Hallo, I have a problem with the authentication on different VLAN. I write for you my example: I have two VLAN (VLAN1 and VLAN2) conneccted to two SSID (SSID1 and SSID2) on my Cisco 1200 AP. I have the same authentication on both connection (EAP-TLS). In my users file I have two user: user1 Auth-Type := EAP Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN user2 Auth-Type := EAP Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN the authentication works fine but , for example, if I connect the WinXP client on the SSID1 with the certificate user of the VLAN2, I have this situation: The client is connected to the VLAN2 but the SSID of the wireless connection is SSID1. It is possible to prevent the connection to the select SSID if the certificate of the user is incorrect? Thanks, bye
Yes, just use the Cisco AV Pair to say user1 Auth-Type := EAP, Cisco-AVPair := "SSID=SSID1" user2 Auth-Type := EAP, Cisco-AVPair := "SSID=SSID2" That would force user1 to only associate to SSID1 and user2 to only associate to SSID2. You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = "SSID=SSIDn" back to the AP and if it doesn't match, then it can locally fail to authorize the user. Rgds, Guy On 29/03/06, Antonio Matera <antonio.matera@create-net.it> wrote:
Hallo, I have a problem with the authentication on different VLAN.
I write for you my example:
I have two VLAN (VLAN1 and VLAN2) conneccted to two SSID (SSID1 and SSID2) on my Cisco 1200 AP. I have the same authentication on both connection (EAP-TLS).
In my users file I have two user:
user1 Auth-Type := EAP Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN
user2 Auth-Type := EAP Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN
the authentication works fine but , for example, if I connect the WinXP client on the SSID1 with the certificate user of the VLAN2, I have this situation: The client is connected to the VLAN2 but the SSID of the wireless connection is SSID1.
It is possible to prevent the connection to the select SSID if the certificate of the user is incorrect?
Thanks, bye - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--On Wednesday, March 29, 2006 09:11:13 +0100 Guy Davies <aguydavies@gmail.com> wrote:
You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = "SSID=SSIDn" back to the AP and if it doesn't match, then it can locally fail to authorize the user.
I don't think 1200's do send the attribute by default in the access-request. To make it do so, use this command: radius-server vsa send authentication Regards, James -- James J J Hooper, Information Services University of Bristol --
Hallo, thanks for the replies. If I insert only the Cisco-AVPair attribute, it doesn't work... Now I try the "radius-server vsa send authentication" command... It is a AP console command? It is possible to set this command from the AP web interface? I haven't experience with the console setting.... Another question: Where can I find the list of the user attributes for freeradius? Here http://www.freeradius.org/rfc/attributes.html for example I can't find the Cisco-AVPair attribute... Thanks a lot Bye Antonio James J J Hooper ha scritto:
--On Wednesday, March 29, 2006 09:11:13 +0100 Guy Davies <aguydavies@gmail.com> wrote:
You *may* need to change them from being check attributes to reply attributes if your AP doesn't actually send those attributes with an Access-Request. In that case, you send the Cisco-AVPair = "SSID=SSIDn" back to the AP and if it doesn't match, then it can locally fail to authorize the user.
I don't think 1200's do send the attribute by default in the access-request. To make it do so, use this command: radius-server vsa send authentication
Regards, James
-- James J J Hooper, Information Services University of Bristol -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- ---------------------------------------------- Antonio Matera CREATE-NET Via Solteri, 38 - 38100 Trento e-mail: antonio.matera@create-net.it phone: +39 0461 408400 ext. 305 fax: +39 0461 421157 www.create-net.org ----------------------------------------------
--On Wednesday, March 29, 2006 12:20:57 +0200 Antonio Matera <antonio.matera@create-net.it> wrote:
Hallo, thanks for the replies. If I insert only the Cisco-AVPair attribute, it doesn't work...
Now I try the "radius-server vsa send authentication" command... It is a AP console command? It is possible to set this command from the AP web interface? I haven't experience with the console setting....
yes, either at the console or go to this url: <https://YOUR-ACCESS-POINT-ADDRESS/level/15/configure/-/radius-server/vsa/send/authentication/CR> (you may need to use http instead of https) Regards, James -- James J J Hooper, Information Services University of Bristol --
The Cisco-AVPair mechanism is a mutation of the standard VSA mechanism. Cisco uses a single Vendor ID but wanted to use many VSAs. The limit with a single Vendor ID is 255 (IIRC). So, Cisco's Vendor Specific Attribute number 1 is "Cisco-AVPair". They then create "sub-VSAs" within that VSA using the textual syntax Cisco-AVPair="Sub-VSA-name=Sub-VSA-value" To get a list of relevant VSAs, you really need to refer to Cisco's documentation. Rgds, Guy On 29/03/06, James J J Hooper <jjj.hooper@bristol.ac.uk> wrote:
--On Wednesday, March 29, 2006 12:20:57 +0200 Antonio Matera <antonio.matera@create-net.it> wrote:
Hallo, thanks for the replies. If I insert only the Cisco-AVPair attribute, it doesn't work...
Now I try the "radius-server vsa send authentication" command... It is a AP console command? It is possible to set this command from the AP web interface? I haven't experience with the console setting....
yes, either at the console or go to this url: <https://YOUR-ACCESS-POINT-ADDRESS/level/15/configure/-/radius-server/vsa/send/authentication/CR>
(you may need to use http instead of https)
Regards, James
-- James J J Hooper, Information Services University of Bristol -- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hallo, now I have the users configured as follow: user1 Auth-Type := EAP Cisco-AVPair := "ssid=SSID1", Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN user2 Auth-Type := EAP Cisco-AVPair := "ssid=SSID2", Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN The AP has the radius-server vsa send authentication, but when I connect for example to the SSID2 using user1, radius write this log for a big number of request: rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, length=137 User-Name = "user1" Framed-MTU = 1400 Called-Station-Id = "xxxx.xxxx.xxxx" Calling-Station-Id = "xxxx.xxxx.xxxx" Service-Type = Login-User Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746 EAP-Message = 0x020600060d00 NAS-Port-Type = Wireless-802.11 NAS-Port = 1215 State = 0x15f928ed12d8d4d1a278530b6dd26c21 NAS-IP-Address = 192.168.9.104 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 53 modcall[authorize]: module "preprocess" returns ok for request 53 modcall[authorize]: module "mschap" returns noop for request 53 rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 53 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 53 users: Matched entry user1 at line 14 modcall[authorize]: module "files" returns ok for request 53 modcall: leaving group authorize (returns updated) for request 53 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 53 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 53 modcall: leaving group authenticate (returns ok) for request 53 Login OK: [user1/<no User-Password attribute>] (from client ap-test port 1215 cli 000c.f135.f1ba) Sending Access-Accept of id 167 to 192.168.9.104 port 1645 Cisco-AVPair := "ssid=SSID1" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011 MS-MPPE-Send-Key = 0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user1" Finished request 53 The XP client tell that the SSID2 is connected, but if I try to navigate on the VLAN1 or VLAN2 i can't do it. Why the radius receive a big number of request from the client and it doesn't sent a failed authorization? It is possible to eliminate the requests after the first? It is possible to send to the XP client a failed authorization? At the moment the client doesn't understand if it is or isn't connected to the SSID. Thanks a lot for your time Bye Antonio
Hi Antonio, If you're using the Cisco-AVPair as a check item, it *must* be on the first line of the user entry. e.g. user1 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1" ... reply items here, one per line... If you want to configure it as a reply item, it should be... Cisco-AVPair = "ssid=SSID1" NOTE: =, not := for the reply item. Rgds, Guy On 29/03/06, Antonio Matera <antonio.matera@create-net.it> wrote:
Hallo, now I have the users configured as follow:
user1 Auth-Type := EAP Cisco-AVPair := "ssid=SSID1", Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN
user2 Auth-Type := EAP Cisco-AVPair := "ssid=SSID2", Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN
The AP has the radius-server vsa send authentication, but when I connect for example to the SSID2 using user1, radius write this log for a big number of request:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, length=137 User-Name = "user1" Framed-MTU = 1400 Called-Station-Id = "xxxx.xxxx.xxxx" Calling-Station-Id = "xxxx.xxxx.xxxx" Service-Type = Login-User Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746 EAP-Message = 0x020600060d00 NAS-Port-Type = Wireless-802.11 NAS-Port = 1215 State = 0x15f928ed12d8d4d1a278530b6dd26c21 NAS-IP-Address = 192.168.9.104 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 53 modcall[authorize]: module "preprocess" returns ok for request 53 modcall[authorize]: module "mschap" returns noop for request 53 rlm_realm: No '@' in User-Name = "user1", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 53 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 53 users: Matched entry user1 at line 14 modcall[authorize]: module "files" returns ok for request 53 modcall: leaving group authorize (returns updated) for request 53 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 53 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 53 modcall: leaving group authenticate (returns ok) for request 53 Login OK: [user1/<no User-Password attribute>] (from client ap-test port 1215 cli 000c.f135.f1ba) Sending Access-Accept of id 167 to 192.168.9.104 port 1645 Cisco-AVPair := "ssid=SSID1" Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011 MS-MPPE-Send-Key = 0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user1" Finished request 53
The XP client tell that the SSID2 is connected, but if I try to navigate on the VLAN1 or VLAN2 i can't do it.
Why the radius receive a big number of request from the client and it doesn't sent a failed authorization? It is possible to eliminate the requests after the first? It is possible to send to the XP client a failed authorization? At the moment the client doesn't understand if it is or isn't connected to the SSID.
Thanks a lot for your time Bye Antonio - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Antonio Matera <antonio.matera@create-net.it> wrote:
the authentication works fine but , for example, if I connect the WinXP client on the SSID1 with the certificate user of the VLAN2, I have this situation: The client is connected to the VLAN2 but the SSID of the wireless connection is SSID1.
So prevent that. The Calling-Station-Id *should* contain the SSID after the MAC address. Run the server in debug mode to see this. Then, use a regular expression to match the SSID. Alan DeKok.
--On 30 March 2006 09:56 +0200 Antonio Matera <antonio.matera@create-net.it> wrote:
In my log after the MAC address there isn't any information on the SSID. In the log i haven't information on the SSID.... but in my aP configuration I have the radius-server vsa send accounting: ^^^^^ What is wrong? I don't understand of is the mistake.....
You misread my previous email .... you need: radius-server vsa send authentication ^^^^^^^^^^ this makes the cisco include the ssid in the AUTHENTICATION request which is what you need. Presently you only have: radius-server vsa send accounting so the SSID is only being sent in accounting packets. (having both is fine) Regards, James -- James J J Hooper, Information Services University of Bristol --
hi, ok, now the authentication request works (the problem was that if I restart the AP I lost this configuration. How can I save it using the web configuration?) Now the log is the following: rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166 User-Name = "TEST4" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=VLAN3" Service-Type = Login-User Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46 EAP-Message = 0x020600060d00 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "260" NAS-Port = 260 State = 0x0491685cf8ece3184d685dedfedbb3d4 NAS-IP-Address = 192.168.9.104 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 modcall[authorize]: module "mschap" returns noop for request 18 rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 18 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 18 users: Matched entry TEST4 at line 11 modcall[authorize]: module "files" returns ok for request 18 modcall: leaving group authorize (returns updated) for request 18 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 18 modcall: leaving group authenticate (returns ok) for request 18 Login OK: [TEST4/<no User-Password attribute>] (from client ap-test port 260 cli 000c.f135.f1ba) Sending Access-Accept of id 19 to 192.168.9.104 port 1645 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "TEST4" Finished request 18 and I have this users: TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN user2 Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN Now in the log there is Cisco-AVPair = "ssid=VLAN3" but user TEST4 is authenticated on the incorrect SSID (VLAN3). I suppose that the Cisco-AVPair check doesn't work in my configuration.... Are there other mistakes? Thanks for your answers... Bye Antonio
You misread my previous email .... you need: radius-server vsa send authentication ^^^^^^^^^^
this makes the cisco include the ssid in the AUTHENTICATION request which is what you need. Presently you only have: radius-server vsa send accounting
so the SSID is only being sent in accounting packets.
(having both is fine)
Regards, James
-- James J J Hooper, Information Services University of Bristol --
Anyone can help me please? Thanks, Antonio on 30/03/2006 17.39 Antonio Matera said the following:
hi, ok, now the authentication request works (the problem was that if I restart the AP I lost this configuration. How can I save it using the web configuration?)
Now the log is the following:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, length=166 User-Name = "TEST4" Framed-MTU = 1400 Called-Station-Id = "0012.dacb.8420" Calling-Station-Id = "000c.f135.f1ba" Cisco-AVPair = "ssid=VLAN3" Service-Type = Login-User Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46 EAP-Message = 0x020600060d00 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "260" NAS-Port = 260 State = 0x0491685cf8ece3184d685dedfedbb3d4 NAS-IP-Address = 192.168.9.104 NAS-Identifier = "ap" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 modcall[authorize]: module "mschap" returns noop for request 18 rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 18 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 18 users: Matched entry TEST4 at line 11 modcall[authorize]: module "files" returns ok for request 18 modcall: leaving group authorize (returns updated) for request 18 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake is finished eaptls_verify returned 3 eaptls_process returned 3 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns ok for request 18 modcall: leaving group authenticate (returns ok) for request 18 Login OK: [TEST4/<no User-Password attribute>] (from client ap-test port 260 cli 000c.f135.f1ba) Sending Access-Accept of id 19 to 192.168.9.104 port 1645 Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" Tunnel-Type:0 = VLAN MS-MPPE-Recv-Key = 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da MS-MPPE-Send-Key = 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "TEST4" Finished request 18
and I have this users:
TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 2, Tunnel-Type = VLAN
user2 Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3" Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 3, Tunnel-Type = VLAN
Now in the log there is Cisco-AVPair = "ssid=VLAN3" but user TEST4 is authenticated on the incorrect SSID (VLAN3). I suppose that the Cisco-AVPair check doesn't work in my configuration.... Are there other mistakes?
Thanks for your answers... Bye Antonio
participants (4)
-
Alan DeKok -
Antonio Matera -
Guy Davies -
James J J Hooper