Re: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
On Thu, 7 Jul 2011, John Kaftan wrote:

> I have fantasized about doing this but have feared the VLAN change would not prompt the clients to ask for a new IP. Looks like you have a different issue but do you know, if you get the VLAN switching working, how the clients will realize they need to ask for another IP?

Nah, that's fine; the EAP/802.1X authentication stuff happens at layer 2 with the access point (which relays to radius); the client doesn't DHCP for an IP address until the supplicant has successfully authenticated (and hence the client been switched into the appropriate VLAN), so it's all fine in principle, and sometimes even in practice!

Other people do the same thing with other equipment. (If you are particularly interested in this single SSID idea for both visitors/local users, there are at least a couple of papers at: http://www.ja.net/services/authentication-and-authorisation/janet-roaming/documentation.html ).

> As for troubleshooting have you captured any packets between the controller and your LAN infrastructure to see if your wireless is tagging the packets? Do you have reporting at the controller that can tell you if it is receiving the attribute correctly? You could capture the RADIUS packet as it leaves the server to see if the attribute is being passed to your controller as you believe it is.

Yes, at the Radius server I can snoop the transaction between it and the access point, and I can see the attributes being returned to the AP. As I say, it sometimes does work, but mostly doesn't, and as far as I can reasonably tell the Proxim AP is the weak point. I can't get anything useful out of the AP at a low-level to see if it acknowledged/acted upon these attributes though.

Jethro.

Jethro R Binks, Network Manager, Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.

** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
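The check suggested in the exchange above (capture the RADIUS reply as it leaves the server and confirm the VLAN attributes are really in it) can be scripted. The following is an added example, not code from any poster in this thread: it parses an Access-Accept and validates the RFC 3580 VLAN triplet (Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = VLAN ID), grouping the attributes by their RFC 2868 tag, and also reports any Filter-Id values. The function names are hypothetical, the sample packets are constructed (reusing the VLAN IDs and Filter-Id value quoted elsewhere in the thread), and a leading octet of 0x00 to 0x1F in Tunnel-Private-Group-ID is assumed to be a tag.

```python
import struct

ACCESS_ACCEPT = 2
FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
MEDIUM_IEEE_802 = 6          # RFC 3580: Tunnel-Medium-Type = 802
TRIPLET = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def build_packet(code, attrs):
    """Assemble a RADIUS packet from (type, value) pairs. Used only to
    construct sample data; the authenticator is zeroed, not a real capture."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, 1, 20 + len(body), b"\0" * 16) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); reject malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has bad length %d" % (atype, alen))
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def check_vlan_assignment(packet):
    """Report the VLAN an RFC 3580 NAS should apply, plus anything that
    would stop it from doing so."""
    code, attrs = parse_attributes(packet)
    problems, tunnels, filter_ids = [], {}, []
    if code != ACCESS_ACCEPT:
        problems.append("not an Access-Accept (code %d)" % code)
    for atype, value in attrs:
        if atype == FILTER_ID:
            filter_ids.append(value.decode("utf-8", "replace"))
        elif atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # Fixed layout: one tag octet followed by a 3-octet value.
            if len(value) != 4 or value[0] > 0x1F:
                problems.append("attribute %d is malformed" % atype)
                continue
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # Assumption: a first octet <= 0x1F is a tag; anything larger
            # is already the first character of the string (RFC 2868).
            if value and value[0] <= 0x1F:
                tag, text = value[0], value[1:]
            else:
                tag, text = 0, value
            tunnels.setdefault(tag, {})[atype] = text.decode("ascii", "replace")
    vlan = None
    for tag in sorted(tunnels):
        group = tunnels[tag]
        missing = [a for a in TRIPLET if a not in group]
        if missing:
            problems.append("tag %d: missing attribute(s) %s" % (tag, missing))
        elif group[TUNNEL_TYPE] != TUNNEL_TYPE_VLAN:
            problems.append("tag %d: Tunnel-Type is not VLAN (13)" % tag)
        elif group[TUNNEL_MEDIUM_TYPE] != MEDIUM_IEEE_802:
            problems.append("tag %d: Tunnel-Medium-Type is not 802 (6)" % tag)
        elif not (group[81].isdigit() and 1 <= int(group[81]) <= 4094):
            problems.append("tag %d: %r is not a VLAN ID" % (tag, group[81]))
        elif vlan is None:
            vlan = int(group[81])    # first complete, valid triplet wins
    return {"vlan": vlan, "filter_ids": filter_ids, "problems": problems}


VLAN, IEEE802 = b"\x00\x00\x0d", b"\x00\x00\x06"
# Constructed Access-Accept packets, not captures from any real server.
SAMPLES = {
    "tagged": build_packet(2, [(64, b"\x00" + VLAN), (65, b"\x00" + IEEE802),
                               (81, b"\x00" + b"1901")]),
    "untagged": build_packet(2, [(64, b"\x00" + VLAN), (65, b"\x00" + IEEE802),
                                 (81, b"1901")]),
    "no_medium": build_packet(2, [(64, b"\x00" + VLAN), (81, b"\x00" + b"1900")]),
    "mismatched": build_packet(2, [(64, b"\x01" + VLAN), (65, b"\x01" + IEEE802),
                                   (81, b"\x02" + b"1901")]),
    "filter_only": build_packet(2, [(11, b"eduroam-cornell")]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, check_vlan_assignment(pkt))
```

Feeding this the UDP payload of a captured Access-Accept shows whether the server's reply is well formed on the wire; a clean result only confirms the server side and says nothing about whether the AP then acts on the attributes.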
RE: Proxim APs and 802.1X RADIUS VLAN assignment
The 802.1X authentication and VLAN assignment occur before the client even gets an IP address.

We are implementing 802.1X with Aruba this summer.

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: John Kaftan [mailto:jkaf...@utica.edu]
Sent: Thursday, July 07, 2011 7:31 PM
Subject: Re: Proxim APs and 802.1X RADIUS VLAN assignment
RE: Proxim APs and 802.1X RADIUS VLAN assignment
Dave,

If you use Aruba's user roles named the same as the Filter-Id, you can use one rule Filter-ID value-of set role to set the user role to the Filter-Id value.

This is very useful if you are using many Filter-Id values.

Bruce Osborne
Wireless Network Engineer
IT Network Services
(434) 592-4229
LIBERTY UNIVERSITY
40 Years of Training Champions for Christ: 1971-2011

-----Original Message-----
From: Dave Barr [mailto:d...@cornell.edu]
Sent: Thursday, July 07, 2011 2:51 PM
Subject: Re: Proxim APs and 802.1X RADIUS VLAN assignment
RE: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
Yeah that makes sense. Thanks. The last time I looked at this I was thinking about having them switch VLANs after authenticating via the captive portal not 802.1x.

John

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W
Sent: Friday, July 08, 2011 8:04 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
RE: Proxim APs and 802.1X RADIUS VLAN assignment
That's a good idea too, we just haven't developed a requirement for more than two conditions so far. I suppose you could have a Filter-ID returned for network-quarantine for systems that are discovered to have malware and place the client in a walled garden role until repaired.

-djb

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Osborne, Bruce W [bosbo...@liberty.edu]
Sent: Friday, July 08, 2011 8:06 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
Proxim APs and 802.1X RADIUS VLAN assignment
Hello all,

I've been having problems using 802.1X authentication, or more specifically, assignment of VLANs based on the RADIUS attributes.

Goal is to have one SSID, eduroam, to which both visitors and local users authenticate when using the wireless service. Visitors remain in the VLAN to which the SSID is associated, and local users onsite are switched into a different VLAN based on attributes from the Radius server backend.

In brief:

I am running the latest v4.0.12 code (but had problems with previous versions too).

I believe I have followed to the letter the Proxim knowledgebase article (which was updated a while ago (VLAN Assignment by RADIUS).

I have tested with a variety of clients (Windows laptop, Windows mobile, Apple i-things).

With no VLAN assignment (i.e., none of the Tunnel- attributes being sent by RADIUS), it usually works OK (sometimes with a couple of retries); but the local user remains in the visitor VLAN as expected.

With the VLAN assignment enabled, it will usually NOT work. Once in a while you might get lucky and get connected to the right VLAN and get an address from DHCP, but it is very inconsistent and unreliable.

As far as I can surmise, the problem is likeliest to lie with the AP. Since it does occasionally work, the basic infrastructure appears to be sound.

So, I'm reaching out there to find if there are any other people doing something this with Proxim APs (AP4000 in particular), to see if you have seen these problems with other vendor or found a fix. Or, alternatively, maybe it isn't the AP, but something else you can suggest that might cause this inconsistent behaviour.

Thanks for any thoughts,

Jethro.

Jethro R Binks, Network Manager, Information Services Directorate, University Of Strathclyde, Glasgow, UK
The University of Strathclyde is a charitable body, registered in Scotland, number SC015263.
RE: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
I've done this with cisco wireless and radius. I believe the radius attribute passed from the radius server to the wireless session is the 'tunnel-private-id'. In the cisco wireless case I had to explicitly allow this attribute to change the networking tagging in order for it to affect the traffic.

sorry no proxim experience.

|Bruce Boardman, Network Engineer, Syracuse University - 315 889-1667

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jethro R Binks [jethro.bi...@strath.ac.uk]
Sent: Thursday, July 07, 2011 11:47 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
RE: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
I can confirm your goal is achievable just don't know about your particular implementation; for us, the RADIUS server is programmed to send a different value for the RADIUS attribute Filter-Id based on the successful authentication from various proxies. With this information provided to the controller, the vLAN is set to a particular value.

This is the working bit of configuration in the aaa server-group on the controller...

    set vlan condition Filter-Id contains eduroam-noncornell set-value 1900
    set vlan condition Filter-Id contains eduroam-cornell set-value 1901

...that matches client to the vLAN with security premises expected for those clients.

We utilize Aruba Networks for the Wi-Fi system and OSC Radiator for the RADIUS server. We have clients utilizing eduroam here from Cornell as well as other participating institutions and the reciprocal is working out as well.

Hope this was helpful...

Dave Barr

***
Cornell Information Technologies http://www.cit.cornell.edu
David Barr - Information Technology Specialist
Email: d...@cornell.edu Phone: 607 255-4703
***

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jethro R Binks
Sent: Thursday, July 07, 2011 11:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
Re: [WIRELESS-LAN] Proxim APs and 802.1X RADIUS VLAN assignment
I have fantasized about doing this but have feared the VLAN change would not prompt the clients to ask for a new IP. Looks like you have a different issue but do you know, if you get the VLAN switching working, how the clients will realize they need to ask for another IP?

As for troubleshooting have you captured any packets between the controller and your LAN infrastructure to see if your wireless is tagging the packets? Do you have reporting at the controller that can tell you if it is receiving the attribute correctly? You could capture the RADIUS packet as it leaves the server to see if the attribute is being passed to your controller as you believe it is.

John

On 7/7/2011 11:47 AM, Jethro R Binks wrote: