Problem with Cisco-AVPair
Antonio Matera
antonio.matera at create-net.it
Fri Apr 7 09:18:46 CEST 2006
Hallo, sorry I had a bad configuration of my email client.
I re-write my problem:
I want to authenticate my users with different SSID on different VLAN.
My objective is to authenticate an user only on a select SSID.
With the wrong SSID the user shouldn't connect...
I use PEAP-MS-CHAPv2 and the user is set as following:
vlan3 Cisco-AVPair == "ssid=VLAN3", User-Password == "test"
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 3,
Tunnel-Type = VLAN
If I insert the check == in the Cisco-AVPair attribute, I have this log:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=21,
length=240
User-Name = "vlan3"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=VLAN3"
Service-Type = Login-User
Message-Authenticator = 0x57cbe83313e35c36a3878a5151361c44
EAP-Message =
0x020900501900170301002029a86e41268c925e584b0924c058e045487523e0b2181541f520fe517e5fa67c1703010020ebe4e512af90e916f41fc666e138157bd279a6ed7f1ab44243f67e72d18ce012
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "260"
NAS-Port = 260
State = 0xbb09e1038e24af4dc9f4002adb7d6b0a
NAS-IP-Address = 192.168.9.104
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_realm: No '@' in User-Name = "vlan3", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 9 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry vlan3 at line 24
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Had sent TLV failure. User was rejcted rejected
earlier in this session.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 8
modcall: leaving group authenticate (returns invalid) for request 8
auth: Failed to validate the user.
Login incorrect: [vlan3/<no User-Password attribute>] (from client
ap-test port 260 cli 000c.f135.f1ba)
Delaying request 8 for 1 seconds
Finished request 8
The radius don't authenticate my user, but the SSID is correct!
If I insert the check := in the Cisco-AVPair attribute, my user is
authenticate on all my SSID....
I missed something in my configuration?
Thanks a lot for your support...
Antonio
on 06/04/2006 23.05 Kevin Bonner said the following:
> On Thursday 06 April 2006 08:24, Antonio Matera wrote:
>> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
>
> Please stop using HTML when posting your messages. You just might get a few
> more useful responses from people who don't bother to read html-only
> messages.
>
> Kevin Bonner
>
>
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
More information about the Freeradius-Users
mailing list