Sorry about this long first mail, but I figured I'd try to include as much information as possible. right away.. I'm trying to set up a rather complicated RADIUS structure that I hope will be able to support a number of different needs. Anyway, some bit of background information. Things I need to support: EDUROAM for my roaming users at other sites around Europe. EDUROAM for roaming users at my site via WLAN access points (SSID "EDUROAM"). Normal 802.1x for our local users via WLAN (another SSID) Normal 802.1x-enabled ethernet ports on switches. Modem pool access (Ascend MAX4000 - olde faithful still going strong :-) for out users and two neighboring departments (separate user databases) VPN gateway access (Nortel Contivity and OpenVPN) for out users and one other neighboring department. + More stuff (web services)... "Access" Hardware/Software: D-Link DWL-3200AP and DWL-8200AP WLAN access points HP ProCurve ethernet switches Ascend MAX4000 modem pool Nortel Contivity IPSEC VPN gateway OpenVPN server Anyway, I have set up our access points to successfully do EAP-TTLS authentication via RADIUS to a FreeRadius 1.1.7 server since this spring. (The VPN and modem pool is handled by another very old RADIUS server for the moment but I'm planning on moving those to the new FreeRadius structure when things are working smoothly). But now in our quest for implementing EDUROAM I starting looking at using FreeRadius 2.1 and do some intelligent proxying based on various criterias which gets complicated pretty quickly... :-) 1) Users connecting to the WLAN SSID "EDUROAM" should be handled as EDUROAM authentication requests and routed thru those RADIUS servers, and if successful should end up on our "EDUROAM" VLAN. 2) Users connecting to our "PERSONAL" WLAN SSID should be handled as local users only and if successfully authenticated should end up on our "TWILIGHT ZONE" VLAN. It seems I should be able to distinguish at the RADIUS server side between #1 and #2 via the "Called-Station-Id" attribute since the D-Link AP's we are using sets that to something like: Called-Station-Id = "00-17-9A-D3-9A-BA:EDUROAM" (where the last part is the WLAN SSID). 3) Users connecting to the 802.1x enabled physical ethernet ports should if authenticating as USER@ifm.liu.se be handled like #2 above, else be handled like #1 above, and if completely unsuccessful should be conencted to a third special VLAN. (This should be doable via the a RADIUS attribute telling the switch which VLAN to switch a successfully authenticated user's port to). 4) Modem pool users should accept request from three different realms USER@ifm.liu.se USER@dept2.liu.se USER@dept3.liu.se Route those to the correct RADIUS server responsible for authenticating those users, and in the response set the Ascend-special attributes to 'give' the user the right IP# from the departments special IP pools 5) VPN pool users should do something similar to #4 but using the Nortel-specific attributes. (We do #4 and #5 already today with the stoneage RADIUS server, sans the RADIUS-proxying stuff I want to do). Anyway - what I'm curious about is if there are others 'out there' that have done similar stuff before? Any cookbooks for setting up a FreeRadius 2 server in an EDUROAM environment? Anyone with experience talking to D-Link DWL-3200AP or 8200AP with EAP-TTLs and FreeRadius 2? I ran into a problem directly - for some unknown reason when I redirect my APs to talk to a proxying-only FreeRadius 2.1.0 server that forwards requests to our old FreeRadius 1.1.7 server the access points doesn't seem to correctly understand or mishandles (sort of - it looks like things are going OK, but the Window and MacOS X clients just goes into a loop with reretrying the authentication sequence and never finishing) the 'Access-Accept' sent to them after having successfully authenticated the user... And I'm at a loss as to why. I tried running the radiusd servers with -X to see what the difference in the responses are and I can't really see any big differences: FreeRadius 1.1.7 directly to the Access Point: First request: rad_recv: Access-Request packet from host 192.168.160.158:1115, id=0, length=181 Message-Authenticator = 0x377dba909d00b36f5edacd2d732b8cc6 Service-Type = Framed-User User-Name = "testson" Framed-MTU = 1488 Called-Station-Id = "00-17-9A-D3-9A-BA:EDUROAM" Calling-Station-Id = "00-30-65-18-72-61" NAS-Identifier = "ap13434" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0174657374736f6e NAS-IP-Address = 192.168.160.158 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Last response: Sending Access-Accept of id 6 to 192.168.160.158 port 1096 MS-MPPE-Recv-Key = 0xd95114ac0ba4ea2f18815d9d713bcc09730dce74705a24e87c1b3ff1e59bb391 MS-MPPE-Send-Key = 0x59bdb8c81b2d31916a50dbd43079f019616468618cd956c2bb8db99b29436b22 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testson" Finished request 6 FreeRadius 2.1.0 directly to the Access Point (with a response received via Proxying to the same 1.1.7 server): First request: rad_recv: Access-Request packet from host 192.168.160.158 port 1036, id=0, length=181 Message-Authenticator = 0x54e5c5b797c55e4cf49655edfa140e05 Service-Type = Framed-User User-Name = "testson\000" Framed-MTU = 1488 Called-Station-Id = "00-17-9A-D3-9A-BA:EDUROAM" Calling-Station-Id = "00-30-65-18-72-61" NAS-Identifier = "ap13434" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0200000c0174657374736f6e NAS-IP-Address = 192.168.160.158 NAS-Port = 2 NAS-Port-Id = "STA port # 2" Last response: Sending Access-Accept of id 6 to 192.168.160.158 port 1036 Vendor-Specific = 0x0000013711348565439b6986f71bfa7425319eac8dd791f24936bc66a8cdd928a91c9c4343958ef040212 4dd4f552726302e356b878e6474 Vendor-Specific = 0x0000013710348b855687f3a4ef1194289232229fe0be952c98689fb606c1e9d6ceae6a388baee98eeb292 be2d41ae58efa7f67737dec758c EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testson" Finished request 6. (I assume that 'Vendor-Specific' stuff is the MS-MPPE-Recv-Key stuff that the 1.1.7 talks about). Any suggestions? - Peter