Re: VLAN and SSID

2006-04-03 Thread Antonio Matera

Can anyone help me, please?

Thanks, Antonio




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: VLAN and SSID

2006-03-30 Thread Antonio Matera

hi,
OK, now the authentication request works (the problem was that if I 
restarted the AP I lost this configuration; how can I save it using the 
web configuration?).


Now the log is the following:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, 
length=166

   User-Name = "TEST4"
   Framed-MTU = 1400
   Called-Station-Id = "0012.dacb.8420"
   Calling-Station-Id = "000c.f135.f1ba"
   Cisco-AVPair = "ssid=VLAN3"
   Service-Type = Login-User
   Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
   EAP-Message = 0x020600060d00
   NAS-Port-Type = Wireless-802.11
   Cisco-NAS-Port = "260"
   NAS-Port = 260
   State = 0x0491685cf8ece3184d685dedfedbb3d4
   NAS-IP-Address = 192.168.9.104
   NAS-Identifier = "ap"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
 modcall[authorize]: module "preprocess" returns ok for request 18
 modcall[authorize]: module "mschap" returns noop for request 18
   rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 18
 rlm_eap: EAP packet type response id 6 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 18
   users: Matched entry TEST4 at line 11
 modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/] (from client ap-test port 
260 cli 000c.f135.f1ba)

Sending Access-Accept of id 19 to 192.168.9.104 port 1645
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = "2"
   Tunnel-Type:0 = VLAN
   MS-MPPE-Recv-Key = 
0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
   MS-MPPE-Send-Key = 
0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161

   EAP-Message = 0x03060004
   Message-Authenticator = 0x
   User-Name = "TEST4"
Finished request 18


and I have these users:

TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 2,
  Tunnel-Type = VLAN

user2   Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3"
  Tunnel-Medium-Type = IEEE-802,
  Tunnel-Private-Group-Id = 3,
  Tunnel-Type = VLAN



Now in the log there is Cisco-AVPair = "ssid=VLAN3", but user TEST4 is 
authenticated on the incorrect SSID (VLAN3).

I suppose that the Cisco-AVPair check doesn't work in my configuration.
Are there other mistakes?


Thanks for your answers...
Bye Antonio







Re: VLAN and SSID

2006-03-30 Thread James J J Hooper



--On 30 March 2006 09:56 +0200 Antonio Matera 
<[EMAIL PROTECTED]> wrote:

In my log after the MAC address there isn't any information on the SSID.

In the log I have no information on the SSID, but in my AP
configuration I have the radius-server vsa send accounting:

   ^

What is wrong? I don't understand where the mistake is.


You misread my previous email; you need:
radius-server vsa send authentication
^^

This makes the Cisco include the SSID in the AUTHENTICATION request, which 
is what you need. Presently you only have:

radius-server vsa send accounting

so the SSID is only being sent in accounting packets.

(having both is fine)

Regards,
  James

--
James J J Hooper,
Information Services
University of Bristol
--



Re: VLAN and SSID

2006-03-30 Thread Antonio Matera




Hi to all,

I have modified my users file:

user1    Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 2,
   Tunnel-Type = VLAN

user2    Auth-Type := EAP, Cisco-AVPair := "ssid=SSID2"
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 3,
   Tunnel-Type = VLAN


But in this way the RADIUS server authorizes, for example, user2 on VLAN3 with
SSID1 (second user with first SSID).
In my log after the MAC address there isn't any information on the SSID.

The log is similar to the last one I posted:


rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21,
length=137
    User-Name = "user1"
    Framed-MTU = 1400
    Called-Station-Id = "0012.dacb.8420"
    Calling-Station-Id = "000c.f135.f1ba"
    Service-Type = Login-User
    Message-Authenticator = 0x0b9afa834203d48273f35fee97e2df88
    EAP-Message = 0x020600060d00
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 262
    State = 0xd2c7600f31d580fb360e134fa4977735
    NAS-IP-Address = 192.168.9.104
    NAS-Identifier = "ap"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry user1 at line 12
  modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3 
  eaptls_process returned 3 
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 5
modcall: leaving group authenticate (returns ok) for request 5
Login OK: [user1/] (from client
ap-test port 262 cli 000c.f135.f1ba)
Sending Access-Accept of id 21 to 192.168.9.104 port 1645
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "2"
    Tunnel-Type:0 = VLAN
    MS-MPPE-Recv-Key =
0x9d39ad6e0574878bf7b25b981595db0b7781b06025feb14ec89a5d6d78c4653c
    MS-MPPE-Send-Key =
0xd68f501b1e8d569699674ddf3fc266185b2d269f9e455a4653aa126b5f3ba185
    EAP-Message = 0x03060004
    Message-Authenticator = 0x
    User-Name = "user1"
Finished request 5

 
In the log I have no information on the SSID, but in my AP
configuration I have the radius-server vsa send accounting:

.

radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.9.193 auth-port 1812 acct-port 1813 key 7
131112011F41162B2F2D3D20
radius-server host 192.168.9.104 auth-port 1645 acct-port 1646 key 7
111D1C1603
radius-server host 192.168.9.191 auth-port 1812 acct-port 1813 key 7
104D1B1C0403174602013E663629373C3700
radius-server vsa send accounting
bridge 1 route ip

..



What is wrong? I don't understand where the mistake is.

Thanks a lot
Bye all

Antonio



  

Re: VLAN and SSID

2006-03-29 Thread Alan DeKok
Antonio Matera <[EMAIL PROTECTED]> wrote:
> the authentication works fine but, for example, if I connect the WinXP 
> client on SSID1 with the certificate of the VLAN2 user, I have this 
> situation:
> The client is connected to VLAN2 but the SSID of the wireless 
> connection is SSID1.

  So prevent that.  The Calling-Station-Id *should* contain the SSID
after the MAC address.  Run the server in debug mode to see this.

  Then, use a regular expression to match the SSID.

  Alan DeKok.



Re: VLAN and SSID

2006-03-29 Thread Guy Davies
Hi Antonio,

If you're using the Cisco-AVPair as a check item, it *must* be on the
first line of the user entry. e.g.

user1    Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
         ... reply items here, one per line...

If you want to configure it as a reply item, it should be...

Cisco-AVPair = "ssid=SSID1"

NOTE: =, not := for the reply item.

Rgds,

Guy


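Added example (mine, not FreeRADIUS code and not anything the posters wrote): a small Python re-check of a `users` entry against the Access-Request attributes from the thread's log, covering Guy's point that a check item has to sit on the entry's first line and Alan's suggestion of a regular-expression match. It assumes the check-operator semantics documented in the FreeRADIUS users(5) man page (`:=` always matches and only sets, `==` compares, `=~` is a regex match); the sample request and the four entry layouts are constructed from the thread.

```python
"""Re-check a FreeRADIUS 'users' entry against an Access-Request, offline.

Added illustration, not FreeRADIUS code. The files module reads the FIRST
line of an entry as check items and indented lines as reply items; check
operators follow users(5): ':=' only sets, '==' compares, '=~' is a regex."""
import re

# Constructed request, built from the attribute lines of the thread's log.
REQUEST_VLAN3 = """\
   User-Name = "TEST4"
   Calling-Station-Id = "000c.f135.f1ba"
   Cisco-AVPair = "ssid=VLAN3"
   NAS-Port-Type = Wireless-802.11
"""
# The same client associating to the SSID the entry is meant to allow.
REQUEST_SSID1 = REQUEST_VLAN3.replace("ssid=VLAN3", "ssid=SSID1")

# Layout 1: Cisco-AVPair on a continuation line, so it is only a reply item.
USERS_REPLY_LINE = """\
TEST4 Auth-Type := EAP
   Cisco-AVPair := "ssid=SSID1",
   Tunnel-Private-Group-Id = 2
"""
# Layout 2: on the first line, but ':=' never fails a check (the last log).
USERS_SET_OP = """\
TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
   Tunnel-Private-Group-Id = 2
"""
# Layout 3: compared with '==', so a client on another SSID is rejected.
USERS_COMPARE_OP = """\
TEST4 Auth-Type := EAP, Cisco-AVPair == "ssid=SSID1"
   Tunnel-Private-Group-Id = 2
"""
# Layout 4: regular-expression check, the form Alan suggests for SSIDs.
USERS_REGEX_OP = """\
TEST4 Auth-Type := EAP, Cisco-AVPair =~ "^ssid=SSID1$"
   Tunnel-Private-Group-Id = 2
"""

PAIR_RE = re.compile(r'^\s*([\w-]+)\s*(:=|==|=~|=)\s*"?(.*?)"?\s*$')


def parse_pairs(pieces):
    """Turn 'Attr op value' fragments into (attr, op, value) tuples."""
    matches = [PAIR_RE.match(p) for p in pieces]
    return [m.groups() for m in matches if m]


def parse_entry(text):
    """First line: user name plus check items; indented lines: reply items."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    name, rest = lines[0].split(None, 1)
    checks = parse_pairs(rest.split(","))
    replies = parse_pairs(p for ln in lines[1:] for p in ln.split(","))
    return name, checks, replies


def check_matches(op, want, have):
    """Check-item semantics from users(5); 'have' is None when absent."""
    if op == ":=":
        return True                     # set-only: can never reject
    if have is None:
        return False
    if op in ("==", "="):
        return have == want
    if op == "=~":
        return re.search(want, have) is not None
    raise ValueError(f"unsupported operator {op}")


def evaluate(users_text, request_log):
    """Return ('accept'|'reject'|'no-match', names of reply attributes)."""
    name, checks, replies = parse_entry(users_text)
    req = {a: v for a, _, v in parse_pairs(request_log.splitlines())}
    if req.get("User-Name") != name:
        return "no-match", []
    if not all(check_matches(op, want, req.get(attr))
               for attr, op, want in checks):
        return "reject", []
    return "accept", [attr for attr, _, _ in replies]


if __name__ == "__main__":
    for label, users in (("reply line", USERS_REPLY_LINE), ("first line :=", USERS_SET_OP),
                         ("first line ==", USERS_COMPARE_OP), ("first line =~", USERS_REGEX_OP)):
        print(f"{label:14s} VLAN3 -> {evaluate(users, REQUEST_VLAN3)[0]:8s}"
              f" SSID1 -> {evaluate(users, REQUEST_SSID1)[0]}")
```

Layout 2 reproduces the thread's last log: the SSID check is on the first line but still accepts ssid=VLAN3, because `:=` sets rather than compares; `==` or `=~` is what makes the mismatch reject.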


Re: VLAN and SSID

2006-03-29 Thread Antonio Matera

Hallo,
now I have the users configured as follows:

user1    Auth-Type := EAP
   Cisco-AVPair := "ssid=SSID1",
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 2,
   Tunnel-Type = VLAN

user2    Auth-Type := EAP
   Cisco-AVPair := "ssid=SSID2",
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 3,
   Tunnel-Type = VLAN


The AP has radius-server vsa send authentication, but when I connect, 
for example, to SSID2 using user1, RADIUS writes this log for a large 
number of requests:



rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, 
length=137

   User-Name = "user1"
   Framed-MTU = 1400
   Called-Station-Id = ".."
   Calling-Station-Id = ".."
   Service-Type = Login-User
   Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746
   EAP-Message = 0x020600060d00
   NAS-Port-Type = Wireless-802.11
   NAS-Port = 1215
   State = 0x15f928ed12d8d4d1a278530b6dd26c21
   NAS-IP-Address = 192.168.9.104
   NAS-Identifier = "ap"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 53
 modcall[authorize]: module "preprocess" returns ok for request 53
 modcall[authorize]: module "mschap" returns noop for request 53
   rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 53
 rlm_eap: EAP packet type response id 6 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 53
   users: Matched entry user1 at line 14
 modcall[authorize]: module "files" returns ok for request 53
modcall: leaving group authorize (returns updated) for request 53
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 53
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns ok for request 53
modcall: leaving group authenticate (returns ok) for request 53
Login OK: [user1/] (from client ap-test port 
1215 cli 000c.f135.f1ba)

Sending Access-Accept of id 167 to 192.168.9.104 port 1645
   Cisco-AVPair := "ssid=SSID1"
   Tunnel-Medium-Type:0 = IEEE-802
   Tunnel-Private-Group-Id:0 = "2"
   Tunnel-Type:0 = VLAN
   MS-MPPE-Recv-Key = 
0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011
   MS-MPPE-Send-Key = 
0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9

   EAP-Message = 0x03060004
   Message-Authenticator = 0x
   User-Name = "user1"
Finished request 53



The XP client says that SSID2 is connected, but if I try to browse on 
VLAN1 or VLAN2 I can't.


Why does the RADIUS server receive a large number of requests from the 
client and not send a failed authorization? Is it possible to eliminate 
the requests after the first?
Is it possible to send the XP client a failed authorization? At the 
moment the client doesn't understand whether it is connected to the SSID 
or not.




Thanks a lot for your time
Bye Antonio


Re: VLAN and SSID

2006-03-29 Thread Guy Davies
The Cisco-AVPair mechanism is a mutation of the standard VSA mechanism.  Cisco
uses a single Vendor ID but wanted to use many VSAs.  The limit with a
single Vendor ID is 255 (IIRC).

So, Cisco's Vendor Specific Attribute number 1 is "Cisco-AVPair". 
They then create "sub-VSAs" within that VSA using the textual syntax
Cisco-AVPair="Sub-VSA-name=Sub-VSA-value"

To get a list of relevant VSAs, you really need to refer to Cisco's
documentation.

Rgds,

Guy




Re: VLAN and SSID

2006-03-29 Thread James J J Hooper



--On Wednesday, March 29, 2006 12:20:57 +0200 Antonio Matera 
<[EMAIL PROTECTED]> wrote:



Hallo, thanks for the replies.
If I insert only the Cisco-AVPair attribute, it doesn't work...

Now I'll try the "radius-server vsa send authentication" command...
Is it an AP console command? Is it possible to set this command from the
AP web interface?
I have no experience with the console settings.


yes, either at the console or go to this url:


(you may need to use http instead of https)

Regards,
 James

--
James J J Hooper,
Information Services
University of Bristol
--


Re: VLAN and SSID

2006-03-29 Thread Antonio Matera

Hallo, thanks for the replies.
If I insert only the Cisco-AVPair attribute, it doesn't work...

Now I'll try the "radius-server vsa send authentication" command...
Is it an AP console command? Is it possible to set this command from the 
AP web interface?

I have no experience with the console settings.


Another question:
Where can I find the list of user attributes for FreeRADIUS?
Here http://www.freeradius.org/rfc/attributes.html for example, I can't 
find the Cisco-AVPair attribute...


Thanks a lot
Bye Antonio




--

--
Antonio Matera
CREATE-NET
Via Solteri, 38 - 38100 Trento
e-mail: [EMAIL PROTECTED]
phone: +39 0461 408400   ext. 305
fax: +39 0461 421157
www.create-net.org
--



Re: VLAN and SSID

2006-03-29 Thread James J J Hooper



--On Wednesday, March 29, 2006 09:11:13 +0100 Guy Davies 
<[EMAIL PROTECTED]> wrote:




You *may* need to change them from being check attributes to reply
attributes if your AP doesn't actually send those attributes with an
Access-Request.  In that case, you send the Cisco-AVPair =
"SSID=SSIDn" back to the AP and if it doesn't match, then it can
locally fail to authorize the user.



I don't think 1200s send the attribute by default in the 
Access-Request. To make it do so, use this command:

radius-server vsa send authentication

Regards,
 James

--
James J J Hooper,
Information Services
University of Bristol
--


Re: VLAN and SSID

2006-03-29 Thread Guy Davies
Yes, just use the Cisco AV Pair to say

user1  Auth-Type := EAP, Cisco-AVPair := "SSID=SSID1"

user2  Auth-Type := EAP, Cisco-AVPair := "SSID=SSID2"

That would force user1 to only associate to SSID1 and user2 to only
associate to SSID2.

You *may* need to change them from being check attributes to reply
attributes if your AP doesn't actually send those attributes with an
Access-Request.  In that case, you send the Cisco-AVPair =
"SSID=SSIDn" back to the AP and if it doesn't match, then it can
locally fail to authorize the user.

Rgds,

Guy




VLAN and SSID

2006-03-29 Thread Antonio Matera

Hallo,
I have a problem with authentication on different VLANs.

Here is my example:

I have two VLANs (VLAN1 and VLAN2) connected to two SSIDs (SSID1 and 
SSID2) on my Cisco 1200 AP. I have the same authentication on both 
connections (EAP-TLS).


In my users file I have two users:

user1    Auth-Type := EAP
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 2,
   Tunnel-Type = VLAN

user2    Auth-Type := EAP
   Tunnel-Medium-Type = IEEE-802,
   Tunnel-Private-Group-Id = 3,
   Tunnel-Type = VLAN

The authentication works fine but, for example, if I connect the WinXP 
client on SSID1 with the certificate of the VLAN2 user, I have this 
situation:
The client is connected to VLAN2 but the SSID of the wireless 
connection is SSID1.


Is it possible to prevent the connection to the selected SSID if the 
user's certificate is incorrect?


Thanks, bye