VLAN and SSID
Guy Davies
aguydavies at gmail.com
Wed Mar 29 17:06:24 CEST 2006
Hi Antonio,
If you're using the Cisco-AVPair as a check item, it *must* be on the
first line of the user entry. e.g.
user1 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
... reply items here, one per line...
If you want to configure it as a reply item, it should be...
Cisco-AVPair = "ssid=SSID1"
NOTE: =, not := for the reply item.
Rgds,
Guy
On 29/03/06, Antonio Matera <antonio.matera at create-net.it> wrote:
> Hallo,
> now I have the users configured as follow:
>
> user1 Auth-Type := EAP
> Cisco-AVPair := "ssid=SSID1",
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 2,
> Tunnel-Type = VLAN
>
> user2 Auth-Type := EAP
> Cisco-AVPair := "ssid=SSID2",
> Tunnel-Medium-Type = IEEE-802,
> Tunnel-Private-Group-Id = 3,
> Tunnel-Type = VLAN
>
>
> The AP has the radius-server vsa send authentication, but when I connect
> for example to the SSID2 using user1, radius write this log for a big
> number of request:
>
>
> rad_recv: Access-Request packet from host 192.168.9.104:1645, id=167,
> length=137
> User-Name = "user1"
> Framed-MTU = 1400
> Called-Station-Id = "xxxx.xxxx.xxxx"
> Calling-Station-Id = "xxxx.xxxx.xxxx"
> Service-Type = Login-User
> Message-Authenticator = 0xd58071e7b7c3b158323ae6e2da5cf746
> EAP-Message = 0x020600060d00
> NAS-Port-Type = Wireless-802.11
> NAS-Port = 1215
> State = 0x15f928ed12d8d4d1a278530b6dd26c21
> NAS-IP-Address = 192.168.9.104
> NAS-Identifier = "ap"
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 53
> modcall[authorize]: module "preprocess" returns ok for request 53
> modcall[authorize]: module "mschap" returns noop for request 53
> rlm_realm: No '@' in User-Name = "user1", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 53
> rlm_eap: EAP packet type response id 6 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 53
> users: Matched entry user1 at line 14
> modcall[authorize]: module "files" returns ok for request 53
> modcall: leaving group authorize (returns updated) for request 53
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 53
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake is finished
> eaptls_verify returned 3
> eaptls_process returned 3
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns ok for request 53
> modcall: leaving group authenticate (returns ok) for request 53
> Login OK: [user1/<no User-Password attribute>] (from client ap-test port
> 1215 cli 000c.f135.f1ba)
> Sending Access-Accept of id 167 to 192.168.9.104 port 1645
> Cisco-AVPair := "ssid=SSID1"
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "2"
> Tunnel-Type:0 = VLAN
> MS-MPPE-Recv-Key =
> 0x4b79e8c8d51a317ecfc389ae1109e9cbf4fed548b081a3d9a207cb1673fb2011
> MS-MPPE-Send-Key =
> 0x00c78f66a7706dbc37c2ef3a9cf1f4f183b28d840da50d583ae780041fe1f1d9
> EAP-Message = 0x03060004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "user1"
> Finished request 53
>
>
>
> The XP client tell that the SSID2 is connected, but if I try to navigate
> on the VLAN1 or VLAN2 i can't do it.
>
> Why the radius receive a big number of request from the client and it
> doesn't sent a failed authorization? It is possible to eliminate the
> requests after the first?
> It is possible to send to the XP client a failed authorization? At the
> moment the client doesn't understand if it is or isn't connected to the
> SSID.
>
>
>
> Thanks a lot for your time
> Bye Antonio
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list