Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure

James J J Hooper jjj.hooper at bristol.ac.uk
Wed Aug 11 07:46:56 CEST 2010



--On 10 August 2010 17:24 -0500 Thomas Donnelly <tad1214 at gmail.com> wrote:

> Hello All,
>
> There are quite a few components coming into play here so I'm not exactly
> sure what's breaking where.
>
> Let me start with explaining our setup:
>
> We use Cisco 1142 AGN lightweight access points connected to a 4402
> Wireless LAN Controller
>
> This controller is doing RADIUS authentication off of FreeRADIUS 1.1.8
> (with FreeBSD as the Host OS) on our primary SSID.
> When people authenticate it replies with Tunnel-Private-Group-ID based on
> their username/group.
> This puts them in the correct vlan for their department.
>
> This works perfectly fine with our Apple Laptops, iPhones, and iPads.
>
> However when I join with my Android phone or my n900 (maemo), I get put
> in the default vlan for the SSID. After some digging I found the
> following:
>
> When joining from the Apple devices, the User-Name comes across as
>
> Tue Aug 10 17:13:03 2010
>         User-Name = "someone at somehwere.net"
>
> When joining from my Android, it comes across as:
>
> Tue Aug 10 11:26:53 2010
>          User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
>
> (A few chars changed to prevent the username from being figured out)
>
> This somehow is authenticating correctly because I get an IP address (in
> the incorrect vlan) and can surf the net, and if I mistype the password I
> get an authentication failure.
> However when it tries to do a match for the username to determine their
> group/vlan it fails because we don't have any users with that user name.
>
> Has anyone seen this before or have any leads I should follow?

Hi Tom,

Several small devices (phones etc) send a string such as above as the 
*outer* user-name - if you don't like this you need to re-config the device 
where possible [1].

More importantly, it seems you might be deciding VLAN based on the outer 
user-name in the request - this is bad (arbitrarily spoofable). You should 
use the EAP inner user-name.

* Upgrading to 2.1.x will make the inner/outer sessions much easier to 
configure and verify.

* Running radiusd -X [& post here] will confirm if this is the problem.

[1] Maemo: After configuring, you need to click the Advanced-settings 
button, change to the EAP page, select 'Use manual user name' and enter 
whatever you want in the box.
(<http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies>)

Regards,
  James

--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk 	 	http://www.jamesjj.net
--
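To make the inner-identity approach concrete for FreeRADIUS 2.1.x, here is an added configuration sketch (not from this thread and not the poster's config): the VLAN attributes are attached to the user entry matched inside the TTLS/PEAP tunnel and copied to the outer Access-Accept, so the outer User-Name (the random-looking string the Android phone sends, or anything a client chooses to put there) never decides the VLAN. The usernames, passwords and VLAN ids are placeholders; the file paths are the stock 2.x raddb layout.

```conf
# raddb/eap.conf (FreeRADIUS 2.1.x): the inner authentication runs in the
# "inner-tunnel" virtual server, and with use_tunneled_reply the reply
# attributes set there are copied into the outer Access-Accept the WLC sees.
eap {
    ttls {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
        virtual_server = "inner-tunnel"
        use_tunneled_reply = yes
    }
}

# raddb/users, read by the "files" module in the inner-tunnel server.
# The match is against the INNER User-Name, i.e. the identity that was
# actually authenticated, so an outer name such as
# "1fT6ESzC4Dbj9oIpiJjjfg==" or a typed-in "someone-else at example.net"
# has no influence on the VLAN.  Placeholder users and VLAN ids.
"alice"  Cleartext-Password := "placeholder-password"
         Tunnel-Type := VLAN,
         Tunnel-Medium-Type := IEEE-802,
         Tunnel-Private-Group-ID := "20"

"bob"    Cleartext-Password := "placeholder-password"
         Tunnel-Type := VLAN,
         Tunnel-Medium-Type := IEEE-802,
         Tunnel-Private-Group-ID := "30"

# A user who authenticates but matches no department entry gets no
# Tunnel-* attributes and therefore lands on the SSID's default VLAN
# on the WLC, which is the safe fallback.
```

If the group lookup lives in LDAP or SQL rather than the users file, the same rule applies: the module must run in the inner-tunnel virtual server, and `radiusd -X` will show the inner `User-Name` being used for the match.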