Help needed with freeradius, solaris and trapeze

Guy Davies aguydavies at gmail.com
Tue Apr 29 11:22:01 CEST 2008


2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>:
> Alan DeKok wrote:
>
> > Guy Davies wrote:
> >

[..snip..]

> > > You need to tell us which EAP method you plan to use.  If you are
> > > using local users, you can take your pick from EAP-TTLS/PAP or
> > > PEAP/MS-CHAPv2.  If you use the former, you can have the passwords
> > > encrypted in the users file.  If you use the latter, the passwords
> > > must be in clear text.
> > >
> > >
> > >
> >
>  Unless you're using PEAP offload in which case you just need to list the
> mschap module, and have the user password available in cleartext or as an nt
> / lm hash... but don't use PEAP offload. Terminate the EAP tunnel in FR, it
> generally works better and is far simpler.

Agreed.  PEAP offload was OK if you had a crappy backend RADIUS server
that didn't support EAP very well (or at all), but with a FR backend,
you're better off just passing your EAP straight through.

[..snip..]

> > > Trapeze uses some VSAs to specify which VLAN a user should be
> > > connected to, what time-of-day they can connect, etc.
> > >
> >
>  Hmm, no. Trapeze use the standard VLAN assignment attributes just like any
> other Vendor. You may be able to use the VSAs to do fancy stuff but :
>
>  Tunnel-Type = VLAN,
>  Tunnel-Medium-Type = IEEE-802,
>  Tunnel-Private-Group-ID = <VID>

Then that's definitely changed since I used to use Trapeze when it was
first brought to market.  I started with a pre-FCS version ;-)  They
used to have a VSA, Trapeze-VLAN-Name, that was quite nice if you
had different default VLAN numbers in different buildings in the
campus.  You could name all the default VLANs the same but give the
VLANs different IDs in the different MXes.  Using the
Tunnel-Private-Group-ID means you have to have a consistent VLAN ID
for a particular user group across a campus.

>
>  Works just the same.
>
> > >  Just look in
> > > dictionary.trapeze and you'll see the options.  The Trapeze
> > > documentation was always pretty good at explaining the purpose and
> > > format of those VSAs.  You *MUST* include a VLAN-Name VSA when
> > > responding to a Trapeze unit or it won't connect you to the correct
> > > VLAN.
> > >
> > >
> >
>  I have a MXR-2 sitting on my desk that says otherwise. You can set a
> default VLAN for each wireless service profile....

Doesn't that just pick up users that fail to attempt 802.1x
authentication?  Again, it's been a while since I last used Trapeze
kit so things may have changed significantly since then.

>
> >  Ah, yes.  *That* vendor.
> >
> >
> >
>  I happen to quite like that vendor and wish people would stop spreading
> misinformation, especially if they haven't used the kit for a few years
> *hmpf*.

I also very much liked that vendor and had no intention of spreading
misinformation.  I very specifically stated that it had been a while
since I used the kit so that people would take my information in
context.  I object to being accused of spreading misinformation
intentionally.  I am not frequently active on this list but I do try
to give valid information.  If it's wrong, then I'll hold my hand up
but berating people for trying will just make people stop giving
advice altogether.

Guy
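The standard VLAN assignment attributes quoted in the thread (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = <VID>) are tagged attributes from RFC 2868, and the tag octet is where NAS implementations most often disagree. The following is an added Python example, not code from this thread, from FreeRADIUS or from Trapeze: it encodes those three attributes the way they appear in an Access-Accept and parses them back the way a NAS must, including the RFC 2868 rule that a first byte above 0x1F in Tunnel-Private-Group-ID is data rather than a tag. Attribute numbers and enum values are from RFC 2868 and RFC 3580; the VLAN IDs are constructed. The Trapeze-VLAN-Name VSA route is left out, since its vendor and attribute numbers come from dictionary.trapeze rather than from this page.

```python
"""RFC 2868 tunnel attributes for 802.1X VLAN assignment: encode what a RADIUS
server puts in Access-Accept and parse it the way a NAS has to.

Added example for this thread; not code from the thread, from FreeRADIUS or
from Trapeze.  Attribute numbers and enum values are from RFC 2868 and
RFC 3580.  The sample VLAN IDs are constructed.
"""
import struct

TUNNEL_TYPE = 64              # RFC 2868
TUNNEL_MEDIUM_TYPE = 65       # RFC 2868
TUNNEL_PRIVATE_GROUP_ID = 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13         # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6    # RFC 2868
MAX_TAG = 0x1F                # tags 0x01..0x1F group attributes; 0x00 = unused


def _attr(attr_type: int, payload: bytes) -> bytes:
    """Type, Length (covers the two header octets), Value."""
    if len(payload) > 253:
        raise ValueError("attribute payload too long")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload


def tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer: one tag octet followed by a 3-octet big-endian value."""
    if not 0 <= tag <= MAX_TAG or not 0 <= value < (1 << 24):
        raise ValueError("tag or value out of range")
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string: one tag octet followed by the string."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag out of range")
    return _attr(attr_type, bytes([tag]) + value.encode("ascii"))


def vlan_assignment(vlan_id: int, tag: int = 0) -> bytes:
    """The three attributes the thread lists, i.e. what a users-file reply of
        Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = <VID>
    produces on the wire."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("not a valid 802.1Q VLAN ID")
    return (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))


def parse_attributes(data: bytes):
    """Yield (type, payload); refuse lengths that would run off the buffer."""
    off = 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[off + 2:off + alen]
        off += alen


def vlan_from_accept(attrs: bytes):
    """Return the VLAN ID a NAS should apply from the attributes of an
    Access-Accept, or None if no complete, consistent tuple is present."""
    groups = {}  # tag -> {attribute type: decoded value}
    for atype, payload in parse_attributes(attrs):
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            continue
        if not payload:
            raise ValueError("empty tunnel attribute")
        tag, body = payload[0], payload[1:]
        if atype == TUNNEL_PRIVATE_GROUP_ID:
            if tag > MAX_TAG:          # RFC 2868: then it is the first data byte
                tag, body = 0, payload
            groups.setdefault(tag, {})[atype] = body.decode("ascii")
        else:
            if tag > MAX_TAG or len(body) != 3:
                raise ValueError("malformed tagged integer")
            groups.setdefault(tag, {})[atype] = int.from_bytes(body, "big")
    for tag in sorted(groups):
        g = groups[tag]
        if (g.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and g.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in g):
            gid = g[TUNNEL_PRIVATE_GROUP_ID]
            # Some NASes accept a VLAN name here; a NAS that expects a number
            # must reject anything else rather than fall through to a default.
            if not gid.isdigit() or not 1 <= int(gid) <= 4094:
                raise ValueError(f"Tunnel-Private-Group-ID {gid!r} is not a VLAN ID")
            return int(gid)
    return None


if __name__ == "__main__":
    reply = vlan_assignment(100)
    print(reply.hex(" "))
    print("NAS would place the client in VLAN", vlan_from_accept(reply))
```

Running it stand-alone prints the 18 bytes of the three attributes and the VLAN the parser recovers. The grouping by tag is what makes several tunnel tuples in one reply unambiguous; the value check at the end is the part to keep in mind when a server is configured to send a VLAN name (as the Trapeze-VLAN-Name VSA discussed above does) to a NAS that only understands numeric IDs.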
