Cisco AP Vlan assignment when proxying EAP-PEAP?

Josh Howlett josh.howlett at bristol.ac.uk
Tue Nov 8 17:30:11 CET 2005 

Hi Jezz,

Palmer J.D.F. wrote:
> Hi,
> 
> Can anyone tell me if it's possible to proxy EAP-PEAP from a Cisco Aironet
> to an IAS server via FreeRADIUS (I can do this bit), then, set the user's
> VLAN information within FreeRADIUS in the access-accept packet returned to
> the AP?

Yes - write a script that outputs the relevant attributes to stdout, and 
specify it in an "exec" clause in radiusd.conf, making sure you set 
packet_type = access-accept. Invoke the exec clause by placing it in 
post-proxy section. For example (assuming you've got the proxying working):

assign-vlan.sh:

  #!/bin/bash

  VLAN = "123"

  # We can also grab the RADIUS username attribute from the environment.
  # USER = $USER_NAME
  # This might be useful if you wanted to drop users
  # into different VLANs.
  # if ( $USER == "bujfxh at bristol.ac.uk ); then
  #  VLAN = "666"
  # fi

  echo "Tunnel-Medium-Type = 802"
  echo "Tunnel-Type = VLAN"
  echo "Tunnel-Private-Group-ID = $VLAN"

  exit 0

radiusd.conf:

  exec assign-vlan {
	program = "/path/to/assign-vlan.sh"
	input_pairs = proxy-reply
	output_pairs = proxy-reply
	wait = yes
	packet_type = Access-Accept
  }

  authorize {
	...
	# Make sure you put this AFTER the clause that invokes proxying
	assign-vlan
	...
  }

> Also, is there a way to return an access-accept with a 'dirty' VLAN ID, even
> if the IAS server rejects the user?  The idea being that the user would be
> put into a dead end VLAN so they could get info on how to register to use
> the service.

No; only a couple of attributes are permitted in Access-Reject packets.

I don't think it would be possible to "catch" Access-Rejects from IAS 
and cunningly turn them into Access-Accepts, either :-/ (well, it would 
be possible, but you'd need to hack FR to do this).

josh.

> Many thanks,
> Jezz Palmer.
> 
> ****************************************
> Jezz Palmer.
> Internet Systems Officer.
> Library and Information Services
> University of Wales, Swansea
> Singleton Park
> Swansea
> SA2 8PP
> ****************************************
> 
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list