hi, ok, now the authentication request works (the problem was that if I restart the AP I lost this configuration. How can I save it using the web configuration?) Now the log is the following: rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166 User-Name = "TEST4" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=VLAN3" Service-Type = Login-User Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46 EAP-Message = 0x020600060d00 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "260" NAS-Port = 260 State = 0x0491685cf8ece3184d685dedfedbb3d4 NAS-IP-Address = 192.168.9.104 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 modcall[authorize]: module "mschap" returns noop for request 18 rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 18 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 18 users: Matched entry TEST4 at line 11 modcall[authorize]: module "files" returns ok for request 18 modcall: leaving group authorize (returns updated) for request 18 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 18 modcall: leaving group authenticate (returns ok) for request 18 Login OK: [TEST4/<no User-Password attribute>] (from client ap-test port 260 cli 000c.f135.f1ba) Sending Access-Accept of id 19 to 192.168.9.104 port 1645 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "TEST4" Finished request 18 and I have this users: TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN user2 Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN Now in the log there is Cisco-AVPair = "ssid=VLAN3" but user TEST4 is authenticated on the incorrect SSID (VLAN3). I suppose that the Cisco-AVPair check doesn't work in my configuration.... Are there other mistakes? Thanks for your answers... Bye Antonio
You misread my previous email .... you need: radius-server vsa send authentication ^^^^^^^^^^
this makes the cisco include the ssid in the AUTHENTICATION request which is what you need. Presently you only have: radius-server vsa send accounting
so the SSID is only being sent in accounting packets.
(having both is fine)
Regards, James
-- James J J Hooper, Information Services University of Bristol --