Help needed with freeradius, solaris and trapeze

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Apr 29 12:29:35 CEST 2008


Guy Davies wrote:
> 2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>:
>> Alan DeKok wrote:
>>> Guy Davies wrote:
>
> [..snip..]
>
>   
>>>> You need to tell us which EAP method you plan to use.  If you are
>>>> using local users, you can take your pick from EAP-TTLS/PAP or
>>>> PEAP/MS-CHAPv2.  If you use the former, you can have the passwords
>>>> encrypted in the users file.  If you use the latter, the passwords
>>>> must be in clear text.
>>
>>  Unless you're using PEAP offload, in which case you just need to list the
>> mschap module and have the user password available in cleartext or as an NT
>> / LM hash... but don't use PEAP offload. Terminate the EAP tunnel in FR; it
>> generally works better and is far simpler.
>>     
>
> Agreed.  PEAP offload was OK if you had a crappy backend RADIUS server
> that didn't support EAP very well (or at all), but with a FR backend,
> you're better off just passing your EAP straight through.
>
> [..snip..]
>
>   
>>>> Trapeze uses some VSAs to specify which VLAN a user should be
>>>> connected to, what time-of-day they can connect, etc.
>>
>>  Hmm, no. Trapeze uses the standard VLAN assignment attributes just like any
>> other vendor. You may be able to use the VSAs to do fancy stuff, but:
>>
>>  Tunnel-Type = VLAN,
>>  Tunnel-Medium-Type = IEEE-802,
>>  Tunnel-Private-Group-ID = <VID>
>>     
>
> Then that's definitely changed since I used to use Trapeze when it was
> first brought to market.  I started with a pre-FCS version ;-)  They
> used to have VSAs for Trapeze-VLAN-Name that was quite nice if  you
> had different default VLAN numbers in different buildings in the
> campus.  You could name all the default VLANs the same but give the
> VLANs different IDs in the different MXes.  Using the
> Tunnel-Private-Group-ID means you have to have a consistent VLAN ID
> for a particular user group across a campus.
>   
Yes, which is neat. They also support local VLAN switching on the higher 
end units, not sure if that's new. I've put in a feature request for VTP 
& GVRP, but I don't know if they'll be implemented.

>   
>>  Works just the same.
>>
>>     
>>>>  Just look in
>>>> dictionary.trapeze and you'll see the options.  The Trapeze
>>>> documentation was always pretty good at explaining the purpose and
>>>> format of those VSAs.  You *MUST* include a VLAN-Name VSA when
>>>> responding to a Trapeze unit or it won't connect you to the correct
>>>> VLAN.
>>
>>  I have a MXR-2 sitting on my desk that says otherwise. You can set a
>> default VLAN for each wireless service profile....
>>     
>
> Doesn't that just pickup users that fail to attempt 802.1x
> authentication?  Again, it's been a while since I last used Trapeze
> kit so things may have changed significantly since then.
>
>   
The fall-through stuff doesn't work too well, and it's dealt with in a 
different manner now as well. Regarding VLANs: you can set a default VLAN 
for an SSID and choose to override it with an assignment from the 
server, or set a default VLAN and keep it no matter what the server 
assignment is.
>>>  Ah, yes.  *That* vendor.
>>>
>>  I happen to quite like that vendor and wish people would stop spreading
>> misinformation, especially if they haven't used the kit for a few years
>> *hmpf*.
>>     
>
> I also very much liked that vendor and had no intention of spreading
> misinformation.  I very specifically stated that it had been a while
> since I used the kit so that people would take my information in
> context.  I object to being accused of spreading misinformation
> intentionally.  I am not frequently active on this list but I do try
> to give valid information.  If it's wrong, then I'll hold my hand up
> but berating people for trying will just make people stop giving
> advice altogether.
>
>   
Sorry, I tend to be more 'bitey' when sleepy / just waking up. I 
know you weren't intentionally spreading misinformation... it just 
happens when you haven't used something in a number of years. It appears 
there's a fair amount of 'voodoo' surrounding Trapeze and external 
RADIUS server configuration; I'm just trying to keep it to a minimum.

Arran
> Guy
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
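The two points argued over in this thread, which password forms each inner EAP method can verify and how the VLAN is handed back to the controller, put together as a FreeRADIUS `users` file fragment. This is an added example, not code from either poster or from the FreeRADIUS project; it assumes FreeRADIUS 2.x users-file syntax and the standard dictionaries (Tunnel-* from the RFC 2868 dictionary, Trapeze-VLAN-Name from dictionary.trapeze). The usernames, passwords, VLAN IDs and the VLAN name are constructed for illustration.

```text
#
# /etc/raddb/users  (added example; FreeRADIUS 2.x users-file syntax assumed)
#
# Check items go on the first line of an entry, reply items on the
# indented lines that follow.  Which password attribute you can store
# depends on the inner EAP method, as discussed in the thread:
#
#   EAP-TTLS/PAP      the inner request carries the cleartext password, so
#                     the pap module can verify it against a stored hash
#                     (Crypt-Password, SSHA-Password, ...) as well as
#                     Cleartext-Password.
#   PEAP/MS-CHAPv2    the mschap module needs Cleartext-Password or
#                     NT-Password (LM-Password also works); a salted
#                     crypt/SHA hash cannot be used, because MS-CHAPv2
#                     proves knowledge of the NT hash, not the password.
#
# Usable with either method: cleartext password, VLAN 100 via the
# standard tunnel attributes.
alice   Cleartext-Password := "s3cret-example"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "100"

# PEAP/MS-CHAPv2 without storing the cleartext: the NT hash (MD4 of the
# UTF-16LE password).  The value below is the NT hash of the word
# "password", for illustration only; never deploy it.
bob     NT-Password := "0x8846f7eaee8fb117ad06bdd830b7586c"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "200"

# EAP-TTLS/PAP only: a crypt(3) hash.  The hash string here is a
# constructed placeholder that matches no password; generate a real one
# with e.g. "openssl passwd -1".
carol   Crypt-Password := "$1$constructed$placeholderhash"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "100"

# Trapeze's own VSA (dictionary.trapeze) names the VLAN instead of
# numbering it, so one name can map to different VIDs on different MXes.
# Whether the controller honours this, the tunnel attributes, or the
# service profile's default VLAN depends on the profile settings
# described above; test against your firmware before relying on it.
dave    Cleartext-Password := "another-example"
        Trapeze-VLAN-Name = "staff"
```

Two practical checks: run `radiusd -X` and confirm the reply you see in the debug output contains the Tunnel-* triple (or Trapeze-VLAN-Name) after the inner-tunnel Access-Accept is copied out; and if the controller ignores untagged tunnel attributes, add a tag with the `Tunnel-Type:1 = VLAN` syntax on all three. Since EAP-TTLS/PAP exposes the cleartext password to the RADIUS server inside the TLS tunnel, the hash-at-rest benefit only holds if the outer TLS is actually validated by the supplicant; a client that does not check the server certificate leaks that password to whoever answers first.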



