Using the outer envelope attributes in an EAP-TTLS request?
Marcus Packard
Marcus.Packard at flinders.edu.au
Tue Feb 12 02:41:35 CET 2008
Hi,

I am currently configuring a Cisco WiSM blade (software version
4.1.185.0) and a FreeRadius Server (Version 1.1.3, for host
i686-redhat-linux-gnu, built on Apr 25 2007) for EAP-TTLS.

I have gotten VLAN override to work on the WiSM (no problem there).
However, what I am trying to do now is let a user choose between two
SSIDs, where one SSID supports VLAN overriding and one does not.

The problem I am having is that the WiSM appears to send all the Radius
attributes like Tunnel-Private-Group-Id in the initial anonymous request
to the radius server. See below:

rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:32769, id=86, length=182
        User-Name = "anonymous"
        Calling-Station-Id = "00-13-CE-1A-9F-5D"
        Called-Station-Id = "00-1D-45-A6-02-10:ISD"
        NAS-Port = 29
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Identifier = "Cisco_d4:2c:6b"
        Airespace-Wlan-Id = 5
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "251"
        EAP-Message = 0x0211000e01616e6f6e796d6f7573
        Message-Authenticator = 0x7ad2cce223c93cf13030c0da463232e5

However, they are not included in the TTLS tunnel data; see below:

TTLS tunnel data in 0020: 6b 65 00 00
TTLS: Got tunneled request
        User-Name = "xxxxx"
        User-Password = "xxxxxxxx"
        FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
        User-Name = "xxxxx"
        User-Password = "xxxxxxxxx"
        FreeRADIUS-Proxied-To = 127.0.0.1

I don’t know how (or if it is possible) to combine the outer envelope
data with the tunnel data in a FreeRadius stanza. (At least it hasn’t
worked the various ways I have tried). FreeRadius appears (to me) to
just be using the tunnel data.
I would like to do something (in FreeRadius) like:

DEFAULT AUTH-TYPE := LDAP, Ldap-Group == isd, Airespace-Wlan-Id == 5
        Fall-Through = No

or

DEFAULT AUTH-TYPE := LDAP, Tunnel-Private-Group-ID:0 == "251", Ldap-Group == isd
        Fall-Through = No

The LDAP group attributes are being looked up properly in the previous
stanzas but the outer envelope data appears not to be used.
Any suggestions on how I can incorporate both? (Note: I've tried both
Tunnel-Private-Group-ID:0 and Tunnel-Private-Group-ID.)
Thanks,