Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-16 Thread Alan DeKok
Arran Cudbard-Bell wrote:
> Not true, see HPs Open VLAN feature. The NAS may also request that the
> supplicant be put into a certain VLAN based on the static VLAN
> assignment on the port the supplicant is connecting to.

  Wild.  I hadn't seen that before.

  In any case, the original poster hasn't configured a "check vlan"
policy, and hasn't showed via "radiusd -X" that the client is in fact
sending vlan information.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-16 Thread Arran Cudbard-Bell

Alan DeKok wrote:

[EMAIL PROTECTED] wrote:
...
  

What certificate I should use, so that it validates the:
carlos User-Password == "carlos"
 Service-Type = Framed-User,
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-Id = 2

and if the user carlos accesses VLAN 2, he can access, otherwise he
doesn't get access.



  RADIUS doesn't work that way.  The NAS doesn't tell the server what
VLAN the user is in, because the user is NOT in a VLAN until they have
been authenticated.
  
Not true, see HPs Open VLAN feature. The NAS may also request that the 
supplicant be put into a certain VLAN based on the static VLAN 
assignment on the port the supplicant is connecting to.


rad_recv: Access-Request packet from host 139.184.9.175 port 1024, 
id=119, length=306

   Framed-MTU = 1480
   NAS-IP-Address = xxx.xxx.xxx.xxx
   NAS-Identifier = "xx"
   User-Name = "xxx"
   Service-Type = Framed-User
   Framed-Protocol = PPP
   NAS-Port = 28
   NAS-Port-Type = Ethernet
   NAS-Port-Id = "28"
   Called-Station-Id = "xx-xx-xx-xx-xx-xx"
   Calling-Station-Id = "xx-xx-xx-xx-xx-xx""
   Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
   Tunnel-Type:0 = VLAN
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = "700"
   State = 0x20f6a63dccf5843da5b75a3deaca3c2d
   EAP-Message =
   Message-Authenticator =

Of course whether the Server decides to honor the NAS's request is 
another matter.

  Alan DeKok.
  

--
Arran Cudbard-Bell ([EMAIL PROTECTED])
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton

EXT:01273 873900 | INT: 3900



Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-16 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
...
> What certificate I should use, so that it validates the:
> carlos User-Password == "carlos"
>  Service-Type = Framed-User,
>  Tunnel-Type = VLAN,
>  Tunnel-Medium-Type = IEEE-802,
>  Tunnel-Private-Group-Id = 2
> 
> and if the user carlos accesses VLAN 2, he can access, otherwise he
> doesn't get access.

  RADIUS doesn't work that way.  The NAS doesn't tell the server what
VLAN the user is in, because the user is NOT in a VLAN until they have
been authenticated.

  Alan DeKok.


Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-16 Thread [EMAIL PROTECTED]



you certainly aren't checking that the VLAN is 2 - and if it isn't then fail
the authentication. i can understand what you are trying to do...but
to do THAT sort of thing you will need to use checking attributes,
not setting attributes.


you should find that the port which carlos is attached to is being put onto
VLAN 2 if the config is correct.


How do I know if my certificate is checking that the VLAN is 2, and
why doesn't the authentication fail?

What certificate I should use, so that it validates the:
carlos User-Password == "carlos"
 Service-Type = Framed-User,
 Tunnel-Type = VLAN,
 Tunnel-Medium-Type = IEEE-802,
 Tunnel-Private-Group-Id = 2

and if the user carlos accesses VLAN 2, he can access, otherwise
he doesn't get access.


But in my case the user carlos can access any VLAN, for example
VLAN 3 or 4.

Tell me what certificate I can use that validates the Tunnel-Type, and how to form it.









Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-15 Thread tnt
>
>How you see this is the configuration from my switch.
>In the file users I have the following configuration.
>+
>carlos User-Password == "carlos"
> Service-Type = Framed-User,
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 2
>
>saul User-Password == "saul"
> Service-Type = Framed-User,
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-ID = 4
>
>+
>
>Now the problem is that: the PC client (Windows XP) is connected to
>port 17, so it is included in VLAN 4. When I enter the user
>carlos and his password carlos it shouldn't authenticate, because this
>user is assigned to VLAN 2. But the problem is that the user is
>authenticated and has access to VLAN 4.
>
>My conclusion is that: Tunnel-Type = VLAN,
>Tunnel-Medium-Type = IEEE-802,
>Tunnel-Private-Group-Id = 2
>don't work.

Your conclusion is most likely wrong. It sounds like you don't have
dynamic VLANs. Tunnel attributes will then get ignored and only username
& password will be relevant. So the client will connect. Tunnel attributes
are sent in the reply to the switch. If the switch doesn't support
dynamic VLAN assignment ...

Ivan Kalik
Kalik Informatika ISP



Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-15 Thread A . L . M . Buxey
Hi,

> carlos User-Password == "carlos"
> Service-Type = Framed-User,
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 2
> 
> saul User-Password == "saul"
> Service-Type = Framed-User,
> Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-ID = 4
> 
> +
> 
> Now the problem is that: the PC client (Windows XP) is connected to
> port 17, so it is included in VLAN 4. When I enter the user
> carlos and his password carlos it shouldn't authenticate, because this
> user is assigned to VLAN 2. But the problem is that the user is
> authenticated and has access to VLAN 4.
> 
> My conclusion is that: Tunnel-Type = VLAN,
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 2
> don't work.

err, no. not at all. with the config that you have posted what you are saying
is 'if the user is Carlos and the password is correct then set the vlan to be 2'

you certainly aren't checking that the VLAN is 2 - and if it isn't then fail
the authentication. i can understand what you are trying to do...but to do THAT
sort of thing you will need to use checking attributes, not setting attributes.

you should find that the port which carlos is attached to is being put onto
VLAN 2 if the config is correct.

alan


Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-15 Thread [EMAIL PROTECTED]

Hi,


carlos  Auth-Type = EAP, User-Password == "carlos"

  

I removed the part indicated: carlos  User-Password == "carlos"
The problem continues. I did the following:
In my switch I formed three VLANs, 2, 3 and 4. After that I assigned IPs to the VLANs and
ports too.

This is all the configuration from the switch:
===
console# show running-config
interface ethernet g1
exit
vlan database
vlan 2-4
exit
interface range ethernet g(2-8)
switchport access vlan 2
exit
interface range ethernet g(9-14)
switchport access vlan 3
exit
interface range ethernet g(15-20)
switchport access vlan 4
exit
dot1x system-auth-control
interface range ethernet g(2-8,10-14,16-20)
dot1x port-control auto
exit
interface range ethernet g(2-8,10-14,16-20)
dot1x re-authentication
exit
interface vlan 2
ip address 192.168.2.2 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.3 255.255.255.0
exit
interface vlan 4
ip address 10.20.10.251 255.255.255.0
exit
ip default-gateway 10.20.10.1
radius-server host 10.20.10.13 auth-port  1645 timeout  3
radius-server host 10.20.10.251 auth-port 1645 timeout 3 retransmit 3 key misecreto
radius-server host 192.168.2.2 auth-port 1645 timeout 3 retransmit 3 key misecreto
radius-server host 192.168.3.3 auth-port 1645 timeout 3 retransmit 3 key misecreto
radius-server key misecreto
aaa authentication dot1x default radius
username admin password 7d8c9c8b116cdfe3fb091f4c1ac684de level 15 encrypted

Vlan   Name   Ports                Type        Authorization
----   ----   -------------------  ---------   -------------
 1     1      g(1,21-24),ch(1-8)   other       Required
 2     2      g(1-8)               permanent   Required
 3     3      g(1,9-14)            permanent   Required
 4     4      g(15-20)             permanent   Required

console# show ip interface


  Gateway IP Address   Activity status   Type
  -------------------  ----------------  ------
  10.20.10.1           Active            static


  IP Address        I/F      Type
  ---------------   ------   ------
  10.20.10.251/24   vlan 4   Static
  192.168.2.2/24    vlan 2   Static
  192.168.3.3/24    vlan 3   Static
===

As you can see, this is the configuration of my switch.
In the users file I have the following configuration.
+
carlos User-Password == "carlos"
Service-Type = Framed-User,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 2

saul User-Password == "saul"
Service-Type = Framed-User,
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID = 4

+

Now the problem is that: the PC client (Windows XP) is connected to
port 17, so it is included in VLAN 4. When I enter the user
carlos and his password carlos it shouldn't authenticate, because this
user is assigned to VLAN 2. But the problem is that the user is
authenticated and has access to VLAN 4.


My conclusion is that: Tunnel-Type = VLAN,
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 2
don't work.

 I probably need to configure something.








Re: Using freeradius and 802.1x for dynamic VLAN

2007-10-11 Thread A . L . M . Buxey
Hi,

> I use freeradius-1.0.4-1.FC4.1 version in a PC Linux Fedora Core 4.  

I won't even bother starting with the upgrade to 1.1.7 stuff. if you want to run 
buggy older and insecure versions then that's YOUR choice.

> carlos  Auth-Type := EAP, User-Password == "carlos"
> Service-Type = Framed-User,
> Tunne-type = VLAN,
> Tunnel-medium-type = IEEE-802,
> Tunnel-Private-Group-Id = 2

where to start? perhaps the 'don't ever set Auth-Type := EAP' would be
as good a place as any.  other than that i'll assume that you've
not noticed the typo on the Tunnel-Type line?

so if you've set those attributes then they aren't going back to the switch?
well, if you read eap.conf you'll see the part that says 'tunnel reply';
you need to set that to "yes" and then those attributes will go back to the switch


alan


Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-10-06 Thread nevot
I succeeded following these steps:
http://security.fi.infn.it/TRIP/802.1x-wired/802.1x-wired.html

regards

2005/10/6, HOWLETT CDsicEmi <[EMAIL PROTECTED]>:
>
> Hi Everyone,
>
> Dave,
> Are you sure the command aaa authentication network default group radius is
> valid on 2950 switches ? I am running Version 12.1(22)EA5, which was the
> last stable image in july and "network" is not available as aaa
> authentication option.



RE: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-10-06 Thread Øystein Gåsdal



I think you need to apply this command to the port:

switchport access vlan dynamic

- Øystein Gåsdal


From: HOWLETT C DsicEmi [mailto:[EMAIL PROTECTED]]
Sent: 6 October 2005 10:54
To: freeradius-users@lists.freeradius.org
Subject: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

Hi Everyone,

Dave,
Are you sure the command aaa authentication network default group radius is valid
on 2950 switches? I am running Version 12.1(22)EA5, which was the last stable
image in July, and "network" is not available as aaa authentication option.

If anyone has met any success with dynamic VLAN assignment on Cisco 2950 with
FreeRadius, I am interested!
Here is how my user is declared:

Client_Arpege Auth-Type := EAP
Service-Type = Framed-User,
Reply-Message = "Authentification OK - Bienvenue sur le RCSG",
Tunnel-Type = :1:VLAN,
Tunnel-Medium-Type = :1:6,
Tunnel-Private-Group-ID = :1:140

:1: are used to give tags a value of 1; 6 is interpreted by FreeRadius as IEEE-802.

I have checked with Ethereal and the packet sent seems OK. I think the problem
comes from the switch.
Here is the configuration file:
!
version 12.1
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
no service password-encryption
!
hostname Switch802_1x
!
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization exec default group radius if-authenticated
aaa accounting dot1x default start-stop group radius
enable password
!
username admin secret 5 $1$IqQs$tJ9S4pfeDfZR42vlaFrbQ1
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
dot1x system-auth-control
interface FastEthernet0/1
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 136
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/8
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 141
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.e6a7.09d8
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport mode access
 dot1x port-control auto
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport trunk native vlan 136
 switchport mode trunk
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan136
 ip address XX.XX.XX.XX 255.255.255.0
 no ip route-cache
!
ip default-gateway YY.YY.YY.YY
ip http server
logging trap notifications
logging facility local6
logging ZZ.ZZ.ZZ.ZZ
radius-server host ZZ.ZZ.ZZ.ZZ auth-port 1812 acct-port 1813 key testing123
radius-server retransmit 3
!
line con 0
 exec-timeout 0 0
 password
line vty 0 4
 exec-timeout 0 0
 password
line vty 5 15
 exec-timeout 0 0
 password
!
!
end
 
The Client is connected to port 0/23 which is dot1x enabled. It is authenticated
(interface is up and logs in Freeradius prove that it's OK) BUT interface

Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-11 Thread Michael Schwartzkopff
On Friday, 11 March 2005 15:40, Vladimir Vuksan wrote:
> Michael Schwartzkopff wrote:
> >>Thanks for the help, but my switch doesn't know this command. Is it possible
> >>that IOS 12.1(11)EA does not support VLAN assignment with 802.1x?
> >
> >Yes. Be careful with the IOS versions. Older versions do not have this
> > feature implemented. You have to install a quite new IOS. I also had
> > problem with a 2950. No problem with a new IOS and a 3550.
>
> Has anyone implemented a setup where e.g. Tunnel-Type, VLAN information
> is stored in LDAP  instead of in the users file ?
>
> Vladimir

Yes, I did. I also wrote an article about it which was published in the Linux 
Magazin in both German and English versions. Please mail your private address and 
I can help you further.

misch (sobachka) multinet dot de

- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B




Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-11 Thread Vladimir Vuksan
Michael Schwartzkopff wrote:
Thanks for the help, but my switch doesn't know this command. Is it possible
that IOS 12.1(11)EA does not support VLAN assignment with 802.1x?
   

Yes. Be careful with the IOS versions. Older versions do not have this feature 
implemented. You have to install a quite new IOS. I also had problems with a 
2950. No problem with a new IOS and a 3550.
 

Has anyone implemented a setup where e.g. Tunnel-Type, VLAN information 
is stored in LDAP  instead of in the users file ?

Vladimir


Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-11 Thread Michael Schwartzkopff
On Friday, 11 March 2005 09:24, Horschtel wrote:

> Thanks for the help, but my switch doesn't know this command. Is it possible
> that IOS 12.1(11)EA does not support VLAN assignment with 802.1x?

Yes. Be careful with the IOS versions. Older versions do not have this feature 
implemented. You have to install a quite new IOS. I also had problems with a 
2950. No problem with a new IOS and a 3550.

- -- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn

Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
mob: (+49 174) 343 28 75

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B




Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-11 Thread Horschtel



>You are missing:
>
>   aaa authentication network default group radius
>
>The attributes you posted earlier are correct.  You can also specify
>the VLAN name instead of the number which may help you if the VLAN ids
>are different on different networks.
>
>--
>DaveD
>
Thanks for the help, but my switch doesn't know this command. Is it possible that 
IOS 12.1(11)EA does not support VLAN assignment with 802.1x?

>On Mar 10, 2005, at 7:51 AM, Horschtel wrote:
>
>>
>>
>> I tried, but it doesn't work. I tried another radius server and it failed
>> also. In the properties of Attribute 81 I see it should be a string.
>> So I think I made a mistake in the switch configuration. I post the
>> configuration here:
>>
>>
>> Current configuration : 3985 bytes
>> !
>> version 12.1
>> no service pad
>> service timestamps debug uptime
>> service timestamps log uptime
>> service password-encryption
>> !
>> hostname rum34
>> !
>> aaa new-model
>> aaa authentication login default line enable
>> aaa authentication dot1x default group radius
>> enable secret 5 .
>> enable password 7 
>> !
>> ip subnet-zero
>> ip domain-name mms-dresden.de
>> !
>> !
>> spanning-tree extend system-id
>> no spanning-tree vlan 65
>> …
>> no spanning-tree vlan 255
>> !
>> !
>> interface FastEthernet0/1
>>  switchport mode trunk
>>  no ip address
>> !
>> interface FastEthernet0/2
>>  switchport access vlan dynamic
>>  switchport mode access
>>  no ip address
>>  spanning-tree portfast
>> !
>> interface FastEthernet0/3
>>  switchport mode access
>>  no ip address
>> !
>> interface FastEthernet0/4
>>  no ip address
>> !
>> interface FastEthernet0/5
>>  no ip address
>>  shutdown
>> !
>> interface FastEthernet0/6
>>  no ip address
>> !
>> interface FastEthernet0/7
>>  no ip address
>> !
>> interface FastEthernet0/8
>>  no ip address
>> !
>> interface FastEthernet0/9
>>  switchport mode access
>>  no ip address
>>  dot1x port-control auto
>> !
>> interface FastEthernet0/10
>>  no ip address
>> !
>> interface FastEthernet0/11
>>  no ip address
>> !
>> interface FastEthernet0/12
>>  no ip address
>> !
>> interface GigabitEthernet0/1
>>  no ip address
>> !
>> interface GigabitEthernet0/2
>>  no ip address
>> !
>> interface Vlan1
>>  ip address xxx.xxx.xxx.209 255.255.255.0
>>  no ip route-cache
>> !
>> ip default-gateway xxx.xxx.xxx.1
>> ip http server
>> !
>> snmp-server engineID local 8009030BBE855001
>> snmp-server group grp_snmp v3 auth
>> snmp-server community xxx RO
>> snmp-server enable traps snmp linkdown linkup
>> snmp-server host xxx.xxx.xxx.101 version 2c pub
>> radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 1813 key xxx
>> radius-server retransmit 3
>> !
>> line con 0
>>  ip netmask-format decimal
>> line vty 0 4
>>  password 7 x
>> line vty 5 15
>>  password 7xx
>> !
>> ntp clock-period 17179903
>> ntp server xxx.xxx.xxx.196
>> end
>>
>> -- Original Message --
>> From: David ROUMANET <[EMAIL PROTECTED]>
>> Reply-To: freeradius-users@lists.freeradius.org
>> Date:  Thu, 10 Mar 2005 10:27:28 +0100
>>
>>> Try this :
>>> Tunnel-Type := VLAN,
>>> Tunnel-Medium-Type := IEEE-802,
>>> Tunnel-Private-Group-Id := 13,
>>>
>>> It works on my FreeRADIUS
>>>
>>>
>>> Horschtel wrote:
>>>
 Hi, my situation is that freeradius gives the switch wrong attribute
 parameters.

 The “users” config file says:

 …
 Username  Auth-Type == EAP, User-Password == “xxx”
Framed-Type = Framed,
Tunnel-Medium-Type:1 = 6,
Tunnel-Type:1 = 13,
Tunnel-Private-Group-ID:1 = 13
 ….

 on freeradius debugging I can see:

 …..
 Sending Acces-Accept of id 59 to xxx.xxx.xxx.xxx:1812
Tunnel-Medium-Type:1 =  IEEE-802
Tunnel-Type:1 = VLAN
Tunnel-Private-Group-Id = “13”
 ……

 and that's the problem. I think the Tunnel-Private-Group-Id is no
 longer an
 Integer

 The Switch Radius Debug

 04:57:06: Attribute 65 6 0106
 04:57:06: Attribute 64 6 010D
 04:57:06: Attribute 81 5 0131334F

 Attribute 65 and 64 are ok but Attribute 81 is the problem




 



>>>
>>> --
>>> CICG David ROUMANET
>>> Tel : 04 76 51 46 08
>>> *C*entre *I*nterUniversitaire de *C*alcul *G*renoblois
>>>
>>>
>>>
>>
>>
>>
>>
>>
>> 
>
>

Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-10 Thread kreios
You are missing:
  aaa authentication network default group radius
The attributes you posted earlier are correct.  You can also specify 
the VLAN name instead of the number which may help you if the VLAN ids 
are different on different networks.

--
DaveD
On Mar 10, 2005, at 7:51 AM, Horschtel wrote:

I tried, but it doesn't work. I tried another radius server and it failed 
also. In the properties of Attribute 81 I see it should be a string. 
So I think I made a mistake in the switch configuration. I post the 
configuration here:

Current configuration : 3985 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rum34
!
aaa new-model
aaa authentication login default line enable
aaa authentication dot1x default group radius
enable secret 5 .
enable password 7 
!
ip subnet-zero
ip domain-name mms-dresden.de
!
!
spanning-tree extend system-id
no spanning-tree vlan 65
…
no spanning-tree vlan 255
!
!
interface FastEthernet0/1
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 switchport access vlan dynamic
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 no ip address
!
interface FastEthernet0/4
 no ip address
!
interface FastEthernet0/5
 no ip address
 shutdown
!
interface FastEthernet0/6
 no ip address
!
interface FastEthernet0/7
 no ip address
!
interface FastEthernet0/8
 no ip address
!
interface FastEthernet0/9
 switchport mode access
 no ip address
 dot1x port-control auto
!
interface FastEthernet0/10
 no ip address
!
interface FastEthernet0/11
 no ip address
!
interface FastEthernet0/12
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 ip address xxx.xxx.xxx.209 255.255.255.0
 no ip route-cache
!
ip default-gateway xxx.xxx.xxx.1
ip http server
!
snmp-server engineID local 8009030BBE855001
snmp-server group grp_snmp v3 auth
snmp-server community xxx RO
snmp-server enable traps snmp linkdown linkup
snmp-server host xxx.xxx.xxx.101 version 2c pub
radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 1813 key xxx
radius-server retransmit 3
!
line con 0
 ip netmask-format decimal
line vty 0 4
 password 7 x
line vty 5 15
 password 7xx
!
ntp clock-period 17179903
ntp server xxx.xxx.xxx.196
end
-- Original Message --
From: David ROUMANET <[EMAIL PROTECTED]>
Reply-To: freeradius-users@lists.freeradius.org
Date:  Thu, 10 Mar 2005 10:27:28 +0100
Try this :
Tunnel-Type := VLAN,
Tunnel-Medium-Type := IEEE-802,
Tunnel-Private-Group-Id := 13,
It works on my FreeRADIUS
Horschtel wrote:
Hi, my situation is that freeradius gives the switch wrong attribute 
parameters.

The “users” config file says:
…
Username  Auth-Type == EAP, User-Password == “xxx”
   Framed-Type = Framed,
   Tunnel-Medium-Type:1 = 6,
   Tunnel-Type:1 = 13,
   Tunnel-Private-Group-ID:1 = 13
….
on freeradius debugging I can see:
…..
Sending Acces-Accept of id 59 to xxx.xxx.xxx.xxx:1812
   Tunnel-Medium-Type:1 =  IEEE-802
   Tunnel-Type:1 = VLAN
   Tunnel-Private-Group-Id = “13”
……
and that's the problem. I think the Tunnel-Private-Group-Id is no 
longer an
Integer

The Switch Radius Debug
04:57:06: Attribute 65 6 0106
04:57:06: Attribute 64 6 010D
04:57:06: Attribute 81 5 0131334F
Attribute 65 and 64 are ok but Attribute 81 is the problem




--
CICG David ROUMANET
Tel : 04 76 51 46 08
*C*entre *I*nterUniversitaire de *C*alcul *G*renoblois







Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-10 Thread Alan DeKok
"Horschtel" <[EMAIL PROTECTED]> wrote:
> Tunnel-Private-Group-Id = "13"
> 
> and that's the problem. I think the Tunnel-Private-Group-Id is not
> more an Integer

  The RFCs define it to be a string.  Some switch vendors, however,
implemented it as an integer, which causes problems.

  Alan DeKok.


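An added illustration of the string-versus-integer point above, not code from the thread or from FreeRADIUS: the three RFC 2868 tagged attributes encoded and decoded in Python. It builds the Access-Accept reply items from Horschtel's users entry, decodes the "Attribute 81 5 0131334F" debug line as a tagged string, and shows the 6-octet form a switch expecting an integer group ID would want instead. It assumes the debug line's Length field is authoritative (printed octets beyond it are ignored) and uses the RFC 2868 attribute numbers and values.

```python
"""RFC 2868 tagged tunnel attributes from the thread: Tunnel-Type (64),
Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81).

Wire format of one attribute: Type (1 octet), Length (1 octet, counting the
two header octets), then the value. In the tagged attributes the first value
octet is the tag (0x01-0x1F); 64 and 65 then carry a 3-octet big-endian
integer, while 81 carries the group ID as an octet string.
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TAGGED_INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING_ATTRS = {TUNNEL_PRIVATE_GROUP_ID}
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" in the users file
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"


def _check_tag(tag):
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..31")


def encode_tagged_integer(attr, tag, value):
    """Tag octet + 3-octet integer, so the Length is always 6."""
    _check_tag(tag)
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integers carry only 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def encode_tagged_string(attr, tag, text):
    """Tag octet + the string octets; no terminator and no padding."""
    _check_tag(tag)
    body = bytes([tag]) + text.encode("ascii")
    if len(body) > 253:
        raise ValueError("value does not fit in one attribute")
    return bytes([attr, 2 + len(body)]) + body


def decode_attribute(data):
    """Decode one attribute at the start of data -> (attr, tag, value, used)."""
    if len(data) < 3:
        raise ValueError("truncated attribute header")
    attr, length = data[0], data[1]
    if length < 3 or length > len(data):
        raise ValueError("Length %d does not fit the data" % length)
    body = data[2:length]
    if attr in TAGGED_INTEGER_ATTRS:
        if length != 6:
            raise ValueError("tagged integer attribute must have Length 6")
        return attr, body[0], int.from_bytes(body[1:4], "big"), length
    if attr in TAGGED_STRING_ATTRS:
        # RFC 2868: a first octet above 0x1F is data, not a tag (tag 0).
        if body[0] > 0x1F:
            return attr, 0, body.decode("ascii"), length
        return attr, body[0], body[1:].decode("ascii"), length
    return attr, None, bytes(body), length


def decode_all(data):
    """Walk a run of attributes and return [(attr, tag, value), ...]."""
    out, pos = [], 0
    while pos < len(data):
        attr, tag, value, used = decode_attribute(data[pos:])
        out.append((attr, tag, value))
        pos += used
    return out


def attribute_from_debug_line(line):
    """Rebuild the wire octets from a line like '04:57:06: Attribute 81 5 0131334F'.
    Assumption about the debug format: the Length field is authoritative, so only
    the first Length-2 printed octets belong to the value (the trailing 4F does not).
    """
    fields = line.split()
    attr, length = int(fields[2]), int(fields[3])
    value = bytes.fromhex(fields[4])[: length - 2]
    if len(value) != length - 2:
        raise ValueError("debug line shows fewer octets than its Length field")
    return bytes([attr, length]) + value


def reply_from_users_entry():
    """The reply items of the users entry on the page, as FreeRADIUS sends them:
    Tunnel-Medium-Type:1 = 6, Tunnel-Type:1 = 13, Tunnel-Private-Group-ID:1 = 13.
    81 is a tagged string, so the group ID goes on the wire as the text "13".
    """
    return (encode_tagged_integer(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_integer(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "13"))


if __name__ == "__main__":
    print(decode_all(reply_from_users_entry()))
    # The switch logged attribute 81 as tag 1 followed by the string "13".
    print(decode_attribute(attribute_from_debug_line("04:57:06: Attribute 81 5 0131334F")))
    # A switch that expects an integer VLAN id would want this 6-octet form instead.
    print(encode_tagged_integer(TUNNEL_PRIVATE_GROUP_ID, 1, 13).hex())
```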


Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-10 Thread Vladimir
Horschtel wrote:
I tried, but it doesn't work. I tried another radius server and it failed also. In the properties of Attribute 81 I see it should be a string. So I think I made a mistake in the switch configuration. I post the configuration here:
 

Is 802.1x working at all? For instance, I had to issue the following 
configuration command:

dot1x system-auth-control
If you log into the switch and execute the following:
Switch#show dot1x
Sysauthcontrol= Enabled
Dot1x Protocol Version= 1
Dot1x Oper Controlled Directions  = Both
Dot1x Admin Controlled Directions = Both
Do you get Sysauthcontrol Enabled ?
aaa new-model
aaa authentication login default line enable
aaa authentication dot1x default group radius
interface FastEthernet0/9
switchport mode access
no ip address
dot1x port-control auto
radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 1813 key xxx
radius-server retransmit 3
 



Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-10 Thread Horschtel


I tried, but it doesn't work. I tried another radius server and it failed also. In 
the properties of Attribute 81 I see it should be a string. So I think I made a 
mistake in the switch configuration. I post the configuration here:


Current configuration : 3985 bytes
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname rum34
!
aaa new-model
aaa authentication login default line enable
aaa authentication dot1x default group radius
enable secret 5 .
enable password 7 
!
ip subnet-zero
ip domain-name mms-dresden.de
!
!
spanning-tree extend system-id
no spanning-tree vlan 65
…
no spanning-tree vlan 255
!
!
interface FastEthernet0/1
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 switchport access vlan dynamic
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport mode access
 no ip address
!
interface FastEthernet0/4
 no ip address
!
interface FastEthernet0/5
 no ip address
 shutdown
!
interface FastEthernet0/6
 no ip address
!
interface FastEthernet0/7
 no ip address
!
interface FastEthernet0/8
 no ip address
!
interface FastEthernet0/9
 switchport mode access
 no ip address
 dot1x port-control auto
!
interface FastEthernet0/10
 no ip address
!
interface FastEthernet0/11
 no ip address
!
interface FastEthernet0/12
 no ip address
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
!
interface Vlan1
 ip address xxx.xxx.xxx.209 255.255.255.0
 no ip route-cache
!
ip default-gateway xxx.xxx.xxx.1
ip http server
!
snmp-server engineID local 8009030BBE855001
snmp-server group grp_snmp v3 auth
snmp-server community xxx RO
snmp-server enable traps snmp linkdown linkup
snmp-server host xxx.xxx.xxx.101 version 2c pub
radius-server host xxx.xxx.xxx.2 auth-port 1812 acct-port 1813 key xxx
radius-server retransmit 3
!
line con 0
 ip netmask-format decimal
line vty 0 4
 password 7 x
line vty 5 15
 password 7xx
!
ntp clock-period 17179903
ntp server xxx.xxx.xxx.196
end

-- Original Message --
From: David ROUMANET <[EMAIL PROTECTED]>
Reply-To: freeradius-users@lists.freeradius.org
Date:  Thu, 10 Mar 2005 10:27:28 +0100

>Try this :
>Tunnel-Type := VLAN,
>Tunnel-Medium-Type := IEEE-802,
>Tunnel-Private-Group-Id := 13,
>
>It works on my FreeRADIUS
>
>
>Horschtel wrote:
>
>>Hi, my situation is that freeradius gives the switch wrong attribute parameters.
>>
>>The “users” config file says:
>>
>>…
>>Username  Auth-Type == EAP, User-Password == “xxx”
>>Framed-Type = Framed,
>>Tunnel-Medium-Type:1 = 6,
>>Tunnel-Type:1 = 13,
>>Tunnel-Private-Group-ID:1 = 13
>>….
>>
>>on freeradius debugging I can see:
>>
>>…..
>>Sending Acces-Accept of id 59 to xxx.xxx.xxx.xxx:1812
>>Tunnel-Medium-Type:1 =  IEEE-802
>>Tunnel-Type:1 = VLAN
>>Tunnel-Private-Group-Id = “13”
>>……
>>
>>and that's the problem. I think the Tunnel-Private-Group-Id is no longer an
>>Integer
>>
>>The Switch Radius Debug
>>
>>04:57:06: Attribute 65 6 0106
>>04:57:06: Attribute 64 6 010D
>>04:57:06: Attribute 81 5 0131334F
>>
>>Attribute 65 and 64 are ok but Attribute 81 is the problem
>>
>>
>>
>>
>>
>>
>>
>>
>
>--
>CICG David ROUMANET
>Tel : 04 76 51 46 08
>*C*entre *I*nterUniversitaire de *C*alcul *G*renoblois
>
>
>








Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-10 Thread David ROUMANET
Try this :
Tunnel-Type := VLAN,
Tunnel-Medium-Type := IEEE-802,
Tunnel-Private-Group-Id := 13,
It works on my FreeRADIUS
Horschtel wrote:
Hi, my situation is that freeradius gives the switch wrong attribute parameters.
The “users” config file says:
…
Username  Auth-Type == EAP, User-Password == “xxx”
   Framed-Type = Framed,
   Tunnel-Medium-Type:1 = 6,
   Tunnel-Type:1 = 13,
   Tunnel-Private-Group-ID:1 = 13
….
on freeradius debugging I can see:
…..
Sending Acces-Accept of id 59 to xxx.xxx.xxx.xxx:1812
   Tunnel-Medium-Type:1 =  IEEE-802
   Tunnel-Type:1 = VLAN
   Tunnel-Private-Group-Id = “13”
……
and that's the problem. I think the Tunnel-Private-Group-Id is no longer an
Integer
The Switch Radius Debug
04:57:06: Attribute 65 6 0106  
04:57:06: Attribute 64 6 010D
04:57:06: Attribute 81 5 0131334F

Attribute 65 and 64 are ok but Attribute 81 is the problem 




 

--
CICG David ROUMANET
Tel : 04 76 51 46 08
*C*entre *I*nterUniversitaire de *C*alcul *G*renoblois