Using freeradius and 802.1x for dynamic VLAN

lvizcardof at unsa.edu.pe lvizcardof at unsa.edu.pe
Mon Oct 15 23:03:03 CEST 2007


Hi,

>> carlos  Auth-Type = EAP, User-Password == "carlos"
>           ^^^^^^^^^^^^^^^^
I removed the part indicated: carlos  User-Password == "carlos"
The problem continues. I did the following:
In my switch I created three VLANs (2, 3 and 4). After that I assigned IPs to the VLANs and
ports too.
This is all the configuration from the switch:
===========================
console# show running-config
interface ethernet g1
exit
vlan database
vlan 2-4
exit
interface range ethernet g(2-8)
switchport access vlan 2
exit
interface range ethernet g(9-14)
switchport access vlan 3
exit
interface range ethernet g(15-20)
switchport access vlan 4
exit
dot1x system-auth-control
interface range ethernet g(2-8,10-14,16-20)
dot1x port-control auto
exit
interface range ethernet g(2-8,10-14,16-20)
dot1x re-authentication
exit
interface vlan 2
ip address 192.168.2.2 255.255.255.0
exit
interface vlan 3
ip address 192.168.3.3 255.255.255.0
exit
interface vlan 4
ip address 10.20.10.251 255.255.255.0
exit
ip default-gateway 10.20.10.1
radius-server host 10.20.10.13 auth-port  1645 timeout  3
radius-server host 10.20.10.251 auth-port 1645 timeout 3 retransmit 3  key misecreto
radius-server host 192.168.2.2 auth-port 1645 timeout 3 retransmit 3  key misecreto
radius-server host 192.168.3.3 auth-port 1645 timeout 3 retransmit 3  key misecreto
radius-server key misecreto
aaa authentication dot1x default radius
username admin password 7d8c9c8b116cdfe3fb091f4c1ac684de level 15 encrypted

Vlan       Name                   Ports                Type     Authorization
---- ----------------- --------------------------- ------------ -------------
  1           1             g(1,21-24),ch(1-8)         other       Required
  2           2                   g(1-8)             permanent     Required
  3           3                  g(1,9-14)           permanent     Required
  4           4                  g(15-20)            permanent     Required

console# show ip interface


   Gateway IP Address        Activity status       Type
----------------------- ----------------------- --------
10.20.10.1              Active                  static


       IP Address                 I/F             Type
----------------------- ---------------------- ---------
10.20.10.251/24         vlan 4                 Static
192.168.2.2/24          vlan 2                 Static
192.168.3.3/24          vlan 3                 Static
===============================================

As you can see, this is the configuration of my switch.
In the users file I have the following configuration.
+++++++++++++++++++++++++++++++++++++++++++++
carlos     User-Password == "carlos"
         Service-Type = Framed-User,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 2

saul    User-Password == "saul"
         Service-Type = Framed-User,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-ID = 4

+++++++++++++++++++++++++++++++++++++++++++++

Now the problem is this: the PC client (Windows XP) is connected to
port 17, which is included in VLAN 4. When I enter the user
carlos and his password carlos, it shouldn't authenticate because this
user is assigned to VLAN 2. But the problem is that the user is
authenticated and has access to VLAN 4.

My conclusion is that:  Tunnel-Type = VLAN,
                        Tunnel-Medium-Type = IEEE-802,
                        Tunnel-Private-Group-Id = 2
don't work.

I probably need to configure something.





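The users entries above, as an added example that is not part of the original post or of FreeRADIUS: a small Python script that parses the posted users-file fragment (attribute names compared case-insensitively, as FreeRADIUS does, so the Id/ID spelling difference does not matter) and encodes the three RFC 2868 reply attributes into the RADIUS AVP bytes an Access-Accept should carry, so the reply can be checked against a packet capture before suspecting the switch. The attribute numbers 64/65/81 and the values VLAN=13 and IEEE-802=6 come from RFC 2868; the USERS_FILE text is the fragment from the post, embedded as sample input.

```python
# RFC 2868 attribute numbers and the named values FreeRADIUS maps them to.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VALUES, TUNNEL_MEDIUM_VALUES = {"VLAN": 13}, {"IEEE-802": 6}

# The users-file fragment from the post, embedded here as sample input.
USERS_FILE = """\
carlos     User-Password == "carlos"
         Service-Type = Framed-User,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-Id = 2
saul    User-Password == "saul"
         Service-Type = Framed-User,
         Tunnel-Type = VLAN,
         Tunnel-Medium-Type = IEEE-802,
         Tunnel-Private-Group-ID = 4
"""

def parse_users(text):
    """Return {username: {reply_attr_lowercase: value}} for each entry."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():      # unindented line: "name  check-items"
            current = line.split()[0]
            entries[current] = {}
        else:                          # indented lines are the reply items
            key, value = line.strip().rstrip(",").split("=", 1)
            entries[current][key.strip().lower()] = value.strip()
    return entries

def assigned_vlan(text, user):
    """VLAN the file assigns to `user`, or None if the triple is incomplete."""
    reply = parse_users(text).get(user, {})
    needed = ("tunnel-type", "tunnel-medium-type", "tunnel-private-group-id")
    if not all(k in reply for k in needed):
        return None
    return int(reply["tunnel-private-group-id"])

def vlan_avps(reply, tag=0):
    """Encode the VLAN triple as RADIUS AVPs: type, length, tag byte, value."""
    ttype = TUNNEL_TYPE_VALUES[reply["tunnel-type"]]
    medium = TUNNEL_MEDIUM_VALUES[reply["tunnel-medium-type"]]
    group = reply["tunnel-private-group-id"].encode()
    # Integer tunnel attributes: tag byte + 3-byte value; Group-ID: tag + string.
    avps = bytes([TUNNEL_TYPE, 6, tag]) + ttype.to_bytes(3, "big")
    avps += bytes([TUNNEL_MEDIUM_TYPE, 6, tag]) + medium.to_bytes(3, "big")
    avps += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(group), tag]) + group
    return avps
```

If the bytes produced for carlos (VLAN 2) match what a capture of the Access-Accept shows, FreeRADIUS is sending the assignment and the remaining question is whether the switch honours these attributes on a dot1x port.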