Hi Forum, i have setup a freeradius server with MySQL for Dynamic VLAN assignment. Everything works fine with TP-Link AP running openWRT. Now I have changed to Unifi AP (Unifi Security Gateway Pro, Unifi Switch US-24 POE Unifi AP Pro) and the dynamic VLAN assignment will not work anymore. When I try to connect to the WPA2 Enterprise WLAN, credentials are accepted but I always been put to default VLAN. I googled around and found the Link, but I had no success anyway. http://freeradius.1045715.n5.nabble.com/Freeradius-and-Unifi-Vlan-td5743402.... <http://freeradius.1045715.n5.nabble.com/Freeradius-and-Unifi-Vlan-td5743402.html> Anyone has any ideas to help me please? Which further information do you need? I have a full freeradius -X Thanks Foxy freeradius debug: rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=0, length=162 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0267000a01766c616e32 Message-Authenticator = 0x06d999db3a89921c59829a06fc6a668c # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 103 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> vlan2 [sql] sql_set_user escaped user --> 'vlan2' rlm_sql (sql): Reserving sql socket id: 31 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id [sql] User found in group vlan2 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id rlm_sql (sql): Released sql socket id: 31 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 0 to 10.4.0.3 port 58475 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x016800160410d4aaf5baf1249b0b9757e28baaeaaa5f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=1, length=178 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026800080319152b State = 0x5bbe2fd05bd62b4f6758a6e7768e6c4f Message-Authenticator = 0x832e2a49ed7f71a89ddd64c031384e96 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 104 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> vlan2 [sql] sql_set_user escaped user --> 'vlan2' rlm_sql (sql): Reserving sql socket id: 30 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id [sql] User found in group vlan2 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id rlm_sql (sql): Released sql socket id: 30 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 1 to 10.4.0.3 port 58475 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x016900061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=2, length=297 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0269007f19800000007516030100700100006c0301589ed44589c48a46cf539f29ccb55919d495885606f29ed44e2a6c29bd86d9eb00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000 State = 0x5bbe2fd05ad7364f6758a6e7768e6c4f Message-Authenticator = 0x36c578d87de859f5bb186da5d12f866d # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 105 length 127 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 117 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0070], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 02ca], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 2 to 10.4.0.3 port 58475 EAP-Message = 0x016a040019c0000004661603010039020000350301ca88fca516ec799abd1ac079f7dcde1a67301926aae2707dc648d90fad15555400c01400000dff01000100000b00040300010216030102ca0b0002c60002c30002c0308202bc308201a4a003020102020900a5fffa2bd980f52f300d06092a864886f70d01010b050030163114301206035504030c0b7261737062657272797069301e170d3136303531363039353930305a170d3236303531343039353930305a30163114301206035504030c0b726173706265727279706930820122300d06092a864886f70d01010105000382010f003082010a0282010100c3d09a5c1cf391c424a9db1c9546 EAP-Message = 0xe2d0d56ef0c7992e58cc9fddfcca2e1e792de870f1b44732e39760c9be69d00bee75ebb6544ef6e7552cd6071cf42a0314dfcf5f6588403e82906d1bdc76e22d83d897f5822cc3ad4e8688b26a7e51272de8f12178c18eeef3736db12c082c610cf4ed064ca669a8502cd0b304f9b347e9b6e792d22b7477447b724fc1a5b8feaa5bc2dab89c47f61083f2ad2a713346a45779f64738f78e6c6b50dd9fba57b8c429d9130ffe2852ae300f0da67338d241c7f9ed1a3edfd9e60e4a204888db9e7c2b2c4b2720cac0bb75955fdc8dededdcd3005b33e3c3665cb56f8fea647fe98b100ac37981f6664b06baf77672578b49510203010001a30d300b3009 EAP-Message = 0x0603551d1304023000300d06092a864886f70d01010b0500038201010059f5ccb527a5c95bd585d481cf2c0d940a2100bfe19c781f8fc6c9fe6ecf9581cc11899915a4a4a76f93ce5d9a27a1377e9f5b595d0c91b85158b46264b6bbf53d663f5972a29bb9ee27f94fa19c0e10cb315bbfff1a0b9dada6af7b44055bde3a97fce3d03d0e3d9dd2ca98d02899654c38e978067be45716b8095b7eec985ed5766a840d768fde1384f8d70c2b2b62f3bf1ce577e8c7e55870217ef8101973e33c417108d7645823438b1b637bf66d11755e23ccceabf7256480a3ce55f410d5479aa862e7cd048a3661213131c38bdcfae6a8223dbc92e680e4e8feee2c86 EAP-Message = 0xf60edf462d78a0cd61d0be2a807c82feddfb62a74cd23265bc34cf55c8de1296160301014b0c00014703001741049b8ce76c18bbad24703b1770055b370369335679cf94ea52ffcf0fb82725e6e4180acdba12d45dc91ce19392b2aeeb8af3081f8475a36236ad67689782d72840010035cfee51ff337f1eb937b5a66c75b726e96a2c585d4987a1cbda13df17060e3ae4791a5b09b611fab6be846494ba450248e1da4d1e693940510d3dd879dbe65927e90cd4d325b64514f1af880c2b8b6bd2b702f3315084069dadfde74e622f29654c3ba1862ec885bbf541858571ab5e12c1b9baf903ade005a27da49e31b4f80697c4901e100f61f6c093f751 EAP-Message = 0xc33825db86cc5193821c21c0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd059d4364f6758a6e7768e6c4f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=3, length=176 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026a00061900 State = 0x5bbe2fd059d4364f6758a6e7768e6c4f Message-Authenticator = 0x99a1d9d626da9befea61798a088dcaa5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 106 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 3 to 10.4.0.3 port 58475 EAP-Message = 0x016b0076190084b8ddc47f9ae932aad390c476d83be799f4a0573ba9ffc44bb7ab4acd2aee1bf8c481909e6fb235ad5904953e0da13f76cab712d08f270272699821617e7c9bbbf02fe16724e3e118fb1544a1425a42b33d7627f1ac1a3ab6b40de72becd841b631813edf992c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd058d5364f6758a6e7768e6c4f Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=4, length=314 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026b0090198000000086160301004610000042410492699d0b4133e01f3077df1dd32450bb838549add65693b94f1403cc929899231cbad80effab16998dbc60b8de0238ddbe8fefdbbe3e770c3f662d37b37371771403010001011603010030164a6ac78696439e80a7b6e06d205e5a2a6b9a90d8531892b0a24de189284588156554a2a15cbbcb8cc0e9e8f87810c8 State = 0x5bbe2fd058d5364f6758a6e7768e6c4f Message-Authenticator = 0xbd183035d6eb70e1cf4df33759a104a0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 107 length 144 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 134 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 4 to 10.4.0.3 port 58475 EAP-Message = 0x016c0041190014030100010116030100302db38c5a4a30e8a20e40e33ea5c90ffc4390aa26733fa055d9e44df2df3fe2efec91ee64752fbaa81952491f4de66b73 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f Finished request 4. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=5, length=176 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026c00061900 State = 0x5bbe2fd05fd2364f6758a6e7768e6c4f Message-Authenticator = 0xfe48702c915ce42bd6857c1c98c2ad33 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 108 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 5 to 10.4.0.3 port 58475 EAP-Message = 0x016d002b19001703010020720525055a03208c8942699fac52371c34564e69c8ad2dca9670eb2ad7d7990b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f Finished request 5. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=6, length=213 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026d002b1900170301002047bc3b02b2b161c69c407fcc9499570fc44846071487cddd3238a74a6f1b5486 State = 0x5bbe2fd05ed3364f6758a6e7768e6c4f Message-Authenticator = 0x3043fa8c67010675ab157c9b041ec8e0 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 109 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - vlan2 [peap] Got inner identity 'vlan2' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x026d000a01766c616e32 server { [peap] Setting User-Name to vlan2 Sending tunneled request EAP-Message = 0x026d000a01766c616e32 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" NAS-IP-Address = 10.4.0.3 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 109 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> vlan2 [sql] sql_set_user escaped user --> 'vlan2' rlm_sql (sql): Reserving sql socket id: 29 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id [sql] User found in group vlan2 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id rlm_sql (sql): Released sql socket id: 29 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbf69de36bf07c49c7fdd6a5522e854fb [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x016e001f1a016e001a10e77e02f329ceda823151bee45600a691766c616e32 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbf69de36bf07c49c7fdd6a5522e854fb [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 6 to 10.4.0.3 port 58475 EAP-Message = 0x016e003b19001703010030273a2344da33da6bd4f07a68939b2d6fe8f074d5c8fc5d3bd995b603066ecf0ebadaa7b9c6bb0857de06eb1732da1372 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f Finished request 6. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=7, length=277 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026e006b190017030100609d599b8771f229409a0c80966b2d47df23ee2d458e0aa22554971c8dcbff5c8d6fd24841ac1f33f77b523ad33f435410bd3b5061388f389cf35852f2bbe989d6e79c80c01fa06efa1ac48960c28057604e2d52eaf27fcb9592b15bd81b9d9352 State = 0x5bbe2fd05dd0364f6758a6e7768e6c4f Message-Authenticator = 0x49a65641575dbc71665aa3a24ed858d4 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 110 length 107 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32 server { [peap] Setting User-Name to vlan2 Sending tunneled request EAP-Message = 0x026e00401a026e003b315e0f62a689f025e1df998ee87babf9de00000000000000007564685ceec9262c6ebfe53b4108d24ae06e720a0fe08a6c00766c616e32 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "vlan2" State = 0xbf69de36bf07c49c7fdd6a5522e854fb NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" NAS-IP-Address = 10.4.0.3 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 110 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> vlan2 [sql] sql_set_user escaped user --> 'vlan2' rlm_sql (sql): Reserving sql socket id: 28 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id [sql] User found in group vlan2 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id rlm_sql (sql): Released sql socket id: 28 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] Creating challenge hash with username: vlan2 [mschap] Client is using MS-CHAPv2 for vlan2, we need NT-Password ++[mschap] = ok +} # group MS-CHAP = ok MSCHAP Success ++[eap] = handled +} # group authenticate = handled } # server inner-tunnel [peap] Got tunneled reply code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbf69de36be06c49c7fdd6a5522e854fb [peap] Got tunneled reply RADIUS code 11 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x016f00331a036e002e533d41463237344142313833423934363930354534383236463136343338333230333744323432413432 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbf69de36be06c49c7fdd6a5522e854fb [peap] Got tunneled Access-Challenge ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 7 to 10.4.0.3 port 58475 EAP-Message = 0x016f005b19001703010050379671a1652397822077c4939f603c0697b5ad4acda69af23684b69747b835bc2eee51061ba9de8736ee1a212c16986b4976389fe0080d8f0d71a892795b124f8bcb4cf473180414321ba05012d9c804 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f Finished request 7. Going to the next request Waking up in 2.1 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=8, length=213 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x026f002b190017030100204e389e032c31ad1db1e6708b6e4b9d959b44e97a2133228df869f8852f589e6b State = 0x5bbe2fd05cd1364f6758a6e7768e6c4f Message-Authenticator = 0x931630aa75d0a3402894d50d928802c2 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 111 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x026f00061a03 server { [peap] Setting User-Name to vlan2 Sending tunneled request EAP-Message = 0x026f00061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "vlan2" State = 0xbf69de36be06c49c7fdd6a5522e854fb NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" NAS-IP-Address = 10.4.0.3 server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 111 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop [sql] expand: %{User-Name} -> vlan2 [sql] sql_set_user escaped user --> 'vlan2' rlm_sql (sql): Reserving sql socket id: 27 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'vlan2' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'vlan2' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'vlan2' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'vlan2' ORDER BY id [sql] User found in group vlan2 [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'vlan2' ORDER BY id rlm_sql (sql): Released sql socket id: 27 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x036f0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "vlan2" [peap] Got tunneled reply RADIUS code 2 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" EAP-Message = 0x036f0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "vlan2" [peap] Tunneled authentication was successful. [peap] SUCCESS [peap] Saving tunneled attributes for later ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 8 to 10.4.0.3 port 58475 EAP-Message = 0x0170002b1900170301002016ca7fa553aa22f428b1cc092d8c0edce568f4304d792dc1e4f3ee96aee7dbf4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5bbe2fd053ce364f6758a6e7768e6c4f Finished request 8. Going to the next request Waking up in 2.0 seconds. rad_recv: Access-Request packet from host 10.4.0.3 port 58475, id=9, length=213 User-Name = "vlan2" NAS-Identifier = "802aa8c9b930" NAS-Port = 0 Called-Station-Id = "80-2A-A8-CA-B9-30:test-radius" Calling-Station-Id = "44-00-10-57-E4-82" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0270002b19001703010020f1fad92ca1690eeab1fd596f4e05814f52fe6ca28544b4fa55eee6ea9709ba21 State = 0x5bbe2fd053ce364f6758a6e7768e6c4f Message-Authenticator = 0xdb9f0883a110094183004dd28a6f5261 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "vlan2", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 112 length 43 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [peap] Using saved attributes from the original Access-Accept Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" User-Name = "vlan2" [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +group post-auth { [sql] expand: %{User-Name} -> vlan2 [sql] sql_set_user escaped user --> 'vlan2' [sql] expand: %{User-Password} -> [sql] ... expanding second conditional [sql] expand: %{Chap-Password} -> [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vlan2', '', 'Access-Accept', '2017-02-11 09:54:40') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'vlan2', '', 'Access-Accept', '2017-02-11 09:54:40') rlm_sql (sql): Reserving sql socket id: 26 rlm_sql (sql): Released sql socket id: 26 ++[sql] = ok ++[exec] = noop +} # group post-auth = ok Sending Access-Accept of id 9 to 10.4.0.3 port 58475 Tunnel-Type:0 := VLAN Tunnel-Medium-Type:0 := IEEE-802 Tunnel-Private-Group-Id:0 := "2" User-Name = "vlan2" MS-MPPE-Recv-Key = 0xc42271ac1c9ce5bd6fd9be65a9eaf0b2c9512de5a0561888d8c4443a42a3ea0e MS-MPPE-Send-Key = 0xe57e91b287bd2e2d536e08176c9a61fdaa9ae60687e59db5310af032b8c3e430 EAP-Message = 0x03700004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 9. Going to the next request Waking up in 2.0 seconds. Cleaning up request 0 ID 0 with timestamp +47 Cleaning up request 1 ID 1 with timestamp +47 Cleaning up request 2 ID 2 with timestamp +47 Cleaning up request 3 ID 3 with timestamp +47 Waking up in 2.6 seconds. Cleaning up request 4 ID 4 with timestamp +49 Cleaning up request 5 ID 5 with timestamp +49 Cleaning up request 6 ID 6 with timestamp +49 Cleaning up request 7 ID 7 with timestamp +49 Cleaning up request 8 ID 8 with timestamp +50 Cleaning up request 9 ID 9 with timestamp +50 Ready to process requests.
On 11/02/2017 17:01, Jan-Christoph Fuchs wrote:
Now I have changed to Unifi AP (Unifi Security Gateway Pro, Unifi Switch US-24 POE Unifi AP Pro) and the dynamic VLAN assignment will not work anymore. When I try to connect to the WPA2 Enterprise WLAN, credentials are accepted but I always been put to default VLAN.
Which exact model of AP? Also, are you running with 3.7.x firmware and configured with the 5.x controller? I had this working with the 1st gen Unifi Pro (the round one). But when I tried with the Unifi Pro AC (square one), it ignored the attributes. I reported the problem but didn't get any response: https://community.ubnt.com/t5/UniFi-Wireless/UAP-AC-and-dynamic-VLAN-assignm... I suspect it's a chipset difference. Try ssh'ing into your AP, and doing grep driver /etc/aaa*.cfg I think I saw "broadcom" for the Pro AC, but "atheros" for the Pro. I also now have a Unifi AC Lite (also "atheros") and that works fine: 17:32:05.943220 f8:e0:79:39:9e:6c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 360: vlan 255, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f8:e0:79:39:9e:6c, length 314
On 11/02/2017 17:34, Brian Candler wrote:
I also now have a Unifi AC Lite (also "atheros") and that works fine:
17:32:05.943220 f8:e0:79:39:9e:6c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 360: vlan 255, p 0, ethertype IPv4, 0.0.0.0.68
255.255.255.255.67: BOOTP/DHCP, Request from f8:e0:79:39:9e:6c, length 314
(accidentally sent early). Tested using: bob Cleartext-Password := "hello" Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-Id := "255"
Hi Brian, thanks for your fast reply, My AP: Unifi AP AC Pro (it is round) Version 3.4.14.3413 (I am confused, I made upgrade via Controller yesterday so firmwareversion should be 3.7.xxx) My Controller: 5.3.11 My AP seems to have the same chipset like your Unifi AP AC Lite. https://wiki.openwrt.org/toh/ubiquiti/unifiac <https://wiki.openwrt.org/toh/ubiquiti/unifiac> I am not at my site actually. I will grep driver /etc/aaa*.cfg on Tuesday. Thanks Jan
Am 11.02.2017 um 18:34 schrieb Brian Candler <b.candler@pobox.com>:
On 11/02/2017 17:01, Jan-Christoph Fuchs wrote:
Now I have changed to Unifi AP (Unifi Security Gateway Pro, Unifi Switch US-24 POE Unifi AP Pro) and the dynamic VLAN assignment will not work anymore. When I try to connect to the WPA2 Enterprise WLAN, credentials are accepted but I always been put to default VLAN.
Which exact model of AP? Also, are you running with 3.7.x firmware and configured with the 5.x controller?
I had this working with the 1st gen Unifi Pro (the round one). But when I tried with the Unifi Pro AC (square one), it ignored the attributes. I reported the problem but didn't get any response:
https://community.ubnt.com/t5/UniFi-Wireless/UAP-AC-and-dynamic-VLAN-assignm...
I suspect it's a chipset difference. Try ssh'ing into your AP, and doing
grep driver /etc/aaa*.cfg
I think I saw "broadcom" for the Pro AC, but "atheros" for the Pro.
I also now have a Unifi AC Lite (also "atheros") and that works fine:
17:32:05.943220 f8:e0:79:39:9e:6c > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 360: vlan 255, p 0, ethertype IPv4, 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f8:e0:79:39:9e:6c, length 314
On 12/02/2017 08:05, Jan-Christoph Fuchs wrote:
My AP: Unifi AP AC Pro (it is round) Version 3.4.14.3413 (I am confused, I made upgrade via Controller yesterday so firmwareversion should be 3.7.xxx)
My Controller: 5.3.11
Indeed. The 3.4 firmware is pretty ancient, and I think may be from the 4.x controller which was before when the RADIUS-assigned VLAN feature was added: https://community.ubnt.com/t5/UniFi-Updates-Blog/UniFi-4-8-18-is-released/ba... Controller 5.4.11 is now just out, and it gives firmware 3.7.39. However the 5.3.11 controller should also be fine for RADIUS-assigned VLANs. So I think you need to sort out first why your firmware isn't upgrading. Regards, Brian.
participants (2)
-
Brian Candler -
Jan-Christoph Fuchs