MAC based authentication
Chun (Andrew) Xu
cxu at unbsj.ca
Tue Aug 10 18:59:06 CEST 2010
I really think the VLAN assignment problem is related to your EX4200 VC. FreeRadius had done its job. You probably have to contact JTAC. BTW, which version of JUNOS are you running on the EX4200 VC? The latest version JTAC recommended is 10.0S6.1. Hope this will help.
-----Original Message-----
From: freeradius-users-bounces+cxu=unbsj.ca at lists.freeradius.org [mailto:freeradius-users-bounces+cxu=unbsj.ca at lists.freeradius.org] On Behalf Of ralfheise at freenet.de
Sent: August 10, 2010 1:11 PM
To: freeradius-users at lists.freeradius.org
Subject: RE: RE: MAC based authentication
Phil Mayers wrote:
> You've enabled 802.1x, not MAC-based VLANs. You'll need to configure 802.1x at the servers or configure MAC-based auth at the switch.
I thought I had. Indeed, authentication is working now; however, the switch doesn't assign clients to the VLAN the RADIUS server instructs it to. This may be off-topic, but would you mind giving me a hint?
The EX monitor output gives me:
Aug 10 17:57:42.740610 Processing authentication response complete
Aug 10 17:57:42.740657 authentication client
Aug 10 17:57:42.740723 Sending message to authentication client
Aug 10 17:57:42.742750 Received message from authentication client
Aug 10 17:57:42.742815 reply: 1aba028 rply_hdr: 1abc000 bytes_remnant :0 len:2757 reply_len:2757
Aug 10 17:57:42.742845 hdr_bytes_read 0
Aug 10 17:57:42.742865 len read : 28 reply_len: 2735
Aug 10 17:57:42.742917 bytes_remnant 2707 tot_bytes_read 28
Aug 10 17:57:42.742954 bytes_read 2707
Aug 10 17:57:42.742974 Creating background job to process reply from authentication client
Aug 10 17:57:42.743103 Entering background job to process message from authentication client
Aug 10 17:57:42.743132 process_auth_reply len:2735
Aug 10 17:57:42.743157 Received VLAN ID/name 110 from authentication server
Aug 10 17:57:42.743199 Invoking state machine for authentication response for mac address AA:00:00:7F:9C:90
Aug 10 17:57:42.743223 on intf ge-1/0/4.0
. ...
and
root@EX4200-VC> show dot1x interface
802.1X Information:
Interface     Role           State           MAC address          User
ge-1/0/4.0    Authenticator  Authenticated   AA:00:00:7F:9C:90    aa00007f9c90
However:
root@EX4200-VC> show vlans PRIV0
Name           Tag     Interfaces
PRIV0          110
                       None
root@EX4200-VC> show vlans default
Name           Tag     Interfaces
default
                       ge-1/0/4.0*, ge-1/0/5.0*
That's odd, since I think I did everything appropriate. A snippet from the configuration:
interfaces {
    . ..
    ge-1/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    . ..
protocols {
    . ..
    dot1x {
        traceoptions {
            file dot1x;
            flag state;
            flag dot1x-debug;
        }
        authenticator {
            authentication-profile-name auth;
            interface {
                ge-1/0/4.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                }
                ge-1/0/5.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    . ..
access {
    radius-server {
        10.10.10.10 {
            . ..
        }
    }
    profile auth {
        authentication-order radius;
        radius {
            authentication-server 10.10.10.10;
        }
    }
}
vlans {
    . ..
    PRIV0 {
        vlan-id 110;
    }
}
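Added example, not part of the original messages: a cross-check of the dot1x trace against "show vlans" output that flags authenticated sessions whose RADIUS-assigned VLAN was never applied to the port, which is the symptom described in the thread. The function names and the sample strings are constructed for illustration, and the parser assumes the trace and CLI output look like the excerpts quoted above.

```python
import re

# Constructed sample input, modelled on the trace and CLI output quoted above.
TRACE = """\
Aug 10 17:57:42.743157 Received VLAN ID/name 110 from authentication server
Aug 10 17:57:42.743199 Invoking state machine for authentication response for mac address AA:00:00:7F:9C:90
Aug 10 17:57:42.743223 on intf ge-1/0/4.0
"""
SHOW_VLANS = "Name Tag Interfaces\nPRIV0 110\nNone\ndefault\nge-1/0/4.0*, ge-1/0/5.0*\n"
IFACE = re.compile(r"[a-z]{2}-\d+/\d+/\d+\.\d+")  # e.g. ge-1/0/4.0

def radius_assignments(trace):
    """Return [(mac, interface, vlan)] parsed from dot1x trace lines."""
    out, vlan, mac = [], None, None
    for line in trace.splitlines():
        if m := re.search(r"Received VLAN ID/name (\S+) from authentication server", line):
            vlan = m.group(1)
        elif m := re.search(r"for mac address ([0-9A-Fa-f:]{17})", line):
            mac = m.group(1).upper()
        elif (m := re.search(r"on intf (\S+)", line)) and vlan and mac:
            out.append((mac, m.group(1), vlan))
            vlan = mac = None
    return out

def vlan_members(show_vlans):
    """Map each interface to the VLAN names/tags it is listed under."""
    members, current = {}, ()
    for line in show_vlans.splitlines():
        fields = line.split()
        if not fields or fields[:2] == ["Name", "Tag"]:
            continue  # blank line or column header
        ifaces = IFACE.findall(line)
        if ifaces:
            for name in ifaces:
                members.setdefault(name, set()).update(current)
        elif fields != ["None"]:
            current = tuple(fields[:2])  # VLAN name and, if present, its tag
    return members

def misplaced(trace, show_vlans):
    """Sessions whose RADIUS-assigned VLAN is not among the port's VLANs."""
    members = vlan_members(show_vlans)
    return [(mac, intf, vlan, sorted(members.get(intf, ())))
            for mac, intf, vlan in radius_assignments(trace)
            if vlan not in members.get(intf, ())]

if __name__ == "__main__":
    for row in misplaced(TRACE, SHOW_VLANS):
        print("VLAN not applied:", row)
```

A non-empty result means the port is still in a VLAN other than the one the RADIUS server returned, so the client is not segmented as the policy intends.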