VLAN Mapping with MS-CHAP

Phil Mayers p.mayers at imperial.ac.uk
Fri May 5 11:46:54 CEST 2006


robiwan at arcor.de wrote:
> Dear all,
> I try to put my Windows-XP-Clients in different VLANs on my Cisco Catalyst 3750 Switch, depending on their Account.
> And I use two different authentication methods: MD5-Challenge and MS-CHAP.
> 
> User hugo should be mapped in VLAN 50 and authenticated via MD5-Challenge
> User roka at Domain WINLAB should be mapped in VLAN 40 and authenticated via MS-CHAP
> 
> Now both authentications work (thanks to all again), but I have difficulties mapping user roka to his right VLAN.
> 
> Here is my users file:
> -----------------------snip------------------------
> 
> hugo            User-Password == "hugo01"
>                 Tunnel-Type = VLAN,
>                 Tunnel-Medium-Type = 6,
>                 Tunnel-Private-Group-ID = 50
> 
> roka            Auth-Type := MS-CHAP
>                 Tunnel-Type = VLAN,
>                 Tunnel-Medium-Type = 6,
>                 Tunnel-Private-Group-ID = 40

Do NOT set Auth-Type. If your server is properly configured, it is not 
needed and can cause problems. In this case, it should not be causing 
the problem.

Just to check - that's the ENTIRE users file, yes?

> 
> ---------------------snap--------------------------
> 
> Here is the output of my radiusd with user hugo
> The Cisco-Switch maps user hugo in VLAN 50:
> 
> Login OK: [hugo/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-5D-84-AE-CA)
> Sending Access-Accept of id 210 to 10.187.0.15 port 1645
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "50"
>         EAP-Message = 0x03010004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "hugo"
> Finished request 1
> Going to the next request
> 
> 
> Here is the output with user roka
> The Cisco-Switch maps user roka in VLAN 1, and NOT in VLAN 40; I miss the Tunnel information:
> 
> Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-AA-84-AE-CA)
> Sending Access-Accept of id 220 to 10.187.0.15 port 1645
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         MS-MPPE-Recv-Key = 0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
>         MS-MPPE-Send-Key = 0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "WINLAB\\roka"
> Finished request 9
> Going to the next request

This is not helpful. Send the full debugging output prior to this, so we 
can see what modules matched. If you're going to trim, start from the 
point the radius server is idling, not the very last packet.

In all probability, your problem is that you're using PEAP rather than 
just MS-CHAP, and the tunnel attributes are being set on the inner 
MS-CHAP reply, but not being copied to the outer EAP reply.

Make sure you have this in eap.conf:

eap {
   # rest of config, then
   peap {
     # rest of config, then
     use_tunneled_reply = yes
   }
}

You may also need:

eap {
   # rest of config, then
   peap {
     # rest of config, then
     copy_request_to_tunnel = yes
     use_tunneled_reply = yes
   }
}

...if you want to match on other attributes in the request than username 
at a later date.
> 
> 
> So, any ideas what to do so that for user roka my radiusd also says the Tunnel things to my Switch:
> 
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "40"
> 

That's expected and normal. See RFC 2868. The number is a tag, as you 
can specify multiple tunnel-* attribute sets. The tag groups them 
together, and FreeRadius sets it to zero for the common case of one set.
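As an added example (not part of the thread or of FreeRADIUS itself), the following script parses the "Sending Access-Accept" blocks that radiusd prints in debug mode and flags any accept that lacks a complete RFC 2868 Tunnel-* set, which is the symptom above where the switch falls back to VLAN 1; it also splits off the ":0" tag discussed in the last paragraph. The log text is a constructed sample modelled on the two accepts quoted in the message.

```python
"""Added example (not from the thread): flag Access-Accepts in `radiusd -X`
output that carry no RFC 2868 Tunnel-* VLAN assignment."""
import re

# Constructed sample, modelled on the two accepts quoted in the thread.
SAMPLE_LOG = r"""
Login OK: [hugo/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-5D-84-AE-CA)
Sending Access-Accept of id 210 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "50"
        User-Name = "hugo"
Finished request 1
Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-AA-84-AE-CA)
Sending Access-Accept of id 220 to 10.187.0.15 port 1645
        EAP-Message = 0x03090004
        User-Name = "WINLAB\\roka"
Finished request 9
"""

LOGIN_RE = re.compile(r"^Login OK: \[([^/\]]+)/")
ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port \d+")
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)(?::(\d+))? = (.*)$')
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def parse_accepts(log):
    """Return one dict per Access-Accept: user, id, nas, attrs{name: (tag, value)}."""
    accepts, cur, user = [], None, None
    for line in log.splitlines():
        if m := LOGIN_RE.match(line):
            user = m.group(1)            # user named in the preceding "Login OK"
        elif m := ACCEPT_RE.match(line):
            cur = {"user": user, "id": int(m.group(1)), "nas": m.group(2), "attrs": {}}
            accepts.append(cur)
        elif cur and (m := ATTR_RE.match(line)):
            name, tag, value = m.groups()
            # ":0" is the RFC 2868 tag that groups one Tunnel-* set; 0 = single set
            cur["attrs"][name] = (int(tag) if tag else None, value.strip('"'))
        else:
            cur = None                   # unindented line ends the attribute list
    return accepts

def missing_vlan(accepts):
    """Users whose accept lacks a complete Tunnel-* set (switch falls back to VLAN 1)."""
    return [a["user"] for a in accepts if not all(k in a["attrs"] for k in REQUIRED)]

def assigned_vlans(accepts):
    """Map user -> VLAN id for accepts that do carry Tunnel-Private-Group-Id."""
    return {a["user"]: a["attrs"]["Tunnel-Private-Group-Id"][1]
            for a in accepts if "Tunnel-Private-Group-Id" in a["attrs"]}
```

Run it over a real debug capture with `missing_vlan(parse_accepts(open("radiusd.log").read()))`; any PEAP user listed there is a candidate for the use_tunneled_reply fix above.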