<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Using FreeRadius to override VLAN Assignment</TITLE>
<META content="text/html; charset=us-ascii" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19170"></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=246223918-04012012><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=246223918-04012012><FONT color=#0000ff
size=2 face=Arial>A few things -- I do note the case doesn't match (-id vs
-Id) in your original paste. Second, even though the value of 16 is
not what you want, even if you get that fixed, note that it is not being copied
to the outer reply (e.g. with use_tunneled_reply in peap, or maybe you are
filtering it away in ./attrs.)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=246223918-04012012><FONT color=#0000ff
size=2 face=Arial></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=246223918-04012012><FONT color=#0000ff
size=2 face=Arial>(Also note that once you get that working, it should work, but
there are some Cisco devices that instead want Cisco-AVPair +=
"tunnel-private-group-id=XXX", though I have only seen this on wired switches
not APs.)</FONT></SPAN></DIV>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV>
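<P>An added example, not part of the original messages and not FreeRADIUS code: a Python script that compares the attributes in the "[peap] Got tunneled reply" block of radiusd -X output with those in the "Sending Access-Accept" block, which is the comparison the reply above makes by eye. The sample input is trimmed from the debug output quoted later in this thread, with the key material left out; the function names are hypothetical and names are compared case-insensitively as a choice of this script.</P>

```python
import re

# Attributes the AP needs in the outer Access-Accept for a VLAN override.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

# Constructed sample: trimmed from the radiusd -X output quoted in this thread.
SAMPLE_DEBUG = """\
[peap] Got tunneled reply code 2
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "16"
\tEAP-Message = 0x030a0004
\tUser-Name = "jmcsparin"
[peap] Tunneled authentication was successful.
Sending Access-Accept of id 200 to 10.1.1.50 port 35858
\tEAP-Message = 0x030b0004
\tUser-Name = "jmcsparin"
Finished request 49.
"""

# "Name = value" or "Name:tag = value"; the tag (":0") is dropped.
ATTR_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)(?::\d+)?\s*\+?=\s*(.*)$')


def parse_replies(debug_text):
    """Return (inner, outer): attributes of the last tunneled reply and
    of the last Access-Accept, keyed by lower-cased attribute name."""
    replies = {"inner": {}, "outer": {}}
    current = None
    for line in debug_text.splitlines():
        if line.startswith("[peap] Got tunneled reply"):
            current = "inner"
            replies[current] = {}
        elif line.startswith("Sending Access-Accept"):
            current = "outer"
            replies[current] = {}
        else:
            m = ATTR_RE.match(line)
            if m and current:
                replies[current][m.group(1).lower()] = m.group(2).strip('"')
            elif not m:
                current = None  # any other log line ends the attribute list
    return replies["inner"], replies["outer"]


def missing_vlan_attrs(debug_text):
    """VLAN attributes present in the tunneled reply but not in the Access-Accept."""
    inner, outer = parse_replies(debug_text)
    return [a for a in VLAN_ATTRS if a.lower() in inner and a.lower() not in outer]
```

<P>A non-empty result from missing_vlan_attrs() means the inner-tunnel reply carried the VLAN attributes but the packet sent to the access point did not, so the server side needs fixing before the AP is examined.</P>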
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B>
freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org
[mailto:freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org] <B>On
Behalf Of </B>McSparin, Joe<BR><B>Sent:</B> Wednesday, January 04, 2012 1:37
PM<BR><B>To:</B> FreeRadius users mailing list<BR><B>Subject:</B> RE: Using
FreeRadius to override VLAN Assignment<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=308073318-04012012><FONT size=2
face=Arial>Here is my radiusd -X; it looks to me like the Access-Accept is not
returning the VLAN with it.</FONT></SPAN></DIV><SPAN
class=308073318-04012012><FONT color=#0000ff size=2 face=Arial>
<DIV dir=ltr align=left><BR># Executing section post-auth from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel<BR>} # server
inner-tunnel<BR>[peap] Got tunneled reply code
2<BR> Tunnel-Type:0 =
VLAN<BR> Tunnel-Medium-Type:0 =
IEEE-802<BR> Tunnel-Private-Group-Id:0
= "16" </DIV>
<DIV dir=ltr align=left>
MS-MPPE-Encryption-Policy =
0x00000001<BR>
MS-MPPE-Encryption-Types =
0x00000006<BR> MS-MPPE-Send-Key =
0xa15daac8db91138c9543ff1dd79193d8<BR>
MS-MPPE-Recv-Key =
0x5b23ada7251bf55e939f78211bc91ee9<BR>
EAP-Message = 0x030a0004<BR>
Message-Authenticator =
0x00000000000000000000000000000000<BR>
User-Name = "jmcsparin"<BR>[peap] Got tunneled reply RADIUS code
2<BR> Tunnel-Type:0 =
VLAN<BR> Tunnel-Medium-Type:0 =
IEEE-802<BR> Tunnel-Private-Group-Id:0
= "16"<BR> MS-MPPE-Encryption-Policy =
0x00000001<BR>
MS-MPPE-Encryption-Types =
0x00000006<BR> MS-MPPE-Send-Key =
0xa15daac8db91138c9543ff1dd79193d8<BR>
MS-MPPE-Recv-Key =
0x5b23ada7251bf55e939f78211bc91ee9<BR>
EAP-Message = 0x030a0004<BR>
Message-Authenticator =
0x00000000000000000000000000000000<BR>
User-Name = "jmcsparin"<BR>[peap] Tunneled authentication was
successful.<BR>[peap] SUCCESS<BR>++[eap] returns handled<BR>Sending
Access-Challenge of id 199 to 10.1.1.50 port
35858<BR> EAP-Message =
0x010b002b19001703010020c4f38e69d73c88a387eba5b0923e812f7d609d6c9d329f90acd78fc19eb2381f<BR>
Message-Authenticator =
0x00000000000000000000000000000000<BR>
State = 0x11074b60180c524471e7db294b4fecfb<BR>Sending Access-Accept of id 200 to
10.1.1.50 port 35858<BR>
MS-MPPE-Recv-Key =
0x3d7918ad48100976d9f4db012a50f82b6dba74d3777f6bdca2648b0db3eb9650<BR>
MS-MPPE-Send-Key =
0xd4fcd3d81bc0e75431a4baa52fff9b7dce70f1cf1025fe2aac060f30f45b35bb<BR>
EAP-Message = 0x030b0004<BR>
Message-Authenticator =
0x00000000000000000000000000000000<BR>
User-Name = "jmcsparin"<BR>Finished request 49.<BR></DIV></FONT></SPAN>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV><!-- Converted from text/rtf format -->
<P><SPAN lang=en-us><FONT size=2 face=Calibri>Joseph R. McSparin<BR>Network
Administrator<BR>Hill Country Memorial Hospital<BR>830 990 6638 phone<BR>830 990
6623 fax<BR>jmcsparin@hillcountrymemorial.org</FONT></SPAN> </P>
<DIV><FONT color=#0000ff size=2 face=Arial></FONT> </DIV><FONT size=2
face=Calibri></FONT><FONT size=2 face=Calibri></FONT><BR>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B>
freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org
[mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org@lists.freeradius.org]
<B>On Behalf Of </B>Brian Julin<BR><B>Sent:</B> Wednesday, January 04, 2012
10:49 AM<BR><B>To:</B> FreeRadius users mailing list<BR><B>Subject:</B> RE:
Using FreeRadius to override VLAN Assignment<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=449274616-04012012><FONT color=#0000ff
size=2 face=Arial>The first order of business would be to run freeradius in debug
mode, or launch an eapol_test client against it, and look to see
whether the attribute is being sent. If you do not know whether the
attribute is being sent, you cannot determine whether it is the AP or the
freeradius server that needs fixing.</FONT></SPAN></DIV><BR>
<DIV dir=ltr lang=en-us class=OutlookMessageHeader align=left>
<HR tabIndex=-1>
<FONT size=2 face=Tahoma><B>From:</B>
freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org
[mailto:freeradius-users-bounces+bjulin=clarku.edu@lists.freeradius.org] <B>On
Behalf Of </B>McSparin, Joe<BR><B>Sent:</B> Wednesday, January 04, 2012 11:00
AM<BR><B>To:</B> FreeRadius users mailing list<BR><B>Subject:</B> Using
FreeRadius to override VLAN Assignment<BR></FONT><BR></DIV>
<DIV></DIV><!-- Converted from text/rtf format -->
<P><FONT size=2 face=Arial>I have put the following into my users files</FONT>
</P>
<P><FONT size=2 face=Arial>DEFAULT Auth-Type = "ntlm_auth"</FONT>
<BR><FONT size=2
face=Arial>
Tunnel-Type = "VLAN",</FONT> <BR><FONT size=2
face=Arial>
Tunnel-Medium-Type = "IEEE-802",</FONT> <BR><FONT size=2
face=Arial>
Tunnel-Private-Group-id = "1001"</FONT> </P>
<P><FONT size=2 face=Arial>I have told my access point to Allow RADIUS Override
on the VLAN Assignment; however, the VLAN is not getting overridden. Does
the above entry in my users file not actually send back a VLAN assignment, and
if not, is there somewhere else this is supposed to be done?</FONT></P>
<P><FONT size=2 face=Calibri>Joseph R. McSparin<BR>Network Administrator<BR>Hill
Country Memorial Hospital<BR>830 990 6638 phone<BR>830 990 6623
fax<BR>jmcsparin@hillcountrymemorial.org</FONT> </P><BR>
<HR>
<P class=MsoNormal><FONT size=2 face=Arial><SPAN
style="FONT-FAMILY: Arial; FONT-SIZE: 10pt"><FONT size=1><SPAN
style="FONT-FAMILY: tahoma,arial,helvetica,sans-serif">This email message and
any attachments are for the sole use of the intended recipient(s) and contain
confidential and/or privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended recipient,
please contact the sender by reply email and destroy all copies of the original
message and any attachments.</SPAN></FONT><O:P /></SPAN></FONT></P><BR>
</BODY></HTML>