VLAN and SSID

Antonio Matera antonio.matera at create-net.it
Wed Mar 29 16:57:56 CEST 2006 

Hallo,
now I have the users configured as follow:

user1    Auth-Type := EAP
            Cisco-AVPair := "ssid=SSID1",
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 2,
            Tunnel-Type = VLAN

user2    Auth-Type := EAP
            Cisco-AVPair := "ssid=SSID2",
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id = 3,
            Tunnel-Type = VLAN


The AP has the radius-server vsa send authentication, but when I connect 
for example to the SSID2 using user1, radius write this log for a big 
number of request:


rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167, 
length=137
        User-Name = "user1"
        Framed-MTU = 1400
        Called-Station-Id = "xxxx.xxxx.xxxx"
        Calling-Station-Id = "xxxx.xxxx.xxxx"
        Service-Type = Login-User
        Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746
        EAP-Message = 0x020600060d00
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1215
        State = 0x15f928ed12d8d4d1a278530b6dd26c21
        NAS-IP-Address = 192.168.9.104
        NAS-Identifier = "ap"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 53
  modcall[authorize]: module "preprocess" returns ok for request 53
  modcall[authorize]: module "mschap" returns noop for request 53
    rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 53
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 53
    users: Matched entry user1 at line 14
  modcall[authorize]: module "files" returns ok for request 53
modcall: leaving group authorize (returns updated) for request 53
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 53
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 53
modcall: leaving group authenticate (returns ok) for request 53
Login OK: [user1/<no User-Password attribute>] (from client ap-test port 
1215 cli 000c.f135.f1ba)
Sending Access-Accept of id 167 to 192.168.9.104 port 1645
        Cisco-AVPair := "ssid=SSID1"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        Tunnel-Type:0 = VLAN
        MS-MPPE-Recv-Key = 
0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011
        MS-MPPE-Send-Key = 
0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "user1"
Finished request 53



The XP client tell that the SSID2 is connected, but if I try to navigate 
on the VLAN1 or VLAN2 i can't do it.

Why the radius receive a big number of request from the client and it 
doesn't sent a failed authorization? It is possible to eliminate the 
requests after the first?
It is possible to send to the XP client a failed authorization? At the 
moment the client doesn't understand  if it is or isn't connected to the 
SSID.



Thanks a lot for your time
Bye Antonio

More information about the Freeradius-Users mailing list