Dynamic VLAN and FreeRadius

Joel MBA OYONE mba_oyone at yahoo.fr
Thu May 22 19:26:23 CEST 2008


Thank you Joe for your answer!

We all agree that association is made before the authentication process, in order for RADIUS to be able to do its stuff. But the fact is that it doesn't work, and I was wondering what the result would be if I set:
"Tunnel-Private-Group-ID = 100" (when the SSID I am connected to is assigned to VLAN 200, according to how my device works).


I started to ask silly questions because it's true that I don't understand anything anymore with my config!
Basically, I have to use freeradius to authenticate wireless users, all connected to access points managed by that switch!
I learnt the freeradius stuff and, with the help of the guys here, I am now
able to set it up correctly!!!  Access point authentication works well,
but end-user authentication doing some EAP fails, but stays without any
response after the Access-Challenge!! (saying no correct login/password
found, or requiring a client certificate, depending on whether I am doing TLS or
PEAP).
Please note that it doesn't tell me that my certificates are
incorrect; that is the reason why I started to think that the APs don't
relay the EAP negotiation correctly! (On XP clients, the client is blocked
on "identity validation" and then gives up the authentication). As I am a
newbie with 802.1X stuff, I asked "silly" questions to clear up my
doubts. It is not easy for me to do it in English!



- About the limitations of the device, I posted on D-Link support a week ago and I am still waiting for the answer.

- About RADIUS assigning the SSID... it was a silly question of mine, and the goal was just to be sure that RADIUS authentication events stay on the same SSID. Just for confirmation, and now I KNOW.

- The reason for my confusion is what the documentation of the DWS-3024 says on pages 205 and 206, as follows (some parts):

##############################################################
##############################################################
NOTE:
You can configure D-Link Access Points to use 802.1X authentication on the RADIUS server
to allow or deny specific users on client stations access to the wireless network. If you enable
802.1X authentication, the client entry on a RADIUS server can support user-based VLANs
and subnet assignments for IP tunneling. Table 80 shows the attributes to set for wireless
clients within the RADIUS server.

Table 80. RADIUS Attributes for Wireless Clients
  RADIUS Server Attribute    Description    Range               Usage
  User-Name (1)                             1-32 characters     Required
  User-Password (2)                         1-128 characters    Required
  Tunnel-Medium-Type (65)                   802                 Optional
##############################################################

The following example shows the entry for a user in the users file. The username is
“johndoe,” the password is “test1234.” The user is assigned to VLAN 77.

johndoe Auth-Type := EAP, User-Password == "test1234"
         Tunnel-Type = 13,
         Tunnel-Medium-Type = 6,
         Tunnel-Private-Group-ID = 77

Tunnel-Type and Tunnel-Medium-Type use the same values for all stations. Tunnel-Private-
Group-ID is the selected VLAN ID and can be different for each user.
NOTE: Do not use the management VLAN ID of the AP for the value of the Tunnel-
        Private-Group-ID.
##############################################################
##############################################################


The documentation also says on page 201 (and I don't understand this step, even using a translator; an explanation would be appreciated):
##############################################################
NOTE: 
This appendix does not describe RADIUS configuration for AP network
authentication using 802.1X. This feature is separate from a valid AP
configuration entry. The edge device that connects to the AP performs the
network authentication. The edge device might not be the D-Link Unified
Switch.
##############################################################


Anyone interested in helping could just read pages 200-209 of this document and give advice.
Here is the link: ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf


thanks a lot!
Joel

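As an added, constructed example (not code from this thread, from the D-Link manual or from FreeRADIUS), the block below encodes the three reply items of the users-file entry quoted above the way they go on the wire per RFC 2868, and decodes them the way a NAS has to before it can apply a VLAN. The attribute numbers (64, 65, 81) and the values 13 (VLAN) and 6 (IEEE 802) come from RFC 2868 and the manual excerpt; the function names and the sample byte strings are my own. The detail practitioners most often get wrong is that Tunnel-Private-Group-ID carries the VLAN number as a decimal string ("77"), not as an integer, and that each attribute starts with a tag octet whose rules differ for string and integer attributes.

```python
"""RFC 2868 tunnel attributes for RADIUS-driven VLAN assignment (constructed example)."""

# Attribute numbers from RFC 2868 and the values used for 802.1Q VLANs
TUNNEL_TYPE = 64              # tag octet + 3-octet integer
TUNNEL_MEDIUM_TYPE = 65       # tag octet + 3-octet integer
TUNNEL_PRIVATE_GROUP_ID = 81  # optional tag octet + string
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def avp(code, payload):
    """Wrap a payload in a RADIUS attribute header (type, length)."""
    if not 0 < len(payload) <= 253:
        raise ValueError("attribute payload must be 1..253 octets")
    return bytes([code, len(payload) + 2]) + payload


def vlan_reply_avps(vlan_id, tag=0):
    """Encode the three Access-Accept reply items for VLAN `vlan_id`.

    The VLAN number is sent as a decimal *string* ("77"), not as a
    32-bit integer; sending an integer is the usual users-file mistake.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1Q VLAN IDs are 1..4094")
    if not 0 <= tag <= 0x1F:
        raise ValueError("RFC 2868 tags are 0x00..0x1F (0 = untagged)")
    t = bytes([tag])
    return (
        avp(TUNNEL_TYPE, t + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + avp(TUNNEL_MEDIUM_TYPE, t + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + avp(TUNNEL_PRIVATE_GROUP_ID, t + str(vlan_id).encode("ascii"))
    )


def parse_avps(data):
    """Split a run of RADIUS AVPs into (type, payload) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        code, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((code, data[i + 2:i + length]))
        i += length
    return out


def _tagged_int(payload):
    """Tag + 3-octet integer (Tunnel-Type, Tunnel-Medium-Type)."""
    if len(payload) != 4:
        return None
    return payload[0], int.from_bytes(payload[1:], "big")


def _tagged_str(payload):
    """Tag + string; a first octet above 0x1F belongs to the string (RFC 2868 3.6)."""
    if payload and payload[0] <= 0x1F:
        return payload[0], payload[1:]
    return 0, payload


def assigned_vlan(data):
    """Return the VLAN a NAS should apply, or None when the reply is not a
    valid VLAN assignment (attribute missing, wrong type/medium, non-numeric
    group id, out-of-range VLAN). Tags must match across the three attributes."""
    tunnel_type, medium, group = {}, {}, {}
    for code, payload in parse_avps(data):
        if code == TUNNEL_TYPE:
            v = _tagged_int(payload)
            if v:
                tunnel_type[v[0]] = v[1]
        elif code == TUNNEL_MEDIUM_TYPE:
            v = _tagged_int(payload)
            if v:
                medium[v[0]] = v[1]
        elif code == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = _tagged_str(payload)
            group[tag] = s
    for tag, s in group.items():
        if tunnel_type.get(tag) != TUNNEL_TYPE_VLAN:
            continue
        if medium.get(tag) != TUNNEL_MEDIUM_IEEE_802:
            continue
        if not s.isdigit():  # e.g. VLAN sent as a binary integer instead of "77"
            continue
        vlan = int(s)
        if 1 <= vlan <= 4094:
            return vlan
    return None


if __name__ == "__main__":
    reply = vlan_reply_avps(77)
    print(reply.hex(), "->", assigned_vlan(reply))
```

A useful sanity check when a NAS ignores the VLAN you send is to dump the Access-Accept and run it through a decoder like `assigned_vlan`: if the group id arrives as four binary octets instead of ASCII digits, or the three attributes carry different tags, the switch is right to discard it.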
--------------------------------------------------------------------------------------------------------------------
HI Joel,

    I think the issue here is that the D-Link APs you have are rather 
limited.

RADIUS can not ever assign an SSID because that step occurs before the 
user authenticated.  Wireless starts with an association from the user 
to the AP's SSID; from there the AP decides what needs to happen. 

RADIUS can affect VLANs (generally at least in the Cisco world with 
'Tunnel-Private-Group-ID', like you mentioned) but you'll never be able 
to force a user to switch SSIDs because that is client controlled.

APs map VLANs to SSIDs internally; some allow n to 1 and 1 to n 
relationships, others like your D-Links only allow a direct mapping. 

Basically it sounds like you are limited by the constraints of your NAS.

Joe Vieira
UNIX Systems Administrator
Clark University

Joel MBA OYONE wrote:
> Alan,
>
> I possess a device from D-Link (DWS-3024). It is a wireless switch 
> controller, and the documentation says that:
>  - One SSID has to be assigned to one VLAN in the profile.
>  - An access point can be configured with up to 8 different SSIDs and 
> it is possible to assign each SSID to its own network (below is a link 
> which shows you the config page) or all SSIDs to the same network.  
> Maybe I didn't read it correctly, so here is the link (see pages 89-90 
> and maybe 91 too): 
> ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf
>
> I asked you about SSIDs/VLANs because all my APs (about 30) will 
> receive the same profile, and the profile will have 3 different SSIDs 
> with different security access levels and networks from the wireless 
> switch.
>
> For example, in the same room, associated to the same AP, students and 
> teachers will connect to different SSIDs coming from that same AP, and 
> some will have to authenticate via EAP-PEAP, others will require EAP-TLS.
>
> This other short file explains point by point what my config is and 
> what I am trying to do:
> ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf
> Read it and maybe you could understand me.
>
>
> regards
>
> Joel MBA OYONE wrote:
> >>  No.  VLAN assignment is after SSID association, and after 802.1x
> >> authentication.
> >
> > OK, is it possible to associate to SSID_1 and be assigned to a different
> > VLAN than the one we are associated to?
>
>   That doesn't make sense.  SSID's aren't tied to VLANs, unless you
> configure them that way.
>
> > (example: when I am associated to
> > SSID_1, which belongs to VLAN 100,
>
>   No... SSID's have nothing to do with VLAN's.
>
> > RADIUS sends me
> > "Tunnel-Private-Group-ID = 200", which belongs to another SSID, what
> > would happen and would authentication process success?)
>
>   Read your NAS documentation to see how to do VLAN assignment, and how
> it interacts with SSID's.
>
> > - If I am assigned by RADIUS to another SSID/VLAN pair than the one I am
> > connected to now, would the authentication process restart from the
> > beginning?
>
>   Stop talking about "SSID/VLAN".  They are separate things.
>
>   When you do VLAN assignment with RADIUS, you do NOT need to
> re-authenticate.
>
> > - Is it possible to do EAP-TLS, EAP-PEAP and EAP-MD5 without the use of
> > 802.1X when RADIUS is the authentication server for a supplicant?
>
>   What does that mean?
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>

