Problem with Cisco-AVPair

Antonio Matera antonio.matera at create-net.it
Wed Apr 5 10:11:09 CEST 2006


Hi all,
I have a problem with the user authentication  with  EAP  TLS  or PEAP 
on different  SSID and VLAN.
My objective is to authenticate one user only on a select SSID.
At the moment I have this user with EAP-TLS, but if I use PEAP and I 
insert a user password, the problem is the same:

TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = 2,
           Tunnel-Type = VLAN

user2    Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3"
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = 3,
           Tunnel-Type = VLAN


and the log is the following:

rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, 
length=166
       User-Name = "TEST4"
       Framed-MTU = 1400
       Called-Station-Id = "0012.dacb.8420"
       Calling-Station-Id = "000c.f135.f1ba"
       Cisco-AVPair = "ssid=VLAN3"
       Service-Type = Login-User
       Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
       EAP-Message = 0x020600060d00
       NAS-Port-Type = Wireless-802.11
       Cisco-NAS-Port = "260"
       NAS-Port = 260
       State = 0x0491685cf8ece3184d685dedfedbb3d4
       NAS-IP-Address = 192.168.9.104
       NAS-Identifier = "ap"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
 modcall[authorize]: module "preprocess" returns ok for request 18
 modcall[authorize]: module "mschap" returns noop for request 18
   rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 18
 rlm_eap: EAP packet type response id 6 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 18
   users: Matched entry TEST4 at line 11
 modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack handshake is finished
 eaptls_verify returned 3
 eaptls_process returned 3
 rlm_eap: Freeing handler
 modcall[authenticate]: module "eap" returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/<no User-Password attribute>] (from client ap-test port 
260 cli 000c.f135.f1ba)
Sending Access-Accept of id 19 to 192.168.9.104 port 1645
       Tunnel-Medium-Type:0 = IEEE-802
       Tunnel-Private-Group-Id:0 = "2"
       Tunnel-Type:0 = VLAN
       MS-MPPE-Recv-Key = 
0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
       MS-MPPE-Send-Key = 
0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
       EAP-Message = 0x03060004
       Message-Authenticator = 0x00000000000000000000000000000000
       User-Name = "TEST4"
Finished request 18



The user TEST4 is authenticated with the bad SSID.  the check 
Cisco-AVPair := "ssid=SSID1" does't work.
What is wrong? I read a lot of mail on this mailing list, I tried the 
option with_cisco_hack = yes in the radiusd.conf file but but the 
problem is always the same.
I don't understand what is the problem...

Can someone help me?


Thanks a lot to all

Bye Antonio



More information about the Freeradius-Users mailing list