802.1x dynamic vlan assignment not assigning VLAN

Martijn Craeghs martijncr at msn.com
Tue May 12 13:11:30 CEST 2015 

I recently dived into 802.1x authentication with dynamic vlan assigment.

My current set up contains of:
- A client
- A SG220 cisco switch (the supplicant)
- A freeradius (authenticator) based on an LDAP AD
- A fortigate for firewall purposes and acting as DHCP server.

As far as authentication goes it works. My user get's authenticated and
recieves an Access-Accept message in this form.

Sending Access-Accept of id 12 to xxx.xxx.xxx.xxx port 6103
Tunnel-Private-Group-Id:0 = "vlan_name"
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Type:0 = VLAN
MS-MPPE-Recv-Key =
0xd899b158c44adb59894a8ad4c7554010571fffe1c3ef87f74db910c482c2be82
MS-MPPE-Send-Key =
0xe094d1c3e2fb5d5153963089c533278338d655284858156b0fb2e78e72ab7060
EAP-Message = 0x03320004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "username"

I've added the tunnel attributes to my LDAP directory and like the previous
freeradius debug message show it's stored in the radius package.

I've read countless of threads where you should add "use_tunneled_reply =
yes" to your eap.conf file which i have done as shown below:

  eap {
                use_tunneled_reply = yes
                default_eap_type = ttls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                max_sessions = 4096
                md5 {
                }
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                tls {
                        certdir = ${confdir}/certs
                        cadir = ${confdir}/certs
                        private_key_password = whatever
                        private_key_file = ${certdir}/server.key
                        pem_file_type = yes
                        certificate_file = ${certdir}/server.pem
                        CA_file = ${cadir}/ca.pem
                        dh_file = ${certdir}/dh
                        random_file = /dev/urandom
                        CA_path = ${cadir}
                        cipher_list = "DEFAULT"
                        make_cert_command = "${certdir}/bootstrap"
                        cache {
                              enable = no
                              max_entries = 255
                        }
                        verify {
                        }
                }
                ttls {
                        virtual_server = "inner-tunnel"
                }
                peap {
                        virtual_server = "inner-tunnel"
                }
                mschapv2 {
                }
        }

As far as switch config goes for an interface:


encrypted radius-server host xxx.xxx.xxx.xxx auth-port 1812 acct-port 0 key
"some hash"== priority 1 usg-type 802.1x
aaa authentication enable default radius
dot1x system-auth-control

vlan 50
name "vlan_name"

interface gi1
switchport mode access
dot1x port-control auto
spanning-tree portfast

The switch vlan's get their dhcp from fortigate where the vlan's are also
created.

I've only got it working to the point where i've set static access ports.

I've ran out of options and forums to look through at this point.


Would be glad if someone could give me a push in the right direction. Not
even sure if i should look for the problem on the freeradius side or the
switch side.

If you need more files or logs just give me a poke.

kind regards

More information about the Freeradius-Users mailing list