Cisco WLC4402 - 802.1X - Android - Tunnel-Priv-Group-ID Failure

Thomas Donnelly tad1214 at gmail.com
Wed Aug 11 19:56:32 CEST 2010


On Wed, 11 Aug 2010 00:46:56 -0500, James J J Hooper  
<jjj.hooper at bristol.ac.uk> wrote:

>
>
> --On 10 August 2010 17:24 -0500 Thomas Donnelly <tad1214 at gmail.com>  
> wrote:
>
>> Hello All,
>>
>> There are quite a few components coming into play here so I'm not  
>> exactly
>> sure whats breaking where.
>>
>> Let me start with explaining our setup:
>>
>> We use cisco 1142 agn lightweight access points connected to a 4402
>> Wireless Lan Controller
>>
>> This controller is doing radius authentication off of Freeradius 1.1.8
>> (with FreeBSD as the Host OS) on our primary ssid.
>> When people authenticate it replies with Tunnel-Private-Group-ID based  
>> on
>> their username/group.
>> This puts them in the correct vlan for their department.
>>
>> This works perfectly fine with our Apple Laptops, iPhones, and iPads.
>>
>> However when I join with my Android phone or my n900 (maemo), I get put
>> in the default vlan for the SSID. After some digging I found the
>> following:
>>
>> When joining from the Apple devices, the User-Name comes accross as
>>
>> Tue Aug 10 17:13:03 2010
>>         User-Name = "someone at somehwere.net"
>>
>> When Joining from my Android, it comes accross as:
>>
>> Tue Aug 10 11:26:53 2010
>>          User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
>>
>> (A few chars changed to prevent the username from being figured out)
>>
>> This somehow is authenticating correctly because I get an IP address (in
>> the incorrect vlan) and can surf the net, and if I mistype the password  
>> I
>> get an authentication failure.
>> However when it tries to do a match for the username to determine their
>> group/vlan it fails because we don't have any users with that user name.
>>
>> Has anyone seen this before or have any leads I should follow?
>
> Hi Tom,
>
> Several small devices (phones etc) send a string such as above as the  
> *outer* user-name - if you don't like this you need to re-config the  
> device where possible [1].
>
> More importantly, it seems you might be deciding VLAN based on the outer  
> user-name in the request - this is bad (arbitrarily spoofable). You  
> should use the EAP inner user-name.
>
> * Upgrading to 2.1.x will make the inner/outer sessions much easier to  
> configure and verify.
>
> * Running radiusd -X [& post here] will confirm if this is the problem.
>
> [1] Maemo: After configuring, you need to click the Advanced-settings  
> button, change to the EAP page, select 'Use manual user name' and enter  
> whatever you want in the box.
> (  
> <http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies>  
> )
>
> Regards,
>   James
>
> --
> James J J Hooper
> Network Specialist
> Information Services
> University of Bristol
> http://www.wireless.bristol.ac.uk 	 	http://www.jamesjj.net
> --
>
>
> -
> List info/subscribe/unsubscribe? See  
> http://www.freeradius.org/list/users.html

Just to finish my follow up.

Using the link provided by James my n900 now works perfectly.

Using Android 2.2 I had to put the username in both the identity and the  
anonymous identity and it worked correctly.

I am still figuring out how to make it auth based on the internal username  
rather than the external.

Thanks again for everyone who replied it was very helpful.

-=tom



-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/



More information about the Freeradius-Users mailing list