freeradius and cisco 3550 dynamic vlan assignment issue(authentication is working)
schilling
schilling2006 at gmail.com
Wed Nov 7 17:56:08 CET 2007
We read all the dynamic VLAN related posts in this mailing list archive,
but still can't get it to work, even though the authentication is working
fine.
We are trying to get dynamic VLAN assignment from FreeRADIUS version
.... with a local user database using EAP-TTLS/PAP. The client PC is
able to authenticate, but is not in the intended VLAN (dynamic VLAN
assignment is not working). Any suggestion is highly appreciated.
FreeRADIUS Version 1.1.7, for host i686-pc-linux-gnu
DEBUG INFO
TTLS: Got tunneled reply RADIUS code 2
        Service-Type = Framed-User
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = 802
        Tunnel-Private-Group-Id:0 = "552"
Wed Nov 7 11:48:33 2007 : Debug: TTLS: Got tunneled Access-Accept
Wed Nov 7 11:48:33 2007 : Debug: rlm_eap: Freeing handler
Wed Nov 7 11:48:33 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 29
Wed Nov 7 11:48:33 2007 : Debug: modcall[authenticate]: module "eap" returns ok for request 29
Wed Nov 7 11:48:33 2007 : Debug: modcall: leaving group authenticate (returns ok) for request 29
Sending Access-Accept of id 4 to 128.186.252.8 port 1645
USER FILE
userx   Cleartext-Password := "hello"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = "552"
"debug dot1x all" on the Cisco showed that the switch successfully assigns
VLAN 0 to fa0/2 (the dot1x enabled port) after authentication. We think
this means the VLAN is not being communicated between FreeRADIUS and the
switch, but we don't know why.
The test switch is a Cisco 3550 running IOS 12.2(35)SE. I have (I also
tried the configuration in the FreeRADIUS wiki, with the same result):
aaa new-model
aaa authorization network default group radius
aaa authentication dot1x default group radius
and
dot1x system-auth-control
fa0/2 is my test port.
med-res-t#sh run
Building configuration...
Current configuration : 3450 bytes
!
! Last configuration change at 11:19:46 eastern Wed Nov 7 2007 by cisco
! NVRAM config last updated at 11:17:30 eastern Wed Nov 7 2007 by cisco
!
version 12.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname med-res-t
!
logging buffered 65536 debugging
no logging console
enable secret 5 *****
!
username cisco privilege 15 secret 5 *******
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
!
aaa session-id common
clock timezone eastern -5
ip subnet-zero
ip domain-name test.edu
!
ip ssh version 2
vtp mode transparent
!
!
!
!
!
dot1x system-auth-control
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 100,200
!
!
vlan 552
name test-fwsm-lan
!
vlan 553
name retricted-vlan
!
!
interface FastEthernet0/1
 switchport mode dynamic desirable
!
interface FastEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 spanning-tree portfast
!
!
interface GigabitEthernet0/1
 switchport mode dynamic desirable
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 543,552
 switchport mode trunk
 switchport nonegotiate
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan552
 ip address 10.128.252.8 255.255.255.0
!
ip default-gateway 10.128.252.1
ip classless
ip http server
ip http secure-server
!
!
radius-server host 10.128.33.163 auth-port 1612 acct-port 1646 key 7 070C285F4D06
radius-server source-ports 1645-1646
!
control-plane
!
line con 0
line vty 5 15
!
ntp clock-period 17179941
ntp server 10.128.8.8
end
med-res-t#
More information about the Freeradius-Users mailing list
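Editor's added example (not the poster's configuration and not from the FreeRADIUS project): the debug output above shows the three Tunnel-* attributes in the tunneled (inner) reply, but the "Sending Access-Accept" line is what the switch actually receives. With EAP-TTLS in FreeRADIUS 1.x, reply attributes produced by the inner PAP authentication are only copied into the outer Access-Accept when use_tunneled_reply is set to yes in the ttls section of eap.conf; the shipped default is no. The fragment below shows that setting together with a users entry carrying the same attribute values the post uses. The /etc/raddb path and the md5 default_eap_type are assumptions about a stock 1.1.x layout.

```conf
# Added example, not the original poster's config.  Assumes a stock
# FreeRADIUS 1.1.x install under /etc/raddb/ (path is an assumption).
#
# --- /etc/raddb/eap.conf, inside the "eap { ... }" block ---
# With EAP-TTLS the Tunnel-* reply attributes are generated by the inner
# (tunneled) PAP authentication.  Unless use_tunneled_reply is "yes" they
# are not copied into the outer Access-Accept that the switch receives,
# so the switch never sees a VLAN to assign.
ttls {
    default_eap_type = md5
    copy_request_to_tunnel = no
    use_tunneled_reply = yes   # default is "no"; copy inner reply outward
}

# --- /etc/raddb/users ---
# Reply items must sit on continuation lines indented below the user line.
# Values are the ones the post uses: Tunnel-Type VLAN (13),
# Tunnel-Medium-Type 802 (value 6; named IEEE-802 in newer dictionaries),
# Tunnel-Private-Group-Id = VLAN number (or VLAN name) as a string.
userx   Cleartext-Password := "hello"
        Service-Type = Framed-User,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-Id = "552"
```

Two checks close the loop. On the server, run radiusd -X and look at the attribute list printed directly under the "Sending Access-Accept of id N to ..." line: that list, not the "Got tunneled reply" list, is what goes on the wire, and it should now include all three Tunnel-* attributes. On the 3550, "debug radius" shows the attributes as received, and "show vlan" should list Fa0/2 under VLAN 552 after the next authentication; the "aaa authorization network default group radius" line already in the running config is required for the switch to act on them at all.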