Using the outer envelope attributes in an EAP-TTLS request?

Marcus Packard Marcus.Packard at
Tue Feb 12 02:41:35 CET 2008


I am currently configuring a Cisco WiSM blade (software version and a FreeRadius Server (Version 1.1.3, for host 
i686-redhat-linux-gnu, built on Apr 25 2007) for EAP-TTLS

I’ve have gotten VLAN override to work on the WiSM (no problem there). 
However, what I am trying to do now is let a user choose between two 
SSIDs, where one SSID supports VLAN overriding and one does not.

The problem I am having is that the WISM appears to sends all the Radius 
attributes like Tunnel-Private-Group-Id in the initial anonymous request 
to the radius server. See below:

rad_recv: Access-Request packet from host, id=86, 
User-Name = "anonymous"
Calling-Station-Id = "00-13-CE-1A-9F-5D"
Called-Station-Id = "00-1D-45-A6-02-10:ISD"
NAS-Port = 29
NAS-IP-Address =
NAS-Identifier = "Cisco_d4:2c:6b"
Airespace-Wlan-Id = 5
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "251"
EAP-Message = 0x0211000e01616e6f6e796d6f7573
Message-Authenticator = 0x7ad2cce223c93cf13030c0da463232e5

However they are not included in the TTLS tunnel data see below:

TTLS tunnel data in 0020: 6b 65 00 00
TTLS: Got tunneled request
User-Name = "xxxxx"
User-Password = "xxxxxxxx"
FreeRADIUS-Proxied-To =
TTLS: Sending tunneled request
User-Name = "xxxxx"
User-Password = "xxxxxxxxx"
FreeRADIUS-Proxied-To =

I don’t know how (or if it is possible) to combine the outer envelope 
data with the tunnel data in a FreeRadius stanza. (At least it hasn’t 
worked the various ways I have tried). FreeRadius appears (to me) to 
just be using the tunnel data.

I would like to do something (in FreeRadius) like:

DEFAULT AUTH-TYPE := LDAP, Ldap-Group == isd, Airespace-Wlan-Id == 5
Fall-Through = No


DEFAULT AUTH-TYPE := LDAP, Tunnel-Private-Group-ID:0 == "251", 
Ldap-Group == isd
Fall-Through = No

The LDAP group attributes are being looked up properly in the previous 
stanzas but the outer envelope data appears not to be used.
Any suggestions on how I can incorporate both? (Note i've tried both 
Tunnel-Private-Group-ID:0 and Tunnel-Private-Group-ID)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Marcus.Packard.vcf
Type: text/x-vcard
Size: 271 bytes
Desc: not available
URL: <>

More information about the Freeradius-Users mailing list