howto EAP-TLS on freeradius 2.0.2-3 ??
Alan DeKok
aland at deployingradius.com
Mon May 5 19:18:10 CEST 2008
Joel MBA OYONE wrote:
...
> The VLAN attributes defined in RFC3580 are as follows:
> • Tunnel-Type=VLAN (13)
> • Tunnel-Medium-Type=802
> • Tunnel-Private-Group-ID=VLANID
>
> NOTE: The FreeRADIUS dictionary maps the 802 string value to the integer 6, which
> is why client entries use 6 for the Tunnel-Medium-Type value.
No. For Tunnel-Medium-Type, "802" is a *name*, not a *number*. See
Section 3.2 of RFC 2868:
...
   Value
      The Value field is three octets and contains one of the values
      listed under "Address Family Numbers" in [14]. For the sake of
      convenience, a relevant excerpt of this list is reproduced below.

      1   IPv4 (IP version 4)
      2   IPv6 (IP version 6)
      3   NSAP
      4   HDLC (8-bit multidrop)
      5   BBN 1822
      6   802 (includes all 802 media plus Ethernet "canonical format")
...
FreeRADIUS gets it *right*. Many NAS vendors get it *wrong*.
> To create a user and assign the user to a particular VLAN by using FreeRADIUS, open the
> etc/raddb/users file, which contains the user account information, and add for the new user.
> The following example shows the entry for a user in the users file. The username is
> “johndoe,” the password is “test1234.” The user is assigned to VLAN 77.
>
> johndoe Auth-Type := EAP, User-Password == "test1234"
> Tunnel-Type = 13,
> Tunnel-Medium-Type = 6,
Or: Tunnel-Medium-Type = IEEE-802
....
>
> In both cases, it stays on "IDENTITY VALIDATION" in XP wireless management, and sometimes I receive the right IP address in the right IP pool, but lose it immediately, maybe because of the repeating cycle of the authentication sequence.
> And the client certificate, signed by the Server (not the CA root), is still with the same message.
>
>
> Hope it would be helpful!!
Arg. Microsoft keeps putting magic nonsense into their OS's to make
it difficult to use non-Microsoft RADIUS servers.
And yes, this *is* a problem even inside of Microsoft! So if you're
finding it a PITA to get it working, rest assured that Microsoft does, too.
Alan DeKok.
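
The wire encoding behind the exchange above, as an added example that is not part of the original message or of FreeRADIUS: it builds and decodes the three RFC 3580 VLAN attributes using the RFC 2868 layout (attribute numbers 64, 65, 81; one tag octet plus a three-octet value). The function names are hypothetical, and sending the Tunnel-Private-Group-ID tag octet only when the tag is non-zero is an assumption of this sketch.

```python
# Attribute numbers are from RFC 2868; Tunnel-Type VLAN (13) is from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13
# Address-family excerpt quoted above from RFC 2868 section 3.2.
ADDRESS_FAMILIES = {1: "IPv4", 2: "IPv6", 3: "NSAP", 4: "HDLC", 5: "BBN 1822", 6: "802"}
# Names accepted for the medium; IEEE-802 is the spelling used in the reply above.
MEDIUM_BY_NAME = {"802": 6, "IEEE-802": 6}


def encode_tagged_int(attr_type, value, tag=0):
    """Type, Length=6, Tag octet, then a three-octet big-endian Value."""
    if not 0 <= value < 1 << 24 or not 0 <= tag <= 0x1F:
        raise ValueError("value must fit in 3 octets and tag in 0..0x1F")
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def encode_vlan_reply(vlan_id, medium="802", tag=0):
    """Build the three VLAN attributes as they appear in an Access-Accept."""
    # Assumption: the optional tag octet is sent only when the tag is non-zero.
    body = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_BY_NAME[medium], tag)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(body)]) + body)


def decode_vlan_reply(data):
    """Walk the attribute TLVs and return the tunnel attributes by name."""
    out, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 3 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attr_type, body = data[i], data[i + 2:i + data[i + 1]]
        i += data[i + 1]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer attributes are 6 octets long")
            number = int.from_bytes(body[1:], "big")
            if attr_type == TUNNEL_TYPE:
                out["Tunnel-Type"] = number
            else:  # show the family name when the number is a known one
                out["Tunnel-Medium-Type"] = ADDRESS_FAMILIES.get(number, number)
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            text = body[1:] if body[0] <= 0x1F else body  # leading octet <= 0x1F is a tag
            out["Tunnel-Private-Group-ID"] = text.decode("ascii")
    return out


if __name__ == "__main__":
    wire = encode_vlan_reply(77)  # constructed sample: VLAN 77 from the quoted users entry
    print(wire.hex(), decode_vlan_reply(wire))
```

A device that put the literal number 802 into the value field would send 0x000322, which the decoder reports as an unknown address family rather than as "802".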