VLAN Mapping with MS-CHAP
Phil Mayers
p.mayers at imperial.ac.uk
Fri May 5 11:46:54 CEST 2006
robiwan at arcor.de wrote:
> Dear all,
> I am trying to put my Windows XP clients in different VLANs on my Cisco Catalyst 3750 switch, depending on their account.
> And I use two different authentication methods: MD5-Challenge and MS-CHAP.
>
> User hugo should be mapped to VLAN 50 and authenticated via MD5-Challenge
> User roka at domain WINLAB should be mapped to VLAN 40 and authenticated via MS-CHAP
>
> Now both authentications work (thanks to all again), but I have difficulties mapping user roka to his right VLAN.
>
> Here is my users file:
> -----------------------snip------------------------
>
> hugo    User-Password == "hugo01"
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 50
>
> roka    Auth-Type := MS-CHAP
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = 6,
>         Tunnel-Private-Group-ID = 40
Do NOT set Auth-Type. If your server is properly configured, it is not
needed and can cause problems. In this case, it should not be causing
the problem.
Just to check - that's the ENTIRE users file, yes?
>
> ---------------------snap--------------------------
>
> Here is the output of my radiusd with user hugo
> The Cisco switch maps user hugo to VLAN 50:
>
> Login OK: [hugo/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-5D-84-AE-CA)
> Sending Access-Accept of id 210 to 10.187.0.15 port 1645
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "50"
>         EAP-Message = 0x03010004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "hugo"
> Finished request 1
> Going to the next request
>
>
> Here is the output with user roka
> The Cisco switch maps user roka to VLAN 1, and NOT to VLAN 40; I miss the Tunnel information:
>
> Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client M4DEMRCO0000015 port 50103 cli 00-0B-AA-84-AE-CA)
> Sending Access-Accept of id 220 to 10.187.0.15 port 1645
>         Framed-IP-Address = 255.255.255.254
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         MS-MPPE-Recv-Key = 0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
>         MS-MPPE-Send-Key = 0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
>         EAP-Message = 0x03090004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "WINLAB\\roka"
> Finished request 9
> Going to the next request
This is not helpful. Send the full debugging output prior to this, so we
can see what modules matched. If you're going to trim, start from the
point the radius server is idling, not the very last packet.
In all probability, your problem is that you're using PEAP rather than
just MS-CHAP, and the tunnel attributes are being set on the inner
MS-CHAP reply, but not being copied to the outer EAP reply.
Make sure you have this in eap.conf:
eap {
        # rest of config, then
        peap {
                # rest of config, then
                use_tunneled_reply = yes
        }
}
You may also need:
eap {
        # rest of config, then
        peap {
                # rest of config, then
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}
...if you want to match on other attributes in the request than username
at a later date.
>
>
> So, any ideas what to do so that for user roka my radiusd also says the Tunnel things to my switch:
>
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "40"
>
That's expected and normal. See RFC 2868. The number is a tag, as you
can specify multiple tunnel-* attribute sets. The tag groups them
together, and FreeRadius sets it to zero for the common case of one set.
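As an added example (not from this thread or from FreeRADIUS itself): a small Python checker that reads the "Sending Access-Accept" part of a radiusd transcript, groups the Tunnel-* attributes by their RFC 2868 tag as described above, and reports which VLAN the switch will apply, flagging replies like roka's that carry no complete set. The sample log is constructed from the two transcripts quoted above; the function and variable names are my own.

```python
import re

# Constructed excerpt modelled on the two radiusd transcripts quoted above (hugo: full Tunnel-* set, roka: none).
SAMPLE_LOG = """\
Sending Access-Accept of id 210 to 10.187.0.15 port 1645
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "50"
Finished request 1
Sending Access-Accept of id 220 to 10.187.0.15 port 1645
\tUser-Name = "WINLAB\\\\roka"
Finished request 9
"""
ACCEPT_RE = re.compile(r"^Sending Access-Accept of id (\d+) to ")
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*"?(.*?)"?\s*$')  # name[:tag] = value
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def parse_accepts(text):
    """Return [(request_id, [(name, tag_or_None, value), ...]), ...], one entry per Access-Accept."""
    accepts, current = [], None
    for line in text.splitlines():
        if m := ACCEPT_RE.match(line):
            current = (int(m.group(1)), [])
            accepts.append(current)
        elif current and (m := ATTR_RE.match(line)):  # radiusd indents attribute lines
            name, tag, value = m.groups()
            current[1].append((name, None if tag is None else int(tag), value))
        else:
            current = None  # "Finished request ..." or any other line ends the reply
    return accepts

def audit_vlan_reply(attrs):
    """Group Tunnel-* by RFC 2868 tag (untagged = tag 0); an absent/incomplete set leaves the port in the default VLAN."""
    by_tag = {}
    for name, tag, value in attrs:
        if name in REQUIRED:
            by_tag.setdefault(0 if tag is None else tag, {})[name] = value
    problems, vlan = [], None
    for tag, group in sorted(by_tag.items()) or [(0, {})]:  # no set at all: report tag 0 as empty
        bad = [f"missing {a}" for a in REQUIRED if a not in group]
        if group.get("Tunnel-Type", "VLAN") not in ("VLAN", "13"):
            bad.append(f"Tunnel-Type is {group['Tunnel-Type']}, not VLAN")
        if group.get("Tunnel-Medium-Type", "IEEE-802") not in ("IEEE-802", "6"):
            bad.append(f"Tunnel-Medium-Type is {group['Tunnel-Medium-Type']}, not IEEE-802")
        if bad:
            problems.append(f"tag {tag}: " + ", ".join(bad))
        elif vlan is None:
            vlan = group["Tunnel-Private-Group-Id"]  # first complete, consistent set wins
    return {"vlan": vlan, "problems": problems}
```

Run it over a full `radiusd -X` transcript to spot every Access-Accept that the switch will silently put in its default VLAN.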