VLAN Assignment of Wifi-Clients
Marten Pape
Marten.Pape at pape-hn.de
Mon Aug 30 20:42:41 CEST 2010
Hello!
I got my freeradius configuration to work for the following environment:
* The freeradius client is a wifi access point; wifi clients connect via
WPA2-Enterprise / EAP-PEAP
* I'm still using test certificates
* The data backend is a MySQL storage with a different table structure
than the default. The queries that I've changed work correctly; this has
been tested.
* My tests are done with a Linux wifi client using wpa_supplicant and
KDE frontends.
Now my goal is to tell the NAS to assign every wifi packet to a certain
VLAN. I don't need dynamic assignment of VLANs based on usernames or
anything else. One VLAN would be sufficient.
The solution I found was to insert the following lines into the
radgroupreply table (split up into the correct columns...):
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-Id = 10
After I made this entry, I hoped that it would work, but it didn't.
There is no dialogue that contains such information. Below I pasted such
a dialogue. Can you please help me find the problem and a working
solution for it? I'm not sure if EAP/PEAP and tunnelling are working in
the correct way...
Thank you!
Marten
rad_recv: Access-Request packet from host 172.20.160.40 port 32768,
id=165, length=261
User-Name = "marpap"
NAS-IP-Address = 172.20.160.40
NAS-Port = 0
Called-Station-Id = "00-18-84-A2-7D-C5:ABH-Radiustest"
Calling-Station-Id = "00-60-B3-63-4E-03"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message =
0x02a100601900170301002008e9b2a352735ed2407406268dd56051d9adc7798d3cda8b660c740ba3871bd6170301003042f11b790723eaeeed249cadbf49997f453b7806afe61b6a40af64c3995ecc43952584e4d7e221c4596e9479d56be47a
State = 0x4135755949946c07b29c66b8d618b063
Message-Authenticator = 0x9ab8793841a539e9a2086d12d79b2b38
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 161 length 96
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[sql] expand: %{User-Name} -> marpap
[sql] sql_set_user escaped user --> 'marpap'
[sql] expand: %{User-Password} ->
[sql] ... expanding second conditional
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( '%{User-Name}',
'%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S') -> INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'marpap', '',
'Access-Accept', '2010-08-30 17:54:46')
[sql] expand: /var/log/freeradius/sqltrace.sql ->
/var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO
radpostauth (username, pass, reply,
authdate) VALUES (
'marpap', '',
'Access-Accept', '2010-08-30 17:54:46')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query: INSERT INTO radpostauth
(username, pass, reply, authdate) VALUES
( 'marpap',
'', 'Access-Accept', '2010-08-30 17:54:46')
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[exec] returns noop
Sending Access-Accept of id 165 to 172.20.160.40 port 32768
MS-MPPE-Recv-Key =
0x63de979ef48495f1fe3db129c78383084c9d5661e2e14b85c89a4596e96756eb
MS-MPPE-Send-Key =
0x010d4434923d42929b0d7d1b595e991391bf7c0ec6a70ee391591593fac04815
EAP-Message = 0x03a10004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "marpap"
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
gahn wrote:
> Thanks, Matteo:
>
> But I don't have this 192.168.1.29 in my network and I have not configured any NAS yet. It was just generic tests based on "radtest"...
>
> --- On Mon, 8/30/10, matteo at crs4.it <matteo at crs4.it> wrote:
>
>> From: matteo at crs4.it <matteo at crs4.it>
>> Subject: Re: radius newbie question
>> To: freeradius-users at lists.freeradius.org
>> Date: Monday, August 30, 2010, 10:33 AM
>> Hello gahn,
>> that's the IP address of an Access Point you're using to connect to
>> the network, or a switch, for example.
>> Matteo
>>
>> Quoting gahn <ipfreak at yahoo.com>:
>>
>>> Ok.
>>>
>>> now I started the server with "radiusd -X" and ran "radtest testing
>>> password localhost 10 secret test123":
>>>
>>> bn_1# radtest testing password localhost 10 secret test123
>>> Sending Access-Request of id 158 to 127.0.0.1 port 1812
>>> User-Name = "testing"
>>> User-Password = "password"
>>> NAS-IP-Address = 192.168.1.29
>>> NAS-Port = 10
>>> Framed-Protocol = PPP
>>> radclient: Failed to send packet for ID 158: (unknown error)
>>> Sending Access-Request of id 158 to 127.0.0.1 port 1812
>>> User-Name = "testing"
>>> User-Password = "password"
>>> NAS-IP-Address = 192.168.1.29
>>> NAS-Port = 10
>>> Framed-Protocol = PPP
>>> radclient: Failed to send packet for ID 158: (unknown error)
>>> Sending Access-Request of id 158 to 127.0.0.1 port 1812
>>> User-Name = "testing"
>>> User-Password = "password"
>>> NAS-IP-Address = 192.168.1.29
>>> NAS-Port = 10
>>> Framed-Protocol = PPP
>>> radclient: Failed to send packet for ID 158: (unknown error)
>>> radclient: no response from server for ID 158 socket 3
>>>
>>> but the server debug didn't show anything:
>>>
>>> Listening on authentication address * port 1812
>>> Listening on accounting address * port 1813
>>> Listening on command file /var/run/radiusd/radiusd.sock
>>> Listening on proxy address * port 1814
>>> Ready to process requests.
>>>
>>> where did that "NAS-IP-Address = 192.168.1.29" come from?
>>>
>>> Thanks in advance
>>>
>>> --- On Sat, 8/28/10, gahn <ipfreak at yahoo.com> wrote:
>>>
>>>> From: gahn <ipfreak at yahoo.com>
>>>> Subject: Re: radius newbie question
>>>> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>>>> Date: Saturday, August 28, 2010, 11:56 AM
>>>> thanks.
>>>>
>>>> giraffe is the temp hostname (for now).. it is behind a dsl link at
>>>> this moment and this public address is listed in ddns.
>>>>
>>>> once i pointed my /etc/resolv.conf to that ddns provider, the
>>>> "radtest" worked as it is designed.
>>>>
>>>> But why?
>>>>
>>>> --- On Sat, 8/28/10, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
>>>>
>>>>> From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
>>>>> Subject: Re: radius newbie question
>>>>> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
>>>>> Date: Saturday, August 28, 2010, 11:46 AM
>>>>> Hi,
>>>>>
>>>>>> host# radtest testing password localhost 10 testing123
>>>>>> radclient:: Failed to find IP address for giraffe
>>>>>> radclient: Nothing to send.
>>>>>
>>>>> where does giraffe come from? what's in your /etc/resolv.conf?
>>>>>
>>>>> alan
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
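In the debug trace above, the outer authorize section calls only preprocess, mschap and eap, and the final Access-Accept carries no Tunnel-* attributes, so the access point has nothing to map to a VLAN. As an added example (not from the original post), here is a small Python checker that reads a radiusd -X trace, lists which modules ran in a given section of the outer request, and reports whether the Access-Accept carries the RFC 2868 triple (Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-Id); both trace excerpts are constructed from the post's output.

```python
import re
# Constructed excerpt modelled on the "radiusd -X" trace in the post (outer
# authorize section and the final Access-Accept; other lines omitted).
TRACE_FROM_POST = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
++[eap] returns ok
+- entering group post-auth {...}
++[sql] returns ok
Sending Access-Accept of id 165 to 172.20.160.40 port 32768
        EAP-Message = 0x03a10004
        User-Name = "marpap"
"""
# Constructed: what the Access-Accept must carry for the NAS to apply the VLAN
# (FreeRADIUS 2.x prints tagged attributes with a ":0" tag suffix).
TRACE_WITH_VLAN = """\
Sending Access-Accept of id 166 to 172.20.160.40 port 32768
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "10"
"""
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def modules_in_group(trace, group):
    """Modules called inside '+- entering group <group>' of the outer request."""
    mods, inside = [], False
    for line in trace.splitlines():
        if line.startswith("+- entering group "):
            inside = line.split()[3] == group
        elif inside and (m := re.match(r"\+\+\[(\w+)\] returns", line)):
            mods.append(m.group(1))
    return mods

def accept_attributes(trace):
    """{name: value} of the Access-Accept attributes; the ':tag' suffix is dropped."""
    attrs, inside = {}, False
    for line in trace.splitlines():
        if line.startswith("Sending Access-"):
            inside = line.startswith("Sending Access-Accept")
        elif inside and (m := re.match(r"\s*([\w-]+)(?::\d+)? = (.*)", line)):
            attrs[m.group(1)] = m.group(2)
    return attrs

def assigned_vlan(trace):
    """VLAN id the NAS would apply, or None if the RFC 2868 triple is absent or wrong."""
    a = accept_attributes(trace)
    ok = (all(x in a for x in VLAN_ATTRS) and a["Tunnel-Type"] == "VLAN"
          and a["Tunnel-Medium-Type"] == "IEEE-802")
    return a["Tunnel-Private-Group-Id"].strip('"') if ok else None
```

Run it against a full trace to confirm two things at once: that the module which adds the group reply actually ran for the outer request, and that the attributes reached the packet the NAS receives.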