VLAN assigment and Alcatel Omniswitch 7800
Helo gurus. I'm new to radius, but willing to learn :) Using OpenSuSE 10.1 and freeradius-1.1.0-19 and Windows2K as AD and Alcatel Omniswitch 7800 with 802.1x and Port Mobility features enabled. I've followed the steps from: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO The authentication of WindowsXP Supplicants with EAP/PEAP is working great, now i need to assign VLANs to this setup, i've searched the list and google and found this setting for /etc/raddb/users: jose Auth-Type == EAP Tunnel-Type += VLAN, Tunnel-Medium-Type += IEEE-802, Tunnel-Private-Group-Id += 3 But the port is never assigned to VLAN 3 for the user "jose". Is it possible to assign VLAN's with Alcatel ? Do i need any extra license ? Anybody have this running ? It seems to me, that the VLAN parameters are never returned to the switch in the Access-Accept parth of this the result from radiusd -X. oxiel:/etc/raddb # radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "root" main: group = "root" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = yes mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "/usr/bin/ntlm_auth --username=%{mschap:User-Name} --request-nt-key --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "peap" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.20:1067, id=206, length=91 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 NAS-Port = 85 EAP-Message = 0x020200150153414755415041435c616d6730383731 Message-Authenticator = 0x4857fea61c5a9d66c114985dba27c8a2 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 206 to 192.168.10.20 port 1067 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d6d6f0ddf48bb99c12194dfda4a1c27 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=207, length=168 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x9d6d6f0ddf48bb99c12194dfda4a1c27 NAS-Port = 85 EAP-Message = 0x0203005019800000004616030100410100003d030145c3b7635173ec271fb507e42e9738c3b4f164ffc4085f6bac9ecda83ac963b300001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xb2fbd984a0e1f39320472d32182a9a49 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06e3], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 207 to 192.168.10.20 port 1067 EAP-Message = 0x0104040a19c000000740160301004a02000046030145c3b9289f95159048307de2e5d8706c092897f0ec1ac572005c17e96e26ec7f20a28e7c07be63f2cc73041f94a317f13932b2fbd6a5fe5871ef5c48cc5f66e0e500040016030106e30b0006df0006dc0002e3308202df30820248a003020102020104300d06092a864886f70d01010505003081ac310b300906035504061302424f311330110603550408130a53616e7461204372757a311c301a0603550407131353616e7461204372757a202d204369756461643111300f060355040a130853616775617061633111300f060355040b130853697374656d6173311630140603550403130d6164 EAP-Message = 0x6d696e6973747261746f72312c302a06092a864886f70d010901161d6d656e64657a2e616e647265734073616775617061632e636f6d2e626f301e170d3036313233303030323231335a170d3037313233303030323231335a3081a4310b300906035504061302424f311330110603550408130a53616e7461204372757a311c301a0603550407131353616e7461204372757a202d204369756461643111300f060355040a130853616775617061633111300f060355040b130853697374656d6173310e300c060355040313056f7869656c312c302a06092a864886f70d010901161d6d656e64657a2e616e647265734073616775617061632e636f6d EAP-Message = 0x2e626f30819f300d06092a864886f70d010101050003818d0030818902818100d4bffbbfb022a7f958b349e687938d4957a97ad7bcafb5809650d765d01756a5c00de2e70f2e8f85b11be4b9e5bef2f3ae9f1d3b0621c220b8797d1ed166e7d9a8ebeafd94917c202578632e6995ec7d71af019b0672b0b2954a482b2b692d8ddac2f4b90920f694eca2108d5cdf2a56819b7066ca84d93ce7daf81d9622850f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181004377bcfc4439739f4796cfe2f00c81d6ec2b59daf43c6e6d84c379e650ee50979acce1fff0f9b8ff2b5f4ea4 EAP-Message = 0xb0ecde0f2330b714b271df9698fdcd756f12cd137889646279b9a6f4ee7093e2dafaaa875395a366bbf9f874bad9f3ebab34b626168e0d0f3c2618916e2da198e8bccbd5ba4ad4e1370b00108e78beabfff3a0410003f3308203ef30820358a0030201020209009c7ed6d4d9c27eca300d06092a864886f70d01010505003081ac310b300906035504061302424f311330110603550408130a53616e7461204372757a311c301a0603550407131353616e7461204372757a202d204369756461643111300f060355040a130853616775617061633111300f060355040b130853697374656d6173311630140603550403130d61646d696e697374726174 EAP-Message = 0x6f72312c302a06092a864886f70d010901161d6d656e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3f79572080cc5e023f870a7ff061f9c0 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=208, length=94 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x3f79572080cc5e023f870a7ff061f9c0 NAS-Port = 85 EAP-Message = 0x020400061900 Message-Authenticator = 0x7b66c08480bde9c011c3ea836c8c7d4b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 208 to 192.168.10.20 port 1067 EAP-Message = 0x01050346190064657a2e616e647265734073616775617061632e636f6d2e626f301e170d3036313233303030323130395a170d3038313232393030323130395a3081ac310b300906035504061302424f311330110603550408130a53616e7461204372757a311c301a0603550407131353616e7461204372757a202d204369756461643111300f060355040a130853616775617061633111300f060355040b130853697374656d6173311630140603550403130d61646d696e6973747261746f72312c302a06092a864886f70d010901161d6d656e64657a2e616e647265734073616775617061632e636f6d2e626f30819f300d06092a864886f70d01 EAP-Message = 0x0101050003818d0030818902818100a7ac18689f583d3798fa66644e9a0779f600d95e1e22398818f6ae4e7237c9876bb1dcff55570a031544606660d7b641cd09cdd8f6d0fae1ad005631f6139ee924aa795047fc9a5ec9960fafbea87111b8a78e84b940685d65fe8ab8643ba8b43c8268198966f013a744b159786e0d7e4b47ee15777ec7c2e74dad5f055787d30203010001a382011530820111301d0603551d0e041604148e06fc719eca87d27e9e33510370513812b461ce3081e10603551d230481d93081d680148e06fc719eca87d27e9e33510370513812b461cea181b2a481af3081ac310b300906035504061302424f3113301106035504 EAP-Message = 0x08130a53616e7461204372757a311c301a0603550407131353616e7461204372757a202d204369756461643111300f060355040a130853616775617061633111300f060355040b130853697374656d6173311630140603550403130d61646d696e6973747261746f72312c302a06092a864886f70d010901161d6d656e64657a2e616e647265734073616775617061632e636f6d2e626f8209009c7ed6d4d9c27eca300c0603551d13040530030101ff300d06092a864886f70d0101050500038181004ea0901bc63f1d9e4e65fe67fca6dc432b009e35d3939dedb0c6b4910f8920a1404562099fa54a30a4169807aae290c93f2188d8b808696875ba EAP-Message = 0xab8df4968fc8672f948da1000b3a59aa766c9fa48b42a5fc5534a209c0db7bd21c1732f0377e94fe2ec09f619eb1c939d2a4275f6b812050d32901b820ff1cc88e7c0b21e5e316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x06b3a931efea56a67d3b12175eeadfc0 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=209, length=280 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x06b3a931efea56a67d3b12175eeadfc0 NAS-Port = 85 EAP-Message = 0x020500c01980000000b616030100861000008200800d59b5ba20edb2d54cd0d56be84aa6133a0b2628cd1ca03c0254343106a80a06ae14b39969a0feb9613d84a85a14917f95379ec54a8754d4808477557e179694065ac61dbe7841ae33223f2f8d1976886ca4f3b54e942c3fb697ba293a8fedf822348fd2c4c0a68505f1c6b67878d5c31cb5663fdd5e976675fce1ed3421e55c1403010001011603010020e023e4faf2cc10f4334474ed9751c5a959ffc9241ea03e2bf209c5f29cd8a2c3 Message-Authenticator = 0x11546e4b95a7e95f3dfdeb0f29124125 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 5 length 192 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 209 to 192.168.10.20 port 1067 EAP-Message = 0x0106003119001403010001011603010020f67af346039e8ee2405b3764ad5f918dfe61c4af3546e8ad1dd15bd21ca0d376 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x917ea9cbbe5c65d8ed6bff5fdcca7db7 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=210, length=94 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x917ea9cbbe5c65d8ed6bff5fdcca7db7 NAS-Port = 85 EAP-Message = 0x020600061900 Message-Authenticator = 0xa8af04dbd0c91ab153eacfb1b8b1f172 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap_peap: EAPTLS_SUCCESS modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 210 to 192.168.10.20 port 1067 EAP-Message = 0x01070020190017030100156bd5621bae4fb38c5dbe91e2c3b6c323cf23571705 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x98187c2d49a89527610d15cdff70fff3 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=211, length=132 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x98187c2d49a89527610d15cdff70fff3 NAS-Port = 85 EAP-Message = 0x0207002c19001703010021016436b91df2958d8e27a515af65591aa2c33e93d338a338ff2c309d65ff914296 Message-Authenticator = 0xaaadbac57d1774f3ce893f338f253858 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 44 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - MYDOMAIN\jose rlm_eap_peap: Tunneled data is valid. PEAP: Got tunneled identity of MYDOMAIN\jose PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to MYDOMAIN\jose Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 7 length 21 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 211 to 192.168.10.20 port 1067 EAP-Message = 0x010800411900170301003630ab9d3435ef1d9c7dc7e6f242cd9270664e0e0fb207b960deb02b81bcd1b744a3888a0a56fe498640433309cac513a1bf3aa1674bde Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7a92e7a96eacd44d4fd1ff63e908e9e2 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=212, length=186 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x7a92e7a96eacd44d4fd1ff63e908e9e2 NAS-Port = 85 EAP-Message = 0x0208006219001703010057df9dbbc7ef4684b090bdc706cd290f6f1fef65e3cdbb93aa0b1577dede1e9be3922c12e5af05e556bd3f9802d88d1c591ae180857fc263931b085e38adfdfe9d52508d6475a8b1b95de28fcd44329a3c916a40863eb07d Message-Authenticator = 0xcefaa60b5f32ef01b79a062ee8e8f3fe Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 98 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to MYDOMAIN\jose PEAP: Adding old state with 3c ec Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 8 length 75 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password. rlm_mschap: No User-Password configured. Cannot create NT-Password. rlm_mschap: Told to do MS-CHAPv2 for jose with NT-Password radius_xlat: Running registered xlat function of module mschap for string 'User-Name' radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain' radius_xlat: Running registered xlat function of module mschap for string 'Challenge' mschap2: a9 radius_xlat: Running registered xlat function of module mschap for string 'NT-Response' radius_xlat: '/usr/bin/ntlm_auth --username=jose --request-nt-key --domain=MYDOMAIN --challenge=23482ae45d3e185d --nt-response=144c32fdf284bad9c7d9d789db878b80428eaa7ad9ae1a42' Exec-Program: /usr/bin/ntlm_auth --username=jose --request-nt-key --domain=MYDOMAIN --challenge=23482ae45d3e185d --nt-response=144c32fdf284bad9c7d9d789db878b80428eaa7ad9ae1a42 Exec-Program output: NT_KEY: 0A83D7C2B162B94C31CE636B6CA6ECCC Exec-Program-Wait: plaintext: NT_KEY: 0A83D7C2B162B94C31CE636B6CA6ECCC Exec-Program: returned: 0 rlm_mschap: adding MS-CHAPv2 MPPE keys modcall[authenticate]: module "mschap" returns ok for request 6 modcall: leaving group MS-CHAP (returns ok) for request 6 MSCHAP Success modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 PEAP: Got tunneled Access-Challenge modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 212 to 192.168.10.20 port 1067 EAP-Message = 0x0109004a1900170301003fb564a89db69f923da3b09305d5b6869317541502643d9f145c8d9a34b6b85d9665ebfc45825ac25a188472d3c2f691811a34f54f2d7b08242e961c2592bc38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3be7bff9e8a4a52effea7ebb58c23d24 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=213, length=117 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x3be7bff9e8a4a52effea7ebb58c23d24 NAS-Port = 85 EAP-Message = 0x0209001d19001703010012f357dcf3cd2394e7337a3b0eaaa702c74609 Message-Authenticator = 0x022702d1f3f76c72f2b4d875449abc97 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 29 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 rlm_eap_peap: Tunneled data is valid. PEAP: Setting User-Name to MYDOMAIN\jose PEAP: Adding old state with 6b 13 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 9 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 7 modcall: leaving group authenticate (returns ok) for request 7 PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 213 to 192.168.10.20 port 1067 EAP-Message = 0x010a00261900170301001b37f4320b69bebda8e841f4a55f6b41d84be0b529cb34d5a4357b38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5597f1b859aff68c52dff25df3151a93 Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.10.20:1067, id=214, length=126 User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 State = 0x5597f1b859aff68c52dff25df3151a93 NAS-Port = 85 EAP-Message = 0x020a00261900170301001beac5a6d4d8702084479528a2ebd32267a4b66e9fbfef2b28315132 Message-Authenticator = 0x1f655acb0e50dfe0dd70edac651c8093 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 10 length 38 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 161 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Tunneled data is valid. rlm_eap_peap: Success rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 214 to 192.168.10.20 port 1067 MS-MPPE-Recv-Key = 0x0206f3af33e5e4224da7e663dfc79d8ff204c559d839a39343e1c91ad4198502 MS-MPPE-Send-Key = 0xae765f9bcca046bb7be43f55bbb5673120009c23275ed77f1526cef3639e3272 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "MYDOMAIN\\jose" Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Accounting-Request packet from host 192.168.10.20:1067, id=215, length=82 Acct-Status-Type = Start User-Name = "MYDOMAIN\\jose" NAS-IP-Address = 192.168.10.20 Acct-Session-Id = "0015c5551a97" NAS-Port = 85 Xylan-Slot-Port = "3/17" Processing the preacct section of radiusd.conf modcall: entering group preacct for request 9 modcall[preacct]: module "preprocess" returns noop for request 9 rlm_acct_unique: Hashing 'NAS-Port = 85,Client-IP-Address = 192.168.10.20,NAS-IP-Address = 192.168.10.20,Acct-Session-Id = "0015c5551a97",User-Name = "MYDOMAIN\\jose"' rlm_acct_unique: Acct-Unique-Session-ID = "eed7faa245223d13". modcall[preacct]: module "acct_unique" returns ok for request 9 rlm_realm: No '@' in User-Name = "MYDOMAIN\jose", looking up realm NULL rlm_realm: No such realm "NULL" modcall[preacct]: module "suffix" returns noop for request 9 modcall[preacct]: module "files" returns noop for request 9 modcall: leaving group preacct (returns ok) for request 9 Processing the accounting section of radiusd.conf modcall: entering group accounting for request 9 radius_xlat: '/var/log/radius/radacct/192.168.10.20/detail-20070202' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.10.20/detail-20070202 modcall[accounting]: module "detail" returns ok for request 9 modcall[accounting]: module "unix" returns ok for request 9 radius_xlat: '/var/log/radius/radutmp' radius_xlat: 'MYDOMAIN\\jose' modcall[accounting]: module "radutmp" returns ok for request 9 modcall: leaving group accounting (returns ok) for request 9 Sending Accounting-Response of id 215 to 192.168.10.20 port 1067 Finished request 9 Going to the next request Cleaning up request 9 ID 215 with timestamp 45c3b928 Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 206 with timestamp 45c3b928 Cleaning up request 1 ID 207 with timestamp 45c3b928 Cleaning up request 2 ID 208 with timestamp 45c3b928 Cleaning up request 3 ID 209 with timestamp 45c3b928 Cleaning up request 4 ID 210 with timestamp 45c3b928 Cleaning up request 5 ID 211 with timestamp 45c3b928 Cleaning up request 6 ID 212 with timestamp 45c3b928 Cleaning up request 7 ID 213 with timestamp 45c3b928 Cleaning up request 8 ID 214 with timestamp 45c3b928 Nothing to do. Sleeping until we see a request. Thanks and best regards to all of you. Oxiel Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
Oxiel Contreras wrote: The authentication of WindowsXP Supplicants with EAP/PEAP is working great,
now i need to assign VLANs to this setup, i've searched the list and google and found this setting for /etc/raddb/users:
jose Auth-Type == EAP
Don't set Auth-Type. Ever.
Tunnel-Type += VLAN, Tunnel-Medium-Type += IEEE-802, Tunnel-Private-Group-Id += 3
But the port is never assigned to VLAN 3 for the user "jose".
Because that information isn't being sent back to the NAS.
Is it possible to assign VLAN's with Alcatel ?
I presume so. See the Alacatel documentation.
It seems to me, that the VLAN parameters are never returned to the switch in the Access-Accept parth of this the result from radiusd -X.
Yes. The username in the request is "MYDOMAIN\\jose", not "jose". Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hello Alan. Thank you, as you adviced i've changed users file, now it's : "MYDOMAIN\\jose" Tunnel-Type += VLAN, Tunnel-Medium-Type += IEEE-802, Tunnel-Private-Group-Id += 3 The Access-Accept part of radiusd -X is now sending the switch the correct information: modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 1 to 192.168.10.20 port 1068 Tunnel-Type:0 += VLAN Tunnel-Medium-Type:0 += IEEE-802 Tunnel-Private-Group-Id:0 += "3" MS-MPPE-Recv-Key = 0x2c003c698c883936e741aeed8974f40eb012d38af20400bdd0815dac46dc2e0b MS-MPPE-Send-Key = 0x92807250a6760157aa6a39f9a05239c3d28bce8c5b7dc3563bd2ddc7cae2893e EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "MYDOMAIN\\jose" Finished request 8 But still the VLAN is not assigned, what else can it be ? Best regards. Oxiel
Don't set Auth-Type. Ever.
Tunnel-Type += VLAN, Tunnel-Medium-Type += IEEE-802, Tunnel-Private-Group-Id += 3
But the port is never assigned to VLAN 3 for the user "jose".
Because that information isn't being sent back to the NAS.
Is it possible to assign VLAN's with Alcatel ?
I presume so. See the Alacatel documentation.
It seems to me, that the VLAN parameters are never returned to the
switch in
the Access-Accept parth of this the result from radiusd -X.
Yes. The username in the request is "MYDOMAIN\\jose", not "jose". Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
On Thu, 8 Feb 2007, Oxiel Contreras wrote:
The Access-Accept part of radiusd -X is now sending the switch the correct information:
modcall[authenticate]: module "eap" returns ok for request 8 modcall: leaving group authenticate (returns ok) for request 8 Sending Access-Accept of id 1 to 192.168.10.20 port 1068 Tunnel-Type:0 += VLAN Tunnel-Medium-Type:0 += IEEE-802 Tunnel-Private-Group-Id:0 += "3" MS-MPPE-Recv-Key = 0x2c003c698c883936e741aeed8974f40eb012d38af20400bdd0815dac46dc2e0b MS-MPPE-Send-Key = 0x92807250a6760157aa6a39f9a05239c3d28bce8c5b7dc3563bd2ddc7cae2893e EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "MYDOMAIN\\jose" Finished request 8
But still the VLAN is not assigned, what else can it be ?
Have you checked the documentation for the Omniswitch to verify that it supports this? If I send back the same attributes on my wireless access points, it works perfectly (we do this in production). The AP's, however, support that. -j -- Jeremy L. Gaddis, MCP, GCWN jeremy@linuxwiz.net LinuxWiz Consulting http://linuxwiz.net
Hello Jeremy.
Have you checked the documentation for the Omniswitch to verify that it supports this? If I send back the same attributes on my wireless access points, it works perfectly (we do this in production). The AP's, however, support that.
I'll check it again, it's became difficult to talk to tech support from Alcatel, in the mean time they've told me that i'll need some sort of license to support vlan assignment, i think they call it "Authenticated VLAN", even more, they've suggested me another radius server "Steel-Belted Radius" from Funk Software which now happens to be part of Juniper, disgusting ... , i'm reluclant to use it, i'm starting to learn a lot with freeradius, and won't change it. If it's true, i wonder why this brand (and model) of switch, been so expensive, needs an extra license to do something which is free with others (cisco, 3com, etc ) ? Well i'm dissappointed, maybe someone from Alcatel could give me a better explanation. Best regards to all of you. Oxiel Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
Hello!
Have you checked the documentation for the Omniswitch to verify that it supports this? If I send back the same attributes on my wireless access points, it works perfectly (we do this in production). The AP's, however, support that.
I'll check it again, it's became difficult to talk to tech support from Alcatel, in the mean time they've told me that i'll need some sort of license to support vlan assignment, i think they call it "Authenticated VLAN", even more,
I suggest you look into chapter 22 of your 7700/7800/8800 Network Configuration Guide, where dot1x is explained. Somewhere in the first few pages of this chapter is an explanation of assigning users to VLANs based on RADIUS authentication. Authenticated VLAN appears to be something completely different (although it uses RADIUS and assigns VLANs to users, the methods are different, probably more like a captive portal). It looks like you'll need to provide the VLAN number in a VSA (see chapter 20).
Well i'm dissappointed, maybe someone from Alcatel could give me a better explanation.
Because I work at Alcatel-Lucent (as you can probably see from my e-mail address), a big fat disclaimer is in place: This mail does not represent Alcatel-Lucent in any way. Everything I have written in this mail is either my opinion or information I interpreted from publically available documents (I found the manuals through Google on a server that, judging from its name, is open for public access). I don't work in a department that has anything to do with Omniswitches and have not used them myself. Because of that, this information may be inaccurate or even plain wrong, Alcatel-Lucent is not responsible for the accuracy of this information. I'm just trying to be helpful here based on what I know. Gtnx Marcel
Hello Marcel
I suggest you look into chapter 22 of your 7700/7800/8800 Network Configuration Guide, where dot1x is explained. Somewhere in the first few pages of this chapter is an explanation of assigning users to VLANs based on RADIUS authentication. Authenticated VLAN appears to be something completely different (although it uses RADIUS and assigns VLANs to users, the methods are different, probably more like a captive portal). It looks like you'll need to provide the VLAN number in a VSA (see chapter 20).
I did read it, that's why i began to try this setup at the first place, but i've to confess my ignorance about the VSA topic, didn't understand it completely until recently, thanks a lot for your help.
Because I work at Alcatel-Lucent (as you can probably see from my e-mail address), a big fat disclaimer is in place: This mail does not represent Alcatel-Lucent in any way. Everything I have written in this mail is either my opinion or information I interpreted from publically available documents (I found the manuals through Google on a server that, judging from its name, is open for public access). I don't work in a department that has anything to do with Omniswitches and have not used them myself. Because of that, this information may be inaccurate or even plain wrong, Alcatel-Lucent is not responsible for the accuracy of this information. I'm just trying to be helpful here based on what I know.
Indeed you were right, and i was wrong, at least according to what i was told from support at first consult. For your tranquillity and my happiness :) it happens that no licenses were needed to support this task, i'll let you know what is the final setup and solution. Thanks for your help again. Best regards Oxiel Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
You can not use the standard attributes : Tunnel-Type:0 += VLAN Tunnel-Medium-Type:0 += IEEE-802 Tunnel-Private-Group-Id:0 += "3" The VSA for Alcatel switches is Alcatel-Auth-Group, that is why you should check the user manual. I think they will use the standard attributes in next release. Santa Yeh Oxiel Contreras ??:
Hello Jeremy.
Have you checked the documentation for the Omniswitch to verify that it supports this? If I send back the same attributes on my wireless access points, it works perfectly (we do this in production). The AP's, however, support that.
I'll check it again, it's became difficult to talk to tech support from Alcatel, in the mean time they've told me that i'll need some sort of license to support vlan assignment, i think they call it "Authenticated VLAN", even more, they've suggested me another radius server "Steel-Belted Radius" from Funk Software which now happens to be part of Juniper, disgusting ... , i'm reluclant to use it, i'm starting to learn a lot with freeradius, and won't change it.
If it's true, i wonder why this brand (and model) of switch, been so expensive, needs an extra license to do something which is free with others (cisco, 3com, etc ) ?
Well i'm dissappointed, maybe someone from Alcatel could give me a better explanation.
Best regards to all of you.
Oxiel Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Santa. El Domingo, 11 de Febrero de 2007 22:57, Santa Yeh escribió:
You can not use the standard attributes :
Tunnel-Type:0 += VLAN Tunnel-Medium-Type:0 += IEEE-802 Tunnel-Private-Group-Id:0 += "3"
The VSA for Alcatel switches is Alcatel-Auth-Group, that is why you should check the user manual.
I've added the Alcatel-Auth-Group attribute to dictionary.alcatel like these: ATTRIBUTE Alcatel-Auth-Group 134 integer and modified users file like these: Tunnel-Type += 13, Tunnel-Medium-Type += 6, Alcatel-Auth-Group += 3 now i see the Access-Accept part of the log which is sent it with the attribute, but nothing happens. Sending Access-Accept of id 181 to 192.168.10.20 port 1074 Tunnel-Type:0 += VLAN Tunnel-Medium-Type:0 += IEEE-802 Alcatel-Auth-Group += 3 MS-MPPE-Recv-Key = 0xc90404d5af28944ae97417b2336cf56e204fe5afab5c7c7e7e50045ec24473b3 MS-MPPE-Send-Key = 0xc990b966cc4bed66c7be062e54795ddb253efe28c8426ecbb298d302c64b9359 EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "MYDOMAIN\\jose" Finished request 8 Could you please pass me the relevant parts of your switch setup ? vlan port mobile vlan authentication aaa Is it necessary to defina vlan rules on the switch in order to move the mobile port to the vlan designed with Alcatel-Auth-Group ? Thanks and best regards Oxiel Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
Hi Oxiel!
I've added the Alcatel-Auth-Group attribute to dictionary.alcatel like these:
ATTRIBUTE Alcatel-Auth-Group 134 integer
and modified users file like these:
Tunnel-Type += 13, Tunnel-Medium-Type += 6, Alcatel-Auth-Group += 3
I'm afraid you added it in the wrong place, dictionary.alcatel does not contain the VSAs for Omniswitches (Alcatel-Lucent has multiple dictionaries for different products, dictionary.alcatel appears to be for a BRAS, not for an enterprise switch). The dictionary you're looking for is dictionary.xylan; the easiest way is to use Xylan-Auth-Group for sending your VLAN (The name isn't really that important, what is important is that the number for the attribute is correct (1 in this case) and that it is defined with the proper vendor number (800 for Omniswitches)). Gtnx Marcel (The disclaimer again, just to prevent trouble) This mail does not represent Alcatel-Lucent in any way. Everything I have written in this mail is either my opinion or information I interpreted from publically available documents (I found the manuals through Google on a server that, judging from its name, is open for public access). I don't work in a department that has anything to do with Omniswitches and have not used them myself. Because of that, this information may be inaccurate or even plain wrong, Alcatel-Lucent is not responsible for the accuracy of this information. I'm just trying to be helpful here based on what I know.
Hello Marcel.
I'm afraid you added it in the wrong place, dictionary.alcatel does not contain the VSAs for Omniswitches (Alcatel-Lucent has multiple dictionaries for different products, dictionary.alcatel appears to be for a BRAS, not for an enterprise switch). The dictionary you're looking for is dictionary.xylan; the easiest way is to use Xylan-Auth-Group for sending your VLAN (The name isn't really that important, what is important is that the number for the attribute is correct (1 in this case) and that it is defined with the proper vendor number (800 for Omniswitches)).
Right, indeed used Xylan-Auth-Group and worked perfectly, i'm so happy a tear fell down :) Many thanks. Oxiel Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
Hello Oxiel, Are you doing AVLAN or 802.1x? 1. I created a new file - dictionary.alcatel # # dictionary.alcatel # # Alcatel VSAs # VENDOR Alcatel 800 # # Standard attribute # ATTRIBUTE Alcatel-Auth-Group 1 integer Alcatel ATTRIBUTE Alcatel-Slot-Port 2 string Alcatel ATTRIBUTE Alcatel-Time-of-Day 3 string Alcatel ATTRIBUTE Alcatel-Client-IP-Addr 4 ipaddr Alcatel ATTRIBUTE Alcatel-Group-Desc 5 string Alcatel ATTRIBUTE Alcatel-Port-Desc 6 string Alcatel VALUE Acct-Authentic AUTH-AVCLIENT 4 VALUE Acct-Authentic AUTH-TELNET 5 VALUE Acct-Authentic AUTH-HTTP 6 2. For users file user1 Auth-Type := Local, Password = "user1" Alcatel-Auth-Group = 3 3. For AVLAN vlan 3 authentication enable vlan port mobile 1/1 bpdu ignore enable vlan port 1/1 authenticate enable ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3 aaa radius-server rad1 host 192.168.10.211 key radkey aaa authentication vlan single-mode rad1 aaa accounting vlan rad1 aaa avlan default dhcp 192.168.11.254 aaa avlan dns alcatel avlan 3 auth-ip 192.168.11.253 4. For 802.1x (Sorry, just from my memory) vlan 3 802.1x enable vlan port mobile 1/1 bpdu ignore enable vlan port 1/1 802.1x enable ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3 aaa radius-server rad1 host 192.168.10.211 key radkey aaa authentication 802.1x rad1 aaa accounting 802/1x rad1 Regards, Santa Yeh Oxiel Contreras ??:
Hello Santa.
El Domingo, 11 de Febrero de 2007 22:57, Santa Yeh escribió:
You can not use the standard attributes :
Tunnel-Type:0 += VLAN Tunnel-Medium-Type:0 += IEEE-802 Tunnel-Private-Group-Id:0 += "3"
The VSA for Alcatel switches is Alcatel-Auth-Group, that is why you should check the user manual.
I've added the Alcatel-Auth-Group attribute to dictionary.alcatel like these:
ATTRIBUTE Alcatel-Auth-Group 134 integer
and modified users file like these:
Tunnel-Type += 13, Tunnel-Medium-Type += 6, Alcatel-Auth-Group += 3
now i see the Access-Accept part of the log which is sent it with the attribute, but nothing happens.
Sending Access-Accept of id 181 to 192.168.10.20 port 1074 Tunnel-Type:0 += VLAN Tunnel-Medium-Type:0 += IEEE-802 Alcatel-Auth-Group += 3 MS-MPPE-Recv-Key = 0xc90404d5af28944ae97417b2336cf56e204fe5afab5c7c7e7e50045ec24473b3 MS-MPPE-Send-Key = 0xc990b966cc4bed66c7be062e54795ddb253efe28c8426ecbb298d302c64b9359 EAP-Message = 0x030d0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "MYDOMAIN\\jose" Finished request 8
Could you please pass me the relevant parts of your switch setup ?
vlan port mobile vlan authentication aaa
Is it necessary to defina vlan rules on the switch in order to move the mobile port to the vlan designed with Alcatel-Auth-Group ?
Thanks and best regards
Oxiel Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello Santa. This worked great!!! I was doing 802.1x only, no AVLAN. For any soul out there trying to implement 802.1x with FreeRadius on OpenSuSE10.1 and Omniswitch 7800 and Active Directory as taught on: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO Take note of the following points: 1) If you use PEAP, install the patch from MS to Radius as noted on the FAQ, you need someone with Gold Support from M$ to get it or email me off the list :) http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ#PEAP_Doesn.27t_Work 2) If PEAP is your election, install the CA and generate the certificates on the Radius server. 3) Modify the permissions of execution for the winbind daemon in order to acomplish the ntlm_auth process, FIXME, now using root permissions. 4) Use Xylan-Auth-Group as VSA in /etc/raddb/users as the attribute for assigning VLAN, or generate the new dictionary.alcatel as Santa Yeh described below, and then use Alcatel-Auth-Group as the attribute for VLAN 5) Use the setup for omniswitch as described below by Santa Yeh 6) Thank all these great people who develop and support this great software. Thanks Alan, A.L.M., Jeremy, Marcel and Santa. Best regards Oxiel El Miércoles, 14 de Febrero de 2007 11:19, Santa Yeh escribió:
Hello Oxiel,
Are you doing AVLAN or 802.1x?
1. I created a new file - dictionary.alcatel
# # dictionary.alcatel # # Alcatel VSAs #
VENDOR Alcatel 800
# # Standard attribute # ATTRIBUTE Alcatel-Auth-Group 1 integer Alcatel ATTRIBUTE Alcatel-Slot-Port 2 string Alcatel ATTRIBUTE Alcatel-Time-of-Day 3 string Alcatel ATTRIBUTE Alcatel-Client-IP-Addr 4 ipaddr Alcatel ATTRIBUTE Alcatel-Group-Desc 5 string Alcatel ATTRIBUTE Alcatel-Port-Desc 6 string Alcatel
VALUE Acct-Authentic AUTH-AVCLIENT 4 VALUE Acct-Authentic AUTH-TELNET 5 VALUE Acct-Authentic AUTH-HTTP 6
2. For users file
user1 Auth-Type := Local, Password = "user1" Alcatel-Auth-Group = 3
3. For AVLAN
vlan 3 authentication enable vlan port mobile 1/1 bpdu ignore enable vlan port 1/1 authenticate enable ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3 aaa radius-server rad1 host 192.168.10.211 key radkey aaa authentication vlan single-mode rad1 aaa accounting vlan rad1 aaa avlan default dhcp 192.168.11.254 aaa avlan dns alcatel avlan 3 auth-ip 192.168.11.253
4. For 802.1x (Sorry, just from my memory)
vlan 3 802.1x enable vlan port mobile 1/1 bpdu ignore enable vlan port 1/1 802.1x enable ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3 aaa radius-server rad1 host 192.168.10.211 key radkey aaa authentication 802.1x rad1 aaa accounting 802/1x rad1 Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
Hi Oxiel Please update the HOWTO and possibly the FAQ with your comments. Regards Peter On Thu 15 Feb 2007 04:30, Oxiel Contreras wrote:
Hello Santa.
This worked great!!!
I was doing 802.1x only, no AVLAN.
For any soul out there trying to implement 802.1x with FreeRadius on OpenSuSE10.1 and Omniswitch 7800 and Active Directory as taught on:
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
Take note of the following points:
1) If you use PEAP, install the patch from MS to Radius as noted on the FAQ, you need someone with Gold Support from M$ to get it or email me off the list :)
http://wiki.freeradius.org/FreeRADIUS_Wiki:FAQ#PEAP_Doesn.27t_Work
2) If PEAP is your election, install the CA and generate the certificates on the Radius server.
3) Modify the permissions of execution for the winbind daemon in order to acomplish the ntlm_auth process, FIXME, now using root permissions.
4) Use Xylan-Auth-Group as VSA in /etc/raddb/users as the attribute for assigning VLAN, or generate the new dictionary.alcatel as Santa Yeh described below, and then use Alcatel-Auth-Group as the attribute for VLAN
5) Use the setup for omniswitch as described below by Santa Yeh
6) Thank all these great people who develop and support this great software.
Thanks Alan, A.L.M., Jeremy, Marcel and Santa.
Best regards
Oxiel
El Miércoles, 14 de Febrero de 2007 11:19, Santa Yeh escribió:
Hello Oxiel,
Are you doing AVLAN or 802.1x?
1. I created a new file - dictionary.alcatel
# # dictionary.alcatel # # Alcatel VSAs #
VENDOR Alcatel 800
# # Standard attribute # ATTRIBUTE Alcatel-Auth-Group 1 integer Alcatel ATTRIBUTE Alcatel-Slot-Port 2 string Alcatel ATTRIBUTE Alcatel-Time-of-Day 3 string Alcatel ATTRIBUTE Alcatel-Client-IP-Addr 4 ipaddr Alcatel ATTRIBUTE Alcatel-Group-Desc 5 string Alcatel ATTRIBUTE Alcatel-Port-Desc 6 string Alcatel
VALUE Acct-Authentic AUTH-AVCLIENT 4 VALUE Acct-Authentic AUTH-TELNET 5 VALUE Acct-Authentic AUTH-HTTP 6
2. For users file
user1 Auth-Type := Local, Password = "user1" Alcatel-Auth-Group = 3
3. For AVLAN
vlan 3 authentication enable vlan port mobile 1/1 bpdu ignore enable vlan port 1/1 authenticate enable ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3 aaa radius-server rad1 host 192.168.10.211 key radkey aaa authentication vlan single-mode rad1 aaa accounting vlan rad1 aaa avlan default dhcp 192.168.11.254 aaa avlan dns alcatel avlan 3 auth-ip 192.168.11.253
4. For 802.1x (Sorry, just from my memory)
vlan 3 802.1x enable vlan port mobile 1/1 bpdu ignore enable vlan port 1/1 802.1x enable ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3 aaa radius-server rad1 host 192.168.10.211 key radkey aaa authentication 802.1x rad1 aaa accounting 802/1x rad1
Chiacchiera con i tuoi amici in tempo reale! http://it.yahoo.com/mail_it/foot/*http://it.messenger.yahoo.com
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Peter Nixon http://www.peternixon.net/ PGP Key: http://www.peternixon.net/public.asc
participants (6)
-
Alan DeKok -
Gaddis, Jeremy L. -
Marcel.De_Boer@alcatel-lucent.be -
Oxiel Contreras -
Peter Nixon -
Santa Yeh