Cisco Aironet 1130ag dynamic VLAN assignment
William Graeber
swilly at swilly.tk
Sat Jan 24 23:45:58 CET 2009
Tom was correct, and I have changed the Tunnel-Medium-Type to "6". The
corresponding radtest output shows it is correctly translated to
"IEEE-802". However, I am still not bumped into the correct VLAN. In
the Cisco debug logs, I see these lines:
*Mar 1 00:09:30.630: AAA/ATTR(00000000): add attr: 0125E6C0 0
00000001 tunnel-medium-type(336) 4 ALL_802
*Mar 1 00:09:30.630: AAA/ATTR(00000000): add attr: 0125E6D4 0
00000001 tunnel-type(344) 4 VLAN
*Mar 1 00:09:30.630: AAA/ATTR(00000000): add attr: 0125E6E8 0
00000009 tunnel-private-group-id(297) 3 100
*Mar 1 00:09:30.634: AAA/ATTR(0000000B): del attr: 0125E6C0 0
00000001 tunnel-medium-type(336) 4 ALL_802
*Mar 1 00:09:30.634: AAA/ATTR(0000000B): del attr: 0125E6D4 0
00000001 tunnel-type(344) 4 VLAN
*Mar 1 00:09:30.634: AAA/ATTR(0000000B): del attr: 0125E6E8 0
00000009 tunnel-private-group-id(297) 3 100
The full log may be viewed at: http://dpaste.com/112610/
Also, I have posted my eap.conf here: http://dpaste.com/112615/
and radius.conf here: http://dpaste.com/112616/
and I don't think anyone would need it, but here is clients.conf as
well: http://dpaste.com/112618/
I am using FreeRADIUS version 2.0.5 on OpenBSD 4.4. I'm sure that
there is something simple that I am missing, but I'm new to both the
RADIUS protocol and Cisco access points. I luckily was able to score
several 1130ag's cheap for personal use during an auction from the
presidential campaign.
Thanks again,
William
On Fri, Jan 23, 2009 at 11:30, <tnt at kalik.net> wrote:
>>I have been having trouble recently with getting dynamic VLAN
>>assignment working on my Cisco AP. Clients are successfully
>>authenticating with FreeRADIUS. However, they do not seem to be
>>picking up extra attributes from the "users" file (below is the
>>relevant portion of it).
>>
>>wgraeber NT-Password := "XXX"
>> Tunnel-Type = VLAN,
>> Tunnel-Medium-Type = 802,
>> Tunnel-Private-Group-ID = 100
>>
>>The users are just directed to their original VLAN instead of this
>>portion overriding it. When I try to authenticate to the access point
>>with "radtest," I get the following output:
>>
>># radtest wgraeber XXX 127.0.0.1 10 XXX
>>Sending Access-Request of id 42 to 127.0.0.1 port 1812
>> User-Name = "wgraeber"
>> User-Password = "XXX"
>> NAS-IP-Address = 127.0.0.1
>> NAS-Port = 10
>>rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=42, length=37
>> Tunnel-Type:0 = VLAN
>> Tunnel-Medium-Type:0 = 802
>> Tunnel-Private-Group-Id:0 = "100"
>>
>>Furthermore, the Tunnel-Type, Tunnel-Medium-Type, and
>>Tunnel-Private-Group-Id attributes in the console when actually
>>authenticating and watching the output of "radiusd -X" on another
>>machine. The access point *should* support this out of the box
>>according to the Cisco specs. This is my first FreeRADIUS
>>implementation, so I don't know if I'm missing any magic options.
>>
>
> You have done what you were suposed to on freeradius. Do debug aaa on
> Cisco and see what has happened to the attributes.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list