MAC based authentication
Chun (Andrew) Xu
cxu at unbsj.ca
Tue Aug 10 19:07:13 CEST 2010
I forgot to mention one thing. I am using VLAN name instead of VLAN ID to do dynamic VLAN assignment. It works for me. You could try the following.
aa00007f9c90 Auth-Type := "EAP", Cleartext-Password == aa00007f9c90
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "PRIV0"
-----Original Message-----
From: freeradius-users-bounces+cxu=unbsj.ca at lists.freeradius.org [mailto:freeradius-users-bounces+cxu=unbsj.ca at lists.freeradius.org] On Behalf Of ralfheise at freenet.de
Sent: August 10, 2010 1:11 PM
To: freeradius-users at lists.freeradius.org
Subject: RE: RE: MAC based authentication
Phil Mayers wrote:
> You've enabled 802.1x, not MAC-based VLANs. You'll need to configure 802.1x at the servers or configure MAC-based auth at the switch.
I thought I had. Indeed authentication is working now, however the switch doesn't assign clients to the VLAN the RADIUS server instructs it to. Maybe off-topic, but would you mind giving me a hint?
The EX monitor output gives me:
Aug 10 17:57:42.740610 Processing authentication response complete
Aug 10 17:57:42.740657 authentication client
Aug 10 17:57:42.740723 Sending message to authentication client
Aug 10 17:57:42.742750 Received message from authentication client
Aug 10 17:57:42.742815 reply: 1aba028 rply_hdr: 1abc000 bytes_remnant :0 len:2757 reply_len:2757
Aug 10 17:57:42.742845 hdr_bytes_read 0
Aug 10 17:57:42.742865 len read : 28 reply_len: 2735
Aug 10 17:57:42.742917 bytes_remnant 2707 tot_bytes_read 28
Aug 10 17:57:42.742954 bytes_read 2707
Aug 10 17:57:42.742974 Creating background job to process reply from authentication client
Aug 10 17:57:42.743103 Entering background job to process message from authentication client
Aug 10 17:57:42.743132 process_auth_reply len:2735
Aug 10 17:57:42.743157 Received VLAN ID/name 110 from authentication server
Aug 10 17:57:42.743199 Invoking state machine for authentication response for mac address AA:00:00:7F:9C:90
Aug 10 17:57:42.743223 on intf ge-1/0/4.0
. ...
and
root@EX4200-VC> show dot1x interface
802.1X Information:
Interface     Role           State           MAC address          User
ge-1/0/4.0    Authenticator  Authenticated   AA:00:00:7F:9C:90    aa00007f9c90
However:
root@EX4200-VC> show vlans PRIV0
Name           Tag     Interfaces
PRIV0          110
                       None
root@EX4200-VC> show vlans default
Name           Tag     Interfaces
default
                       ge-1/0/4.0*, ge-1/0/5.0*
That's odd, since I think I did everything appropriate. A snippet from the configuration:
interfaces {
    . ..
    ge-1/0/4 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-1/0/5 {
        unit 0 {
            family ethernet-switching;
        }
    }
    . ..
protocols {
    . ..
    dot1x {
        traceoptions {
            file dot1x;
            flag state;
            flag dot1x-debug;
        }
        authenticator {
            authentication-profile-name auth;
            interface {
                ge-1/0/4.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                }
                ge-1/0/5.0 {
                    supplicant multiple;
                    mac-radius {
                        restrict;
                    }
                }
            }
        }
    . ..
access {
    radius-server {
        10.10.10.10 {
            . ..
        }
    }
    profile auth {
        authentication-order radius;
        radius {
            authentication-server 10.10.10.10;
        }
    }
}
vlans {
    . ..
    PRIV0 {
        vlan-id 110;
    }
}
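Added example, not part of the thread or of FreeRADIUS: a small offline check that each users-file entry carries the three tunnel reply attributes used for dynamic VLAN assignment and that Tunnel-Private-Group-Id names a VLAN (by name or tag) the switch actually defines. The first entry and the VLAN table come from the messages above; the second entry, the name GUEST, and the helper names parse_users and audit are constructed for illustration.

```python
import re

# Sample users-file text: first entry is from the thread, second is constructed.
USERS = '''\
aa00007f9c90 Auth-Type := "EAP", Cleartext-Password == aa00007f9c90
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "PRIV0"

aa00007f9c91 Cleartext-Password := "aa00007f9c91"
    Tunnel-Type = VLAN,
    Tunnel-Private-Group-Id = "GUEST"
'''
# VLAN name -> tag, as shown by "show vlans" in the thread (default has no tag).
SWITCH_VLANS = {"PRIV0": 110, "default": None}
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}
ITEM = re.compile(r'([\w-]+)\s*(?::=|==|\+=|=)\s*"?([^",\s]+)"?')

def parse_users(text):
    """Return {username: {reply attribute: value}} from users-file text."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":        # unindented line starts a new entry
            current = entries.setdefault(line.split()[0], {})
        elif current is not None:       # indented lines are reply items
            current.update(ITEM.findall(line))
    return entries

def audit(entries, vlans):
    """Return {username: [problems]} for entries that cannot map to a VLAN."""
    tags = {str(t) for t in vlans.values() if t is not None}
    report = {}
    for user, reply in entries.items():
        problems = [f"{k} must be {v}" for k, v in REQUIRED.items()
                    if reply.get(k) != v]
        group = reply.get("Tunnel-Private-Group-Id")
        if group is None:
            problems.append("Tunnel-Private-Group-Id missing")
        elif group not in vlans and group not in tags:
            problems.append(f"VLAN {group!r} not defined on switch")
        if problems:
            report[user] = problems
    return report

if __name__ == "__main__":
    print(audit(parse_users(USERS), SWITCH_VLANS))
```

The entry from the thread passes this check, so it only rules out a malformed or mismatched RADIUS reply; it says nothing about how the switch port itself handles the assignment.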