joaocdc@gmail.com <joaocdc@gmail.com> wrote:
This model is funcionaƧ, however have a problem (very serious), Radius does not know from which SSID the client is trying to authenticate, or whether it decides the basis solely of the Realm authentication of the client. I need to make the Radius check the VLAN that is associated with the request for user authentication. Check through the debug radius that an Access-Request packet has the following information:
... rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204, length=184 User-Name = "joao@fpti" Calling-Station-Id = "68-a3-c4-85-c5-89" Called-Station-Id = "00-26-cb-94-65-60:FPTI" NAS-Port = 29 NAS-IP-Address = 192.168.254.48 NAS-Identifier = "WLC-PTI" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 * Tunnel-Private-Group-Id:0 = "5"*
string != integer Tunnel-Private-Group-Id is a string. I have to do a similar thing to map a silly attribute coughed up by Cisco's useless WLC: ---- policy.conf ---- rewrite.quirk.wlc { if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") { switch "%{Airespace-Wlan-Id}" { case "1" { update request { NAS-Port-Id := "eduroam" } } case "5" { update request { NAS-Port-Id := "UTILICOM" } } case "6" { update request { NAS-Port-Id := "BTOpenzone" } } case "7" { update request { NAS-Port-Id := "soas-wpa-psk" } } case { update request { NAS-Port-Id := "UNKNOWN" } } } ... } ---- You should use (I am almost certain you should not be looking at tagged attributes, so drop the ':0' too): ---- notice the "...." ---- if (Tunnel-Private-Group-Id == "5") { [stuff] } ---- Cheers -- Alexander Clouter .sigmonster says: Do not apply to broken skin.