Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure
Thomas Donnelly
tad1214 at gmail.com
Wed Aug 11 17:27:04 CEST 2010
On Wed, 11 Aug 2010 00:46:56 -0500, James J J Hooper
<jjj.hooper at bristol.ac.uk> wrote:
>
>
> --On 10 August 2010 17:24 -0500 Thomas Donnelly <tad1214 at gmail.com>
> wrote:
>
>> Hello All,
>>
>> There are quite a few components coming into play here so I'm not
>> exactly
>> sure whats breaking where.
>>
>> Let me start with explaining our setup:
>>
>> We use cisco 1142 agn lightweight access points connected to a 4402
>> Wireless Lan Controller
>>
>> This controller is doing radius authentication off of Freeradius 1.1.8
>> (with FreeBSD as the Host OS) on our primary ssid.
>> When people authenticate it replies with Tunnel-Private-Group-ID based
>> on
>> their username/group.
>> This puts them in the correct vlan for their department.
>>
>> This works perfectly fine with our Apple Laptops, iPhones, and iPads.
>>
>> However when I join with my Android phone or my n900 (maemo), I get put
>> in the default vlan for the SSID. After some digging I found the
>> following:
>>
>> When joining from the Apple devices, the User-Name comes accross as
>>
>> Tue Aug 10 17:13:03 2010
>> User-Name = "someone at somehwere.net"
>>
>> When Joining from my Android, it comes accross as:
>>
>> Tue Aug 10 11:26:53 2010
>> User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
>>
>> (A few chars changed to prevent the username from being figured out)
>>
>> This somehow is authenticating correctly because I get an IP address (in
>> the incorrect vlan) and can surf the net, and if I mistype the password
>> I
>> get an authentication failure.
>> However when it tries to do a match for the username to determine their
>> group/vlan it fails because we don't have any users with that user name.
>>
>> Has anyone seen this before or have any leads I should follow?
>
> Hi Tom,
>
> Several small devices (phones etc) send a string such as above as the
> *outer* user-name - if you don't like this you need to re-config the
> device where possible [1].
>
> More importantly, it seems you might be deciding VLAN based on the outer
> user-name in the request - this is bad (arbitrarily spoofable). You
> should use the EAP inner user-name.
>
> * Upgrading to 2.1.x will make the inner/outer sessions much easier to
> configure and verify.
>
> * Running radiusd -X [& post here] will confirm if this is the problem.
>
> [1] Maemo: After configuring, you need to click the Advanced-settings
> button, change to the EAP page, select 'Use manual user name' and enter
> whatever you want in the box.
> (
> <http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies>
> )
>
> Regards,
> James
>
> --
> James J J Hooper
> Network Specialist
> Information Services
> University of Bristol
> http://www.wireless.bristol.ac.uk http://www.jamesjj.net
> --
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
This totally worked on my n900. Thank you very much. I am going to track
down a user with a 2.1 phone and give it a run. I will report back with my
results
I will also track down what I need to do to get it to auth on the inner
username.
Thanks a ton!
-=Tom
--
Using Opera's revolutionary email client: http://www.opera.com/mail/
More information about the Freeradius-Users
mailing list