Cisco AP Vlan assignment when proxying EAP-PEAP?

Palmer J.D.F. J.D.F.Palmer at swansea.ac.uk
Tue Nov 8 17:52:38 CET 2005


Cheers Josh. :)

That's pretty much the way we do the Roanmode stuff.
Just wasn't sure being EAP whether you could mess around with the return
packet.

Do you have any cunning solutions to how you might get around the reject
issue?  
I'd imagine it's quite a common scenario, i.e. wanting to let users know that
they are doing something wrong as opposed to just rejecting them.
This must be one of the only redeeming features of web redirect. :-D

Thanks,
Jezz.


-----Original Message-----
From: freeradius-users-bounces at lists.freeradius.org
[mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Josh
Howlett
Sent: 08 November 2005 16:30
To: FreeRadius users mailing list
Subject: Re: Cisco AP Vlan assignment when proxying EAP-PEAP?

Hi Jezz,

Palmer J.D.F. wrote:
> Hi,
> 
> Can anyone tell me if it's possible to proxy EAP-PEAP from a Cisco Aironet
> to an IAS server via FreeRADIUS (I can do this bit), then, set the user's
> VLAN information within FreeRADIUS in the access-accept packet returned to
> the AP?

Yes - write a script that outputs the relevant attributes to stdout, and 
specify it in an "exec" clause in radiusd.conf, making sure you set 
packet_type = access-accept. Invoke the exec clause by placing it in 
post-proxy section. For example (assuming you've got the proxying working):

assign-vlan.sh:

  #!/bin/bash

  # No spaces around '=' in shell assignments.
  VLAN="123"

  # We can also grab the RADIUS User-Name attribute from the environment
  # (the exec module exports it as USER_NAME).
  # USER="$USER_NAME"
  # This might be useful if you wanted to drop users
  # into different VLANs.
  # if [ "$USER" = "bujfxh at bristol.ac.uk" ]; then
  #   VLAN="666"
  # fi

  # The value names below are the ones in the FreeRADIUS RFC 2868 dictionary.
  echo "Tunnel-Type = VLAN"
  echo "Tunnel-Medium-Type = IEEE-802"
  echo "Tunnel-Private-Group-ID = $VLAN"

  exit 0

radiusd.conf:

  exec assign-vlan {
	program = "/path/to/assign-vlan.sh"
	input_pairs = proxy-reply
	output_pairs = proxy-reply
	wait = yes
	packet_type = Access-Accept
  }

  post-proxy {
	...
	# Runs on the home server's reply, i.e. after proxying has happened
	assign-vlan
	...
  }

> Also, is there a way to return an access-accept with a 'dirty' VLAN ID, even
> if the IAS server rejects the user?  The idea being that the user would be
> put into a dead end VLAN so they could get info on how to register to use
> the service.

No; only a couple of attributes are permitted in Access-Reject packets.

I don't think it would be possible to "catch" Access-Rejects from IAS 
and cunningly turn them into Access-Accepts, either :-/ (well, it would 
be possible, but you'd need to hack FR to do this).

josh.

> Many thanks,
> Jezz Palmer.
> 
> ****************************************
> Jezz Palmer.
> Internet Systems Officer.
> Library and Information Services
> University of Wales, Swansea
> Singleton Park
> Swansea
> SA2 8PP
> ****************************************

- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
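A fuller version of the exec-module approach Josh describes, added here as an example and not code from the thread: it picks the VLAN from the proxied user's realm, refuses out-of-range IDs, and emits the same three RFC 2868 attributes. The realm-to-VLAN table is constructed, and the script assumes the exec module's convention of exporting request attributes as environment variables (User-Name becomes USER_NAME).

```shell
#!/bin/sh
# Added example, not from the thread: pick a VLAN from the proxied user's realm.
# FreeRADIUS's exec module exports request attributes as environment variables
# (User-Name becomes USER_NAME); the realm->VLAN table below is constructed.

# Print the VLAN ID for a User-Name, keyed on the realm after the last '@'.
vlan_for_user() {
    user="$1"
    realm="${user##*@}"
    if [ "$realm" = "$user" ]; then
        realm=""            # no '@' at all: treat as a bare, realm-less name
    fi
    case "$realm" in
        swansea.ac.uk) echo 123 ;;   # local users (constructed mapping)
        bristol.ac.uk) echo 666 ;;   # visitors from a partner site (constructed)
        *)             echo 999 ;;   # unknown or missing realm: quarantine VLAN
    esac
}

# 802.1Q VLAN IDs are 1..4094; anything else must never reach the AP.
valid_vlan() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Emit the three RFC 2868 attributes the AP needs, or nothing (and fail)
# when the VLAN is invalid, so the exec module never returns a half-set.
emit_vlan_attrs() {
    vlan="$1"
    valid_vlan "$vlan" || return 1
    echo "Tunnel-Type = VLAN"
    echo "Tunnel-Medium-Type = IEEE-802"
    echo "Tunnel-Private-Group-ID = \"$vlan\""
}

# When run by FreeRADIUS (USER_NAME set), print the attributes for that user.
# With wait = yes, a non-zero exit makes the exec module fail the request.
if [ -n "${USER_NAME:-}" ]; then
    emit_vlan_attrs "$(vlan_for_user "$USER_NAME")" || exit 1
fi
```

If the home server's Access-Accept does not echo User-Name, the script will see no USER_NAME with `input_pairs = proxy-reply`; switching that to `input_pairs = request` gives it the original request's attributes instead.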
