<div class="gmail_extra">We are modifying the wireless access to our LAN.</div><div class="gmail_extra">We
are trying to use a Cisco WLC and our FreeRADIUS. We've been using this
same FreeRADIUS for authenticating users against the corporate LDAP.
Now we want the WLC to talk to the RADIUS server without losing any
functionality like user authentication or VLAN assignment.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Our main
problem is that the VLAN assignment is not working when we use the WLC.
The scenario with the APs talking to the RADIUS server directly works fine, but
when we use lightweight APs and the WLC we can see that the VLAN
assignment part is skipped by the authentication process and all the
users are sent to the same VLAN.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">The
following is the output of the two cases. One of them is a user
authenticating without the WLC (the AP talks directly to the RADIUS server),
and the other is an authentication where the WLC talks to the RADIUS server (the one that is not working).<br></div>
<div class="gmail_extra"><br></div><div class="gmail_extra">- 10.32.2.81 is the WLC IP address.</div><div class="gmail_extra"><br></div><div class="gmail_extra">- 10.32.2.39 is the AP IP address.</div><div class="gmail_extra"><br></div><div class="gmail_extra">WLC software version: 7.0.116.0</div><div class="gmail_extra"><br></div><div class="gmail_extra">These are the outputs:</div><div class="gmail_extra"><br></div><div class="gmail_extra">1) AP - RADIUS (No WLC)<br><br>*****************************************************<br>
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205, length=184<br> User-Name = "fcanales"<br> Framed-MTU = 1400<br> Called-Station-Id = "001d.4551.7da0"<br> Calling-Station-Id = "5894.6b0d.e86c"<br>
Service-Type = Login-User<br> Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4<br> EAP-Message = 0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712<br>
NAS-Port-Type = Wireless-802.11<br> NAS-Port = 59460<br> State = 0xf4160a33f11e13898255a02243c509d6<br> NAS-IP-Address = 10.32.2.39<br> NAS-Identifier = "ap-Reco32"<br>+- entering group authorize {...}<br>
++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] No '@' in User-Name = "fcanales", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>
[eap] EAP packet type response id 8 length 43<br>[eap] Continuing tunnel setup.<br>++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>
[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>[peap] Done initial handshake<br>[peap] eaptls_process returned 7 <br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>
[peap] Identity - fcanales<br>[peap] Got tunneled request<br> EAP-Message = 0x0208000d016663616e616c6573<br>server {<br> PEAP: Got tunneled identity of fcanales<br> PEAP: Setting default EAP type for tunneled EAP session.<br>
PEAP: Setting User-Name to fcanales<br>Sending tunneled request<br> EAP-Message = 0x0208000d016663616e616c6573<br> FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "fcanales"<br> Framed-MTU = 1400<br>
Called-Station-Id = "001d.4551.7da0"<br> Calling-Station-Id = "5894.6b0d.e86c"<br> Service-Type = Login-User<br> NAS-Port-Type = Wireless-802.11<br> NAS-Port = 59460<br>
NAS-IP-Address = 10.32.2.39<br> NAS-Identifier = "ap-Reco32"<br>server inner-tunnel {<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++? if (!Huntgroup-Name)<br>? Evaluating !(Huntgroup-Name) -> FALSE<br>
++? if (!Huntgroup-Name) -> FALSE<br>++? if (Huntgroup-Name == "list")<br>? Evaluating (Huntgroup-Name == "list") -> TRUE<br>++? if (Huntgroup-Name == "list") -> TRUE<br>++- entering if (Huntgroup-Name == "list") {...}<br>
+++? if (Ldap-Group == "WIFI-Direccion")<br>rlm_ldap: Entering ldap_groupcmp()<br> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar<br> expand: (uid=%u) -> (uid=fcanales)<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>
rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales)<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br>
expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales)))<br>rlm_ldap: object not found<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>
rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a member.<br>+++? if (Ldap-Group == "WIFI-MKTyCC")<br>rlm_ldap: Entering ldap_groupcmp()<br> expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar<br>
<br>WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br> expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))<br>
rlm_ldap: object not found<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a member.<br>+++? if (Ldap-Group == "WIFI-TyO")<br>rlm_ldap: Entering ldap_groupcmp()<br>
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar<br>WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br> expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))<br>
rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE<br>+++? if (Ldap-Group == "WIFI-TyO") -> TRUE<br>
+++- entering if (Ldap-Group == "WIFI-TyO") {...}<br>++++[reply] returns ok<br>+++- if (Ldap-Group == "WIFI-TyO") returns ok<br>+++? if (Ldap-Group == "WIFI-ITfuncional")<br>rlm_ldap: Entering ldap_groupcmp()<br>
expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar<br>WARNING: Deprecated conditional expansion ":-". See "man unlang" for details<br> expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))<br>
rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))<br>
rlm_ldap: object not found<br>rlm_ldap: ldap_release_conn: Release Id: 0<br>rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a member.<br>++- if (Huntgroup-Name == "list") returns ok<br>++[chap] returns noop<br>
++[mschap] returns noop<br>++[unix] returns updated<br>[suffix] No '@' in User-Name = "fcanales", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[control] returns noop<br>
[eap] EAP packet type response id 8 length 13<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>[ldap] performing user authorization for fcanales<br>
[ldap] expand: (uid=%u) -> (uid=fcanales)<br>[ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales)<br>
[ldap] looking for check items in directory...<br>rlm_ldap: sambaNtPassword -> NT-Password == 0x3441313536383141373845384430414446424135364139373343343736374646<br>rlm_ldap: sambaLmPassword -> LM-Password == 0x4446323634314431373041414432333739433530313441453437313841374545<br>
[ldap] looking for reply items in directory...<br>WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>[ldap] user fcanales authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Normalizing NT-Password from hex encoding<br>[pap] Normalizing LM-Password from hex encoding<br>
[pap] Found existing Auth-Type, not changing it.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type mschapv2<br>rlm_eap_mschapv2: Issuing Challenge<br>
++[eap] returns handled<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 11<br> Tunnel-Type:0 = VLAN<br> Tunnel-Medium-Type:0 = IEEE-802<br> Tunnel-Private-Group-Id:0 = "212"<br>
EAP-Message = 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x158baf111582b5a1fb3a126781117cd4<br>[peap] Got tunneled reply RADIUS code 11<br>
Tunnel-Type:0 = VLAN<br> Tunnel-Medium-Type:0 = IEEE-802<br> Tunnel-Private-Group-Id:0 = "212"<br> EAP-Message = 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x158baf111582b5a1fb3a126781117cd4<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 205 to 10.32.2.39 port 1645<br>
EAP-Message = 0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xf4160a33f21f13898255a02243c509d6<br>Finished request 38.<br><br>*****************************************************<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">
<br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">2) WLC - RADIUS<br><br>*****************************************************<br><br>rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119, length=280<br>
User-Name = "fcanales"<br> Calling-Station-Id = "58-94-6b-0d-e8-6c"<br> Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"<br> NAS-Port = 1<br> Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"<br>
NAS-IP-Address = 10.32.2.81<br> NAS-Identifier = "Iplan_wcs"<br> Airespace-Wlan-Id = 1<br> Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br>
Tunnel-Type:0 = VLAN<br> Tunnel-Medium-Type:0 = IEEE-802<br> Tunnel-Private-Group-Id:0 = "60"<br> EAP-Message = 0x0208002b190017030100200c857843d879e361aad79c8a2dccee6de8b04225d90b753a81b636a8090f0193<br>
State = 0xcb0bb3aace03aab2864a9aacb255d323<br> Message-Authenticator = 0x62ca91e9e88fbba794e6e51db7aa67ec<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 8 length 43<br>[eap] Continuing tunnel setup.<br>
++[eap] returns ok<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP/peap<br>[eap] processing type peap<br>[peap] processing EAP-TLS<br>[peap] eaptls_verify returned 7 <br>
[peap] Done initial handshake<br>[peap] eaptls_process returned 7 <br>[peap] EAPTLS_OK<br>[peap] Session established. Decoding tunneled attributes.<br>[peap] Identity - fcanales<br>[peap] Got tunneled request<br> EAP-Message = 0x0208000d016663616e616c6573<br>
server {<br> PEAP: Got tunneled identity of fcanales<br> PEAP: Setting default EAP type for tunneled EAP session.<br> PEAP: Setting User-Name to fcanales<br>Sending tunneled request<br> EAP-Message = 0x0208000d016663616e616c6573<br>
FreeRADIUS-Proxied-To = 127.0.0.1<br> User-Name = "fcanales"<br> Calling-Station-Id = "58-94-6b-0d-e8-6c"<br> Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"<br>
NAS-Port = 1<br> Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"<br> NAS-IP-Address = 10.32.2.81<br> NAS-Identifier = "Iplan_wcs"<br> Airespace-Wlan-Id = 1<br>
Service-Type = Framed-User<br> Framed-MTU = 1300<br> NAS-Port-Type = Wireless-802.11<br> Tunnel-Type:0 = VLAN<br> Tunnel-Medium-Type:0 = IEEE-802<br> Tunnel-Private-Group-Id:0 = "60"<br>
server inner-tunnel {<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++? if (!Huntgroup-Name)<br>? Evaluating !(Huntgroup-Name) -> TRUE<br>++? if (!Huntgroup-Name) -> TRUE<br>++- entering if (!Huntgroup-Name) {...}<br>
+++[reply] returns ok<br>++- if (!Huntgroup-Name) returns ok<br>++? if (Huntgroup-Name == "list")<br> (Attribute Huntgroup-Name was not found)<br>++[chap] returns noop<br>++[mschap] returns noop<br>++[unix] returns updated<br>
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL<br>[suffix] No such realm "NULL"<br>++[suffix] returns noop<br>++[control] returns noop<br>[eap] EAP packet type response id 8 length 13<br>
[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[files] returns noop<br>[ldap] performing user authorization for fcanales<br>[ldap] expand: (uid=%u) -> (uid=fcanales)<br>
[ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar<br>rlm_ldap: ldap_get_conn: Checking Id: 0<br>rlm_ldap: ldap_get_conn: Got Id: 0<br>rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales)<br>
[ldap] looking for check items in directory...<br>rlm_ldap: sambaNtPassword -> NT-Password == 0x3441313536383141373845384430414446424135364139373343343736374646<br>rlm_ldap: sambaLmPassword -> LM-Password == 0x4446323634314431373041414432333739433530313441453437313841374545<br>
[ldap] looking for reply items in directory...<br>WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?<br>[ldap] user fcanales authorized to use remote access<br>
rlm_ldap: ldap_release_conn: Release Id: 0<br>++[ldap] returns ok<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] Normalizing NT-Password from hex encoding<br>[pap] Normalizing LM-Password from hex encoding<br>
[pap] Found existing Auth-Type, not changing it.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type mschapv2<br>rlm_eap_mschapv2: Issuing Challenge<br>
++[eap] returns handled<br>} # server inner-tunnel<br>[peap] Got tunneled reply code 11<br> Tunnel-Type:0 = VLAN<br> Tunnel-Medium-Type:0 = IEEE-802<br> Tunnel-Private-Group-Id:0 = "249"<br>
EAP-Message = 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xab42e29bab4bf81ef23bc50dea94c334<br>[peap] Got tunneled reply RADIUS code 11<br>
Tunnel-Type:0 = VLAN<br> Tunnel-Medium-Type:0 = IEEE-802<br> Tunnel-Private-Group-Id:0 = "249"<br> EAP-Message = 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573<br>
Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0xab42e29bab4bf81ef23bc50dea94c334<br>[peap] Got tunneled Access-Challenge<br>++[eap] returns handled<br>Sending Access-Challenge of id 119 to 10.32.2.81 port 32768<br>
EAP-Message = 0x0109004b1900170301004075cf3c75c7a8311c01bc5581aac330e49586ce6e0001e8add345d7773aeeacba61b235c462fe0966e565d9e6279f111bf94fa3d8a4bff8a4ce82ab24d65f9c31<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xcb0bb3aacd02aab2864a9aacb255d323<br>Finished request 48.<br>Going to the next request<br>Waking up in 4.9 seconds.<br><br>*****************************************************<br></div>
<div class="gmail_extra"><br>Thanks for all.<br></div><br clear="all"><br>-- <br>--<br><br>Silvero Martin<br>
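The two traces differ at one point: in case 1 the inner tunnel logs "Evaluating !(Huntgroup-Name) -> FALSE", enters the "Huntgroup-Name == "list"" block, runs the Ldap-Group comparisons and returns VLAN 212 for WIFI-TyO; in case 2 it logs "Evaluating !(Huntgroup-Name) -> TRUE", takes the default "if (!Huntgroup-Name)" reply (VLAN 249) and never reaches the group checks ("Attribute Huntgroup-Name was not found"). Since huntgroups are matched on NAS attributes such as NAS-IP-Address, the likely cause is that the WLC's address (10.32.2.81) is not listed in the huntgroup that the AP's address is. The script below is an added example, not code from the original post or from the FreeRADIUS project: it parses radiusd -X debug output, records per request which NAS sent it, whether Huntgroup-Name was set, which Ldap-Group checks ran and which VLAN the tunneled reply carried, and flags requests where the group-based assignment was skipped. The embedded sample trace is an abridged, constructed version of the two outputs above; the regexes are assumptions about the 2.x debug line formats shown on this page.

```python
"""Audit FreeRADIUS 2.x debug output (radiusd -X) for per-NAS VLAN assignment.

Constructed example; parses the line shapes seen in the two traces above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RequestTrace:
    packet_id: int
    nas_ip: Optional[str] = None
    nas_identifier: Optional[str] = None
    request_vlan: Optional[str] = None      # Tunnel-Private-Group-Id the NAS itself sent
    huntgroup_found: Optional[bool] = None  # outcome of "if (!Huntgroup-Name)"
    groups_checked: List[str] = field(default_factory=list)
    matched_group: Optional[str] = None
    reply_vlan: Optional[str] = None        # Tunnel-Private-Group-Id in the tunneled reply


# Assumed line formats, modelled on the radiusd -X output quoted in the post.
RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
ATTR = re.compile(r'^\s*([\w-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$')
HUNT_EVAL = re.compile(r"^\? Evaluating !\(Huntgroup-Name\) -> (TRUE|FALSE)")
GROUP_CHECK = re.compile(r'^\++\? if \(Ldap-Group == "([^"]+)"\)\s*$')
GROUP_MATCH = re.compile(r'^\? Evaluating \(Ldap-Group == "([^"]+)"\) -> TRUE')
AUTHORIZE_START = "+- entering group authorize"
TUNNELED_REPLY = "[peap] Got tunneled reply"


def parse_debug(text: str) -> List[RequestTrace]:
    """Split a debug trace into one RequestTrace per Access-Request."""
    traces: List[RequestTrace] = []
    current: Optional[RequestTrace] = None
    phase = "none"  # "request": NAS attributes, "modules": unlang, "reply": tunneled reply
    for raw in text.splitlines():
        line = raw.rstrip()
        m = RAD_RECV.match(line)
        if m:
            current = RequestTrace(packet_id=int(m.group(2)), nas_ip=m.group(1))
            traces.append(current)
            phase = "request"
            continue
        if current is None:
            continue
        if line.startswith(AUTHORIZE_START):
            phase = "modules"
        elif line.startswith(TUNNELED_REPLY):
            phase = "reply"
        m = ATTR.match(line)
        if m and phase in ("request", "reply"):
            name, value = m.group(1), m.group(2).strip()
            if phase == "request":
                if name == "NAS-IP-Address":
                    current.nas_ip = value
                elif name == "NAS-Identifier":
                    current.nas_identifier = value
                elif name == "Tunnel-Private-Group-Id":
                    current.request_vlan = value
            elif name == "Tunnel-Private-Group-Id":
                current.reply_vlan = value
            continue
        m = HUNT_EVAL.match(line)
        if m:
            # "!(Huntgroup-Name) -> FALSE" means the attribute was present for this NAS
            current.huntgroup_found = m.group(1) == "FALSE"
            continue
        m = GROUP_CHECK.match(line)
        if m:
            current.groups_checked.append(m.group(1))
            continue
        m = GROUP_MATCH.match(line)
        if m:
            current.matched_group = m.group(1)
    return traces


def audit(traces: List[RequestTrace]) -> List[Tuple[int, str, str]]:
    """Return (packet_id, code, message) findings for the administrator to review."""
    findings: List[Tuple[int, str, str]] = []
    for t in traces:
        nas = f"{t.nas_ip} ({t.nas_identifier or 'no NAS-Identifier'})"
        if t.huntgroup_found is False:
            findings.append((t.packet_id, "NO_HUNTGROUP",
                             f"NAS {nas} matched no huntgroup: Ldap-Group checks skipped, "
                             f"default reply VLAN {t.reply_vlan} applied"))
        elif t.matched_group:
            findings.append((t.packet_id, "GROUP_VLAN",
                             f"NAS {nas}: group {t.matched_group} -> VLAN {t.reply_vlan}"))
        elif t.huntgroup_found:
            findings.append((t.packet_id, "NO_GROUP_MATCH",
                             f"NAS {nas}: none of {t.groups_checked} matched; "
                             f"reply VLAN {t.reply_vlan}"))
        if t.request_vlan is not None:
            findings.append((t.packet_id, "NAS_SENT_VLAN",
                             f"NAS {nas} reported Tunnel-Private-Group-Id {t.request_vlan} "
                             f"in the request; the reply carries {t.reply_vlan}"))
    return findings


# Constructed, abridged sample built from the two traces in the post.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205, length=184
    User-Name = "fcanales"
    NAS-IP-Address = 10.32.2.39
    NAS-Identifier = "ap-Reco32"
+- entering group authorize {...}
server inner-tunnel {
? Evaluating !(Huntgroup-Name) -> FALSE
++? if (Huntgroup-Name == "list")
+++? if (Ldap-Group == "WIFI-Direccion")
rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a member.
+++? if (Ldap-Group == "WIFI-TyO")
? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE
+++? if (Ldap-Group == "WIFI-TyO") -> TRUE
} # server inner-tunnel
[peap] Got tunneled reply code 11
    Tunnel-Private-Group-Id:0 = "212"
Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119, length=280
    User-Name = "fcanales"
    NAS-IP-Address = 10.32.2.81
    NAS-Identifier = "Iplan_wcs"
    Tunnel-Private-Group-Id:0 = "60"
+- entering group authorize {...}
server inner-tunnel {
? Evaluating !(Huntgroup-Name) -> TRUE
+++[reply] returns ok
++? if (Huntgroup-Name == "list")
    (Attribute Huntgroup-Name was not found)
} # server inner-tunnel
[peap] Got tunneled reply code 11
    Tunnel-Private-Group-Id:0 = "249"
Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
"""

if __name__ == "__main__":
    for packet_id, code, message in audit(parse_debug(SAMPLE_DEBUG)):
        print(f"id={packet_id} {code}: {message}")
```

Run it against a captured radiusd -X session (pipe the file into parse_debug) and look for NO_HUNTGROUP findings: each one names a NAS whose address is not covered by the huntgroups file, which is exactly the condition under which the default VLAN wins over the LDAP group mapping.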