Freeradius and vlan assignment

Edvin Seferovic edvin.seferovic at kolp.at
Mon Mar 12 00:44:14 CET 2007


Hi,

please respond to freeradius mailing list....

I am not sure if you can use EAP to make a comparison.. but anyway you will
need two = ( == ) instead of one = ( = )...

Try setting 

test 	NAS-Port-Type == Ethernet
	Tunnel-Type += 13, 
	.........

Regards,

E:S

________________________________________
----------------------------------------
Hi,
 
I tried this but I never see anything about vlan in my freeradius log!! My
user stays in the default VLAN!!!
 
Is my user's definition in the users file correct?
 
---------
 
test    Auth-Type = EAP
        Tunnel-Type += 13,
        Tunnel-Medium-Type += 6,
        Tunnel-Private-Group-Id += 2,
        Fall-Through += No
-------
 
Thanks....

Sending Access-Challenge of id 148 to 192.168.16.1:1645
        EAP-Message =
0x019500201900170301001594b0749a153a5db24986ad5b383747d599cefa165e
        Message-Authenticator = 0x00000000000000000000000000000000 
        State = 0xfaadc1f3fdcd54caba3eb520194cbda4
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=149,
length=172
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
       
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61" 
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xfaadc1f3fdcd54caba3eb520194cbda4
        EAP-Message =
0x0295002419001703010019d71271328e83be4bb86e90cb9cf78a13f6e92985f71a24f71b 
        Message-Authenticator = 0x6534f60da4b6f525ae500bcdc1f1b683
rlm_eap_mschapv2: Issuing Challenge
Sending Access-Challenge of id 149 to 192.168.16.1:1645
        EAP-Message =
0x019600391900170301002e35934ed543adc3872069178f99dad4cef4ddb3891fae093be210
029063523c48015aeb6aa2e3d4eb17fd39890382 
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b1b2139747f2fd4a4bbb4f9f279eb11
rad_recv: Access-Request packet from host 192.168.16.1:1645 , id=150,
length=226
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3" 
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x1b1b2139747f2fd4a4bbb4f9f279eb11
        EAP-Message =
0x0296005a1900170301004f8e53cc58384cebdce1096ef486e518b9efd644cb4029eb633ef3
f06b1682f03fed4152d8f5eac2bd535a02befb274d4a591c3e60910efcec65ba22d6d5c33c8a
50797ccfca8f0c7c57bc2287068b2d 
        Message-Authenticator = 0x416672a07b4421f704970f07db03e442
radius_xlat: Running registered xlat function of module mschap for string
'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string
'User-Name' 
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=3e2e4fe28bd9b464
--nt-response=927de3350c738b570a464aeac694ca367884505006ceb2af 
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
Sending Access-Challenge of id 150 to 192.168.16.1:1645
        EAP-Message =
0x0197004a1900170301003fc00a2f7339369e45babdf23184b0f04fb295d015a9bd4316050d
a913d6538bf4329c8c46835179297980a5b669ce00e7b984fa8368858b6db4cea48759d7c1 
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7ef7f6d05a6f3d00427213ecb574faa2
rad_recv: Access-Request packet from host 192.168.16.1:1645 , id=151,
length=165
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3" 
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x7ef7f6d05a6f3d00427213ecb574faa2
        EAP-Message =
0x0297001d190017030100128fca90d7480fc827988c01b59ca594725eda 
        Message-Authenticator = 0xf453065f5ccd452281e10cf4fcce3d8a
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client
UNKNOWN-CLIENT port 0) 
Sending Access-Challenge of id 151 to 192.168.16.1:1645
        EAP-Message =
0x019800261900170301001b424c8e15103d6091ff787a4a81a9d7f36e071506fee1dd9365f8
27
        Message-Authenticator = 0x00000000000000000000000000000000 
        State = 0x00edbd8474f305a438e2129b69d8d833
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=152,
length=174
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61" 
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x00edbd8474f305a438e2129b69d8d833
        EAP-Message =
0x029800261900170301001bae5f10c31db3214c9b97a5a5f8a4c027e3e599ea4820750c4376
4c 
        Message-Authenticator = 0x3b5bfbac96e06c7751c2c9405fd8bd0e
Login OK: [CSB\\test/<no User-Password attribute>] (from client 192.168.16.1
port 50147 cli 00-04-75-85-8F-61) 
Sending Access-Accept of id 152 to 192.168.16.1:1645
        MS-MPPE-Recv-Key =
0xa159f53b8ccddbfe198e451f9e34f4572525e4257bf0a2ef0d62f9b829de2405
        MS-MPPE-Send-Key =
0x57d9ef257640d9cf18b06cf26ddca8083e2484464499e2b9b74c8ac5ccd6a213 
        EAP-Message = 0x03980004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "CSB\\test"

 
2007/3/9, Bruno Mardirossian <b.mardirossian at gmail.com>: 
Thanks, I will try this on Monday....

Does the rest of my configuration for the user "test" in the users file seem to
be correct?
2007/3/9, Edvin Seferovic < edvin.seferovic at kolp.at>: 
http://wiki.freeradius.org/Operators
 
Hint +=  <<<< for Tunnel-Type !
 
Regards,
 
E:S
 
________________________________________
From: freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.org
[mailto:
freeradius-users-bounces+edvin.seferovic=kolp.at at lists.freeradius.org ] On
Behalf Of Bruno Mardirossian
Sent: Friday, 09 March 2007 03:49
To: freeradius-users at lists.freeradius.org 
Subject: Freeradius and vlan assignment
 
Hello! 
I am working on implementing freeradius with a cisco 3750 switch
connected to freeradius, which then talks to AD. (The linux box is on the
AD domain)
Anyway, we try to make vlan assignment by using the 'users' file.
We created a user named 'test' on my AD server, and we created this section
in the users file:
test    Auth-Type := MS-CHAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2
The user is correctly authenticated by AD, but he is put in the default
vlan (id 1) and not in the vlan defined in the file 'users' (id 2).
By the way, reading the radiusd output, I think that freeradius does not
read my users file... I didn't see in the log anything about the Tunnel-Type
or Tunnel-Private-Group-Id information....
Anyone have any thoughts?
Regards
Bruno
        
Message-Authenticator = 0xa309657e84ce8131d67aa64d9a491059
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6 
  modcall[authorize]: module "preprocess" returns ok for request 6 
  modcall[authorize]: module "chap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL" 
  modcall[authorize]: module "suffix" returns noop for request 6
    users: Matched entry DEFAULT at line 165 
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 6 
  rlm_eap: EAP packet type response id 6 length 90
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation 
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "mschap" returns noop for request 6 
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type MS-CHAP 
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test' 
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6 
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap 
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake 
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes. 
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to CSB\test 
  PEAP: Adding old state with 86 79
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6 
  modcall[authorize]: module "preprocess" returns ok for request 6 
  modcall[authorize]: module "chap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL 
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
    users: Matched entry DEFAULT at line 165 
  modcall[authorize]: module "files" returns ok for request 6 
  rlm_eap: EAP packet type response id 6 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6 
  modcall[authorize]: module "mschap" returns noop for request 6 
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP 
Warning:  Found 2 auth-types on request for user 'CSB\test' 
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list 
  rlm_eap: EAP/mschapv2 
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password. 
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'NT-Domain' 
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
 mschap2: 9a
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response' 
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=0529c10bac22a3fa
--nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=0529c10bac22a3fa
--nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456 
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
  modcall[authenticate]: module "mschap" returns ok for request 6 
modcall: group Auth-Type returns ok for request 6
MSCHAP Success
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
  PEAP: Got tunneled Access-Challenge 
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 138 to 192.168.16.1:1645 
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User 
        EAP-Message =
0x0107004a1900170301003f58b6111cc333922058a5d79f63641e19ae7154e3504573da9834
6c88f080fe8ee04ad4b50f3cdc52fd02e8909b9f8f9a439730b7cee4654c18135432e651e7 
        Message-Authenticator = 0x00000000000000000000000000000000 
        State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=139,
length=165
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet 
        User-Name = "CSB\\test" 
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500 
        State = 0x1f45be689bd5bd8a6d8ace2af886bb6c 
        EAP-Message =
0x0207001d19001703010012b8f868205426ef722e2433e5defa62455113
        Message-Authenticator = 0x2e5a0be42b038b2404f5c93ea27d5387
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7 
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL" 
  modcall[authorize]: module "suffix" returns noop for request 7
    users: Matched entry DEFAULT at line 165 
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 7 
  rlm_eap: EAP packet type response id 7 length 29
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation 
  modcall[authorize]: module "eap" returns updated for request 7
  modcall[authorize]: module "mschap" returns noop for request 7 
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type MS-CHAP 
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test' 
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7 
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake 
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK 
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to CSB\test 
  PEAP: Adding old state with a8 0f 
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7 
  modcall[authorize]: module "chap" returns noop for request 7 
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL" 
  modcall[authorize]: module "suffix" returns noop for request 7
    users: Matched entry DEFAULT at line 165
  modcall[authorize]: module "files" returns ok for request 7
  rlm_eap: EAP packet type response id 7 length 6 
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
  modcall[authorize]: module "mschap" returns noop for request 7 
modcall: group authorize returns updated for request 7
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test' 
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 7
modcall: group authenticate returns ok for request 7
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client
UNKNOWN-CLIENT port 0)
  PEAP: Tunneled authentication was successful. 
  rlm_eap_peap: SUCCESS
  modcall[authenticate]: module "eap" returns handled for request 7 
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 139 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User 
        EAP-Message =
0x010800261900170301001b8d03a63c700234ed33060b7b6b9274d27b9e872a002e885ab9eb
f3
        Message-Authenticator = 0x00000000000000000000000000000000 
        State = 0x5a28f8fd3d7fde4a88411d022625e022 
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645 , id=140,
length=174
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3" 
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User 
        Framed-MTU = 1500
        State = 0x5a28f8fd3d7fde4a88411d022625e022
        EAP-Message =
0x020800261900170301001b44c1c9880e33cd6e472ba624ff53ee4f53e1588d0da394c02c05
22 
        Message-Authenticator = 0x50fd41edb7beeee318cfd915201602f4 
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module "preprocess" returns ok for request 8 
  modcall[authorize]: module "chap" returns noop for request 8 
    rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
    rlm_realm: No such realm "NULL" 
  modcall[authorize]: module "suffix" returns noop for request 8
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
  modcall[authorize]: module "files" returns ok for request 8 
  rlm_eap: EAP packet type response id 8 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 8
  modcall[authorize]: module "mschap" returns noop for request 8 
modcall: group authorize returns updated for request 8
  rad_check_password:  Found Auth-Type MS-CHAP
  rad_check_password:  Found Auth-Type EAP
Warning:  Found 2 auth-types on request for user 'CSB\test' 
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap 
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes. 
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 8 
modcall: group authenticate returns ok for request 8
Login OK: [CSB\\test/<no User-Password attribute>] (from client reseau16
port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 140 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User 
        MS-MPPE-Recv-Key =
0xf1a6b62d3814b8fc8f3ac5601a89ddacc1c47c4387e21b35fe33bdbffaf15486 
        MS-MPPE-Send-Key =
0x1ba3df6508e8c7f03112980ae8e1255bfec5c05ab397c927a9b56be7335714fd
        EAP-Message = 0x03080004 
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "CSB\\test" 
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list --- 
Cleaning up request 0 ID 132 with timestamp 45f0c882
Cleaning up request 1 ID 133 with timestamp 45f0c882 
Cleaning up request 2 ID 134 with timestamp 45f0c882
Cleaning up request 3 ID 135 with timestamp 45f0c882 
Cleaning up request 4 ID 136 with timestamp 45f0c882
Cleaning up request 5 ID 137 with timestamp 45f0c882 
Cleaning up request 6 ID 138 with timestamp 45f0c882
Cleaning up request 7 ID 139 with timestamp 45f0c882 
Cleaning up request 8 ID 140 with timestamp 45f0c882
Nothing to do.  Sleeping until we see a request.
 

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
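As an added example (not code from this thread or from FreeRADIUS), here is a small Python checker that applies the operator rules from the Operators wiki page linked above to users-file entries like the ones posted, and that pulls out which entries the posted radiusd debug output reports as matched. It assumes that rlm_files compares an entry's first field literally with the request's User-Name, DEFAULT being the only wildcard, which is why a bare "test" entry never matches the "CSB\test" seen in the log; the debug excerpt and the second entry are constructed for the example.

```python
"""Added example for this thread (not FreeRADIUS code): a checker for
'users' file entries that applies the operator rules from
http://wiki.freeradius.org/Operators and confirms, from radiusd -X output,
which entries actually matched."""
import re

# Operators valid on the check line (first line) and on reply lines.
CHECK_OPS = {"==", ":=", "+=", "=~", "!=", "!~", ">", ">=", "<", "<=", "=*", "!*"}
REPLY_OPS = {"=", ":=", "+="}
# '=' is only meaningful as a check item for server control attributes.
CONTROL_ATTRS = {"Auth-Type", "Fall-Through", "Hint", "Group", "Realm"}

ITEM_RE = re.compile(
    r'([\w-]+)\s*(==|:=|\+=|=~|!=|!~|>=|<=|=\*|!\*|=|>|<)\s*("[^"]*"|[^,\s]+)')
MATCH_RE = re.compile(r"users: Matched entry (\S+) at line (\d+)")


def parse_entry(text):
    """Split one users-file entry into (name, check_items, reply_items)."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    head = lines[0].split(None, 1)
    checks = ITEM_RE.findall(head[1]) if len(head) > 1 else []
    replies = ITEM_RE.findall(" ".join(lines[1:]))
    return head[0], checks, replies


def lint_entry(text, user_name):
    """Return the problems that would stop this entry from doing its job
    for a request whose User-Name is user_name; [] means it looks fine."""
    name, checks, replies = parse_entry(text)
    problems = []
    for attr, op, _ in checks:
        if op == "=" and attr not in CONTROL_ATTRS:
            problems.append(f"check item {attr}: '=' is not a comparison, use '=='")
        elif op != "=" and op not in CHECK_OPS:
            problems.append(f"check item {attr}: operator '{op}' is not a check operator")
    for attr, op, _ in replies:
        if op not in REPLY_OPS:
            problems.append(f"reply item {attr}: operator '{op}' is not a reply operator")
    # rlm_files compares the first field literally with User-Name; only DEFAULT is a wildcard.
    if name != "DEFAULT" and name != user_name:
        problems.append(f"entry '{name}' never matches User-Name {user_name!r}")
    return problems


def matched_entries(debug_log):
    """Names of users-file entries that radiusd -X reports as matched."""
    return {m.group(1) for m in MATCH_RE.finditer(debug_log)}


# Bruno's original entry, a constructed entry with '=' on the check line,
# and a constructed debug excerpt shaped like the one posted in the thread.
ORIGINAL_ENTRY = """test    Auth-Type := MS-CHAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2"""
WRONG_CHECK_ENTRY = """DEFAULT NAS-Port-Type = Ethernet
        Tunnel-Type = VLAN"""
DEBUG_EXCERPT = """    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184"""
```

Running lint_entry(ORIGINAL_ENTRY, "CSB\\test") reports only that the entry name never matches, and matched_entries(DEBUG_EXCERPT) returns {"DEFAULT"}, which is exactly what the posted log shows.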