  good.

 in your eap.conf have you set the copy to inner tunnel to be yes?
Are you referring to
ttls {
   copy_request_to_tunnel = yes
}

From reading the comment about that, this looks related to request,
instead of reply.

Thanks.

Shiling


 on your switch, have you set the device to accept server defined
 VLANs?
I believe in cisco
aaa authorization network default group radius
will enable switch to accept radius defined VLAN.


 alan
 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)

2007-11-07 Thread A . L . M . Buxey
Hi,

  on your switch, have you set the device to accept server defined
  VLANs?
 I believe in cisco
 aaa authorization network default group radius
 will enable switch to accept radius defined VLAN.

err, no. all that does is say 'use the radius group to
authorize network'. you still have to configure the
edge ports for 802.1X or nothing will happen

dot1x port-control auto

is something more useful

I'd suggest some basic 802.1X cisco guide, eg

http://www.ciscopress.com/articles/article.asp?p=29600&seqNum=3&rl=1

but you should be doing your own homework - or paying
us consultancy rates for doing it for you  ;-)

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)

2007-11-07 Thread A . L . M . Buxey
Hi,

 userx   Cleartext-Password := hello
 Service-Type = Framed-User,
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = 802,
 Tunnel-Private-Group-ID = 552

Tunnel-Medium-Type = IEEE-802,

where did you get just '802' from?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


EAP/PEAP, LDAP and Dynamic VLAN Assignment HOW-TO

2007-07-17 Thread Vincenzo Agosti
Hi,
I would like to build this architecture:
- authentication EAP/PEAP with MS-CHAPv2 with users in an LDAP database. Better
with encrypted passwords, but not necessary.
- Every user has an attribute or something to assign them a VLAN.
I have OpenLDAP and Freeradius 1.1.3, the distribution present in CentOS
5.
Is it possible? Some suggestions?

 --
  Vincenzo Agosti
  Università degli Studi di Salerno
 Ufficio Sistemi Tecnologici
  Coordinamento Servizi Informatici
Via Ponte don Melillo, s.n.c.
84084 - Fisciano (SA)
 Tel.  +39 089 96 6101 - 9776
  Fax  +39 089 96 6368 - 9806
Cell. +39 335 427674
--



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE : EAP/PEAP, LDAP and Dynamic VLAN Assignment HOW-TO

2007-07-17 Thread Thibault Le Meur
Hi,

 
 
 Hi,
 i would make this architecture:
 - authentication EAP/PEAP with MS-CHAPv2 with users in LDAP 
 database. Better with encrypted password, but not necessary.

Either:
* use Clear-text passwords in the userpassword attribute
* OR add an Ldap attribute that will hold the NTLM hash version of the user
password (with leading '0x'), then use ldap.attrmap to map NT-Password to
your LDAP ntlm password attribute

 - Every users have an attribute or something to assign it a 
 VLAN.

You can use radiusReplyItem LDAP attribute
OR create several radius profiles (one for each VLAN) and assign the one
that corresponds to the user 
In the users file (for instance using LDAP-groups)

 I have OpenLDAP and Freeradius 1.1.3, the distributuion 
 presents in CentOS 5. Is it possible? Some suggestions?

Yes it is possible in several ways... Find your own...

HTH,
Thibault


 
  --
   Vincenzo Agosti
   Università degli Studi di Salerno
  Ufficio Sistemi Tecnologici
   Coordinamento Servizi Informatici
 Via Ponte don Melillo, s.n.c.
 84084 - Fisciano (SA)
  Tel.  +39 089 96 6101 - 9776
   Fax  +39 089 96 6368 - 9806
 Cell. +39 335 427674
 --
 
 
 
 - 
 List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html
 



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Dynamic VLAN assignment

2004-05-25 Thread Willey Kurt D
I was under the impression that 1 AP = 1 VLAN.  Has trunking been added?




-Original Message-
From: Artur Hecker [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 24, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Dynamic VLAN assignment

i don't know, but i would say execute an external program which reads a 
VLAN list file and attributes and marks as used the next unused VLAN.

but you will end up with #VLANs = #users... it's pretty heavy (pull all 
the VLANs from all APs to the switches) and quite limited, isn't it?


ciao
artur


Dan Armstrong wrote:

 I know this idea is a bit whacked, but if anybody can think of a 
 creative way I might be able to achieve it - I would be eternally 
 grateful...
 
 We are authenticating wireless users from a Cisco Aironet (1100/1200).

 I know that I can pass back a VLAN to plop the user into, once 
 authenticated.
 
 What I want to do is have radius keep a pool of VLANs, and each time a
 user is authenticated, they end up in the next VLAN.  It would also have
 to return disconnected vlans back into the pool for reuse.
 
 Any thoughts?
 
 (If there is no relatively simple way to do this, I do have budget if 
 anybody out there wants to help code it)
 
 :-)
 
 Thanks,
 
 Dan.
 
 
 
 - List info/subscribe/unsubscribe? See 
 http://www.freeradius.org/list/users.html

-- 
Artur Hecker
artur[at]hecker.info


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN assignment

2004-05-25 Thread Dan Armstrong




Oh yes... You can use the eth port as a trunk, and the radio can
either tie different SSIDs to VLANs, or different users can be put into
different VLANs if you are using some sort of authentication.


Willey Kurt D wrote:

 I was under the impression that 1 AP = 1 VLAN.  Has trunking been added?

 -Original Message-
 From: Artur Hecker [mailto:[EMAIL PROTECTED]]
 Sent: Monday, May 24, 2004 5:40 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Dynamic VLAN assignment

 i don't know, but i would say execute an external program which reads a
 VLAN list file and attributes and marks as used the next unused VLAN.

 but you will end up with #VLANs = #users... it's pretty heavy (pull all
 the VLANs from all APs to the switches) and quite limited, isn't it?

 ciao
 artur

 Dan Armstrong wrote:

  I know this idea is a bit whacked, but if anybody can think of a
  creative way I might be able to achieve it - I would be eternally
  grateful...

  We are authenticating wireless users from a Cisco Aironet (1100/1200).

  I know that I can pass back a VLAN to plop the user into, once
  authenticated.

  What I want to do is have radius keep a "pool" of VLANs, and each time a
  user is authenticated, they end up in the next VLAN.  It would also have
  to return disconnected vlans back into the pool for reuse.

  Any thoughts?

  (If there is no relatively simple way to do this, I do have budget if
  anybody out there wants to help code it)

  :-)

  Thanks,

  Dan.

  - List info/subscribe/unsubscribe? See
  http://www.freeradius.org/list/users.html

Re: Dynamic VLAN assignment

2004-05-25 Thread Dan Armstrong
(this is now kind of off the topic of radius but... )
Yes, it is a bit heavy...  What this is really doing is kind of sort of 
mimicking private VLANs in the Catalyst sense.  Where each user in a 
VLAN cannot see each other, but they can all send traffic towards one 
assigned port...

I am playing chicken with the Cisco development team.  By the time I run 
into a hard limit somewhere, I am hoping they will have coded private 
VLANs into the Aironets


Artur Hecker wrote:
i don't know, but i would say execute an external program which reads 
a VLAN list file and attributes and marks as used the next unused VLAN.

but you will end up with #VLANs = #users... it's pretty heavy (pull 
all the VLANs from all APs to the switches) and quite limited, isn't it?

ciao
artur
Dan Armstrong wrote:
I know this idea is a bit whacked, but if anybody can think of a 
creative way I might be able to achieve it - I would be eternally 
grateful...

We are authenticating wireless users from a Cisco Aironet 
(1100/1200).  I know that I can pass back a VLAN to plop the user 
into, once authenticated.

What I want to do is have radius keep a pool of VLANs, and each 
time a user is authenticated, they end up in the next VLAN.  It would 
also have to return disconnected vlans back into the pool for reuse.

Any thoughts?
(If there is no relatively simple way to do this, I do have budget if 
anybody out there wants to help code it)

:-)
Thanks,
Dan.

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN assignment

2004-05-25 Thread Josh Howlett
IIRC, the Aironets can only take either 8 or 16 VLANs.

You may be better off using the filtering functions in the Aironet to
restrict the forwarding of frames between wireless stations, instead of
using VLANs like this.

josh.

On Tue, 2004-05-25 at 15:27, Dan Armstrong wrote:
 (this is now kind of off the topic of radius but... )
 
 Yes, it is a bit heavy...  What this is really doing is kind of sort of 
 mimicking private VLANs in the Catalyst sense.  Where each user in a 
 VLAN cannot see each other, but they can all send traffic towards one 
 assigned port...
 
 I am playing chicken with the Cisco development team.  By the time I run 
 into a hard limit somewhere, I am hoping they will have coded private 
 VLANs into the Aironets
 
 
 
 Artur Hecker wrote:
 
  i don't know, but i would say execute an external program which reads 
  a VLAN list file and attributes and marks as used the next unused VLAN.
 
  but you will end up with #VLANs = #users... it's pretty heavy (pull 
  all the VLANs from all APs to the switches) and quite limited, isn't it?
 
 
  ciao
  artur
 
 
  Dan Armstrong wrote:
 
  I know this idea is a bit whacked, but if anybody can think of a 
  creative way I might be able to achieve it - I would be eternally 
  grateful...
 
  We are authenticating wireless users from a Cisco Aironet 
  (1100/1200).  I know that I can pass back a VLAN to plop the user 
  into, once authenticated.
 
  What I want to do is have radius keep a pool of VLANs, and each 
  time a user is authenticated, they end up in the next VLAN.  It would 
  also have to return disconnected vlans back into the pool for reuse.
 
  Any thoughts?
 
  (If there is no relatively simple way to do this, I do have budget if 
  anybody out there wants to help code it)
 
  :-)
 
  Thanks,
 
  Dan.
 
 
 
  - List info/subscribe/unsubscribe? See 
  http://www.freeradius.org/list/users.html
 
 
 
 
 - 
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- 
---
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: [EMAIL PROTECTED]



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN assignment

2004-05-25 Thread Artur Hecker
well, i thought Dan was speaking about a new VLAN per user not per AP. 
this is possible with Cisco APs. as far as i know, 1200 and 1100 can do 
trunking.

ciao
artur
Willey Kurt D wrote:
I was under the impression that 1 AP = 1 VLAN.  Has trunking been added?

-Original Message-
From: Artur Hecker [mailto:[EMAIL PROTECTED] 
Sent: Monday, May 24, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Dynamic VLAN assignment

i don't know, but i would say execute an external program which reads a 
VLAN list file and attributes and marks as used the next unused VLAN.

but you will end up with #VLANs = #users... it's pretty heavy (pull all 
the VLANs from all APs to the switches) and quite limited, isn't it?

ciao
artur
Dan Armstrong wrote:

I know this idea is a bit whacked, but if anybody can think of a 
creative way I might be able to achieve it - I would be eternally 
grateful...

We are authenticating wireless users from a Cisco Aironet (1100/1200).

I know that I can pass back a VLAN to plop the user into, once 
authenticated.

What I want to do is have radius keep a pool of VLANs, and each time a
user is authenticated, they end up in the next VLAN.  It would also have
to return disconnected vlans back into the pool for reuse.
Any thoughts?
(If there is no relatively simple way to do this, I do have budget if 
anybody out there wants to help code it)

:-)
Thanks,
Dan.

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Dynamic VLAN assignment

2004-05-25 Thread Hayes, Scott
I've done trunking of more than 3 vlans with the 1200 series. I
configured one as my native network management vlan, and two  others
bound to different SSIDs. I think it's possible to have even more than
that, but only one Guest mode VLAN.

-Original Message-
From: Artur Hecker [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 25, 2004 10:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Dynamic VLAN assignment

well, i thought Dan was speaking about a new VLAN per user not per AP. 
this is possible with Cisco APs. as far as i know, 1200 and 1100 can do 
trunking.


ciao
artur


Willey Kurt D wrote:

 I was under the impression that 1 AP = 1 VLAN.  Has trunking been added?
 
 
 
 
 -Original Message-
 From: Artur Hecker [mailto:[EMAIL PROTECTED] 
 Sent: Monday, May 24, 2004 5:40 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Dynamic VLAN assignment
 
 i don't know, but i would say execute an external program which reads a
 VLAN list file and attributes and marks as used the next unused VLAN.

 but you will end up with #VLANs = #users... it's pretty heavy (pull all
 the VLANs from all APs to the switches) and quite limited, isn't it?
 
 
 ciao
 artur
 
 
 Dan Armstrong wrote:
 
 
I know this idea is a bit whacked, but if anybody can think of a 
creative way I might be able to achieve it - I would be eternally 
grateful...

We are authenticating wireless users from a Cisco Aironet (1100/1200).
 
 
I know that I can pass back a VLAN to plop the user into, once 
authenticated.

What I want to do is have radius keep a pool of VLANs, and each time a
user is authenticated, they end up in the next VLAN.  It would also have
to return disconnected vlans back into the pool for reuse.

Any thoughts?

(If there is no relatively simple way to do this, I do have budget if 
anybody out there wants to help code it)

:-)

Thanks,

Dan.



- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
 
 

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN assignment

2004-05-25 Thread Bob McCormick
Why not use public secure packet forwarding?
 Public Secure Packet Forwarding (PSPF) prevents client devices  
associated to an access point from inadvertently sharing files or  
communicating with other client devices associated to the access point.  
It provides Internet access to client devices without providing other  
capabilities of a LAN. This feature is useful for public wireless  
networks like those installed in airports or on college campuses.

http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c3.html#wp1038494

On May 25, 2004, at 8:27 AM, Dan Armstrong wrote:
(this is now kind of off the topic of radius but... )
Yes, it is a bit heavy...  What this is really doing is kind of sort  
of mimicking private VLANs in the Catalyst sense.  Where each user  
in a VLAN cannot see each other, but they can all send traffic towards  
one assigned port...

I am playing chicken with the Cisco development team.  By the time I  
run into a hard limit somewhere, I am hoping they will have coded  
private VLANs into the Aironets


Artur Hecker wrote:
i don't know, but i would say execute an external program which reads
a VLAN list file and attributes and marks as used the next unused
VLAN.

but you will end up with #VLANs = #users... it's pretty heavy (pull  
all the VLANs from all APs to the switches) and quite limited, isn't  
it?

ciao
artur
Dan Armstrong wrote:
I know this idea is a bit whacked, but if anybody can think of a  
creative way I might be able to achieve it - I would be eternally  
grateful...

We are authenticating wireless users from a Cisco Aironet  
(1100/1200).  I know that I can pass back a VLAN to plop the user  
into, once authenticated.

What I want to do is have radius keep a pool of VLANs, and each  
time a user is authenticated, they end up in the next VLAN.  It  
would also have to return disconnected vlans back into the pool for  
reuse.

Any thoughts?
(If there is no relatively simple way to do this, I do have budget  
if anybody out there wants to help code it)

:-)
Thanks,
Dan.

- List info/subscribe/unsubscribe? See  
http://www.freeradius.org/list/users.html


- List info/subscribe/unsubscribe? See  
http://www.freeradius.org/list/users.html

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Dynamic VLAN assignment

2004-05-24 Thread Dan Armstrong
I know this idea is a bit whacked, but if anybody can think of a 
creative way I might be able to achieve it - I would be eternally 
grateful...

We are authenticating wireless users from a Cisco Aironet (1100/1200).  
I know that I can pass back a VLAN to plop the user into, once 
authenticated.

What I want to do is have radius keep a pool of VLANs, and each time a 
user is authenticated, they end up in the next VLAN.  It would also have 
to return disconnected vlans back into the pool for reuse.

Any thoughts?
(If there is no relatively simple way to do this, I do have budget if 
anybody out there wants to help code it)

:-)
Thanks,
Dan.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Dynamic VLAN assignment

2004-05-24 Thread Artur Hecker
i don't know, but i would say execute an external program which reads a 
VLAN list file and attributes and marks as used the next unused VLAN.

but you will end up with #VLANs = #users... it's pretty heavy (pull all 
the VLANs from all APs to the switches) and quite limited, isn't it?

ciao
artur
Dan Armstrong wrote:
I know this idea is a bit whacked, but if anybody can think of a 
creative way I might be able to achieve it - I would be eternally 
grateful...

We are authenticating wireless users from a Cisco Aironet (1100/1200).  
I know that I can pass back a VLAN to plop the user into, once 
authenticated.

What I want to do is have radius keep a pool of VLANs, and each time a 
user is authenticated, they end up in the next VLAN.  It would also have 
to return disconnected vlans back into the pool for reuse.

Any thoughts?
(If there is no relatively simple way to do this, I do have budget if 
anybody out there wants to help code it)

:-)
Thanks,
Dan.

- List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html
--
Artur Hecker
artur[at]hecker.info
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
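Artur's suggestion for Dan's request, an external program that reads a list of VLANs and marks the next unused one as taken, comes down to a small allocator with one awkward requirement: the VLAN must come back when the session ends, and the pool is tiny because the access point only trunks a handful of VLANs. The following is an added example, not code from any of the posters or from FreeRADIUS. It keeps the pool in memory and is driven by a constructed list of RADIUS events (Access-Request to allocate, Accounting-Request Stop to release), keyed on NAS-IP-Address plus Calling-Station-Id; the pool range, the session key and the sample events are all assumptions made for the illustration.

```python
"""Per-session VLAN pool: next free VLAN on Access-Request, returned on
Accounting Stop. Added example, not FreeRADIUS code; pool range, session
key and sample events are constructed for the illustration."""


class VlanPool:
    """First-fit allocator over a fixed, small VLAN range (Aironet-class APs
    trunk only a handful of VLANs, so exhaustion is a normal case)."""

    def __init__(self, vlan_ids, fallback=None):
        self.free = list(dict.fromkeys(vlan_ids))   # keep order, drop duplicates
        self.in_use = {}                             # session_key -> vlan
        self.fallback = fallback                     # shared VLAN when exhausted; None = reject

    def allocate(self, session_key):
        """VLAN for this session. A re-authentication of a live session keeps its
        VLAN; an exhausted pool yields the fallback (None means reject)."""
        if session_key in self.in_use:
            return self.in_use[session_key]
        if not self.free:
            return self.fallback
        vlan = self.free.pop(0)
        self.in_use[session_key] = vlan
        return vlan

    def release(self, session_key):
        """Return the VLAN to the pool. Duplicate or unknown Stops are ignored
        (returns None) so a retransmitted Accounting packet cannot free a VLAN twice."""
        vlan = self.in_use.pop(session_key, None)
        if vlan is not None:
            self.free.append(vlan)
        return vlan


def reply_items(vlan, tag=0):
    """Reply attributes in users-file spelling; the tag must match what the NAS expects."""
    return {f"Tunnel-Type:{tag}": "VLAN",
            f"Tunnel-Medium-Type:{tag}": "IEEE-802",
            f"Tunnel-Private-Group-Id:{tag}": str(vlan)}


def process(events, pool):
    """Drive the pool from RADIUS packets. Returns a list of
    (User-Name, decision, reply-items-or-release-info) so the result can be checked."""
    log = []
    for ev in events:
        # Session key: NAS plus client MAC, both present in Access-Request and Accounting.
        key = (ev["NAS-IP-Address"], ev["Calling-Station-Id"].lower())
        if ev["Code"] == "Access-Request":
            vlan = pool.allocate(key)
            if vlan is None:
                log.append((ev["User-Name"], "Access-Reject", None))
            else:
                log.append((ev["User-Name"], "Access-Accept", reply_items(vlan)))
        elif ev["Code"] == "Accounting-Request" and ev.get("Acct-Status-Type") == "Stop":
            log.append((ev["User-Name"], "Acct-Stop", {"released": pool.release(key)}))
    return log


def _ev(code, user, mac, nas="10.0.0.5", status=None):
    ev = {"Code": code, "User-Name": user, "Calling-Station-Id": mac, "NAS-IP-Address": nas}
    if status:
        ev["Acct-Status-Type"] = status
    return ev


# Constructed event sequence: two-VLAN pool, three clients, one disconnect.
SAMPLE_EVENTS = [
    _ev("Access-Request", "alice", "00-11-22-AA-AA-AA"),
    _ev("Access-Request", "bob",   "00-11-22-BB-BB-BB"),
    _ev("Access-Request", "carol", "00-11-22-CC-CC-CC"),                    # pool exhausted
    _ev("Access-Request", "alice", "00-11-22-AA-AA-AA"),                    # re-auth keeps VLAN
    _ev("Accounting-Request", "alice", "00-11-22-AA-AA-AA", status="Stop"),
    _ev("Access-Request", "carol", "00-11-22-CC-CC-CC"),                    # gets alice's VLAN
    _ev("Accounting-Request", "alice", "00-11-22-AA-AA-AA", status="Stop"),  # duplicate Stop
]


def demo(fallback=None):
    return process(SAMPLE_EVENTS, VlanPool([10, 11], fallback=fallback))


if __name__ == "__main__":
    for user, decision, attrs in demo():
        print(user, decision, attrs)
```

With rlm_exec every request spawns a fresh process, so an in-memory pool like this only works inside a long-lived helper (or with the state in a file taken under a lock); the allocation logic is the same either way. The key is the client's MAC, so the isolation this buys rests on the 802.1X authentication that precedes the Access-Request, not on the pool itself, and Accounting Stops are trusted only because they are authenticated with the shared secret.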