problem in assigning Tunnel-Private-Group-ID

syharash syharash at yahoo.com
Fri Apr 8 15:10:21 CEST 2011


Hi,

My FreeRADIUS is set up and working fine; the authentication is successful on a
Windows XP machine on the wireless network. I am using Cisco switches and
Ruckus Zone Director 1000 with Ruckus APs. They are connected to the
switches on the trunk ports with all VLANs allowed.

I get the following PEAP output:

[peap] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Service-Type = Framed-User
        Tunnel-Private-Group-Id:0 = "18"
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0x4f6c9d87690bee0a58553bc0511d5d8b
        MS-MPPE-Recv-Key = 0x3a8d8e6495f46657b8eb7fd7de5414ca
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "abdul"
[peap] Got tunneled reply RADIUS code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Service-Type = Framed-User
        Tunnel-Private-Group-Id:0 = "18"
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0x4f6c9d87690bee0a58553bc0511d5d8b
        MS-MPPE-Recv-Key = 0x3a8d8e6495f46657b8eb7fd7de5414ca
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "abdul"
[peap] Tunneled authentication was successful.

But the machine does not get the IP address from the VLAN ID assigned to it;
I get this output:

[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 182 to 10.73.93.151 port 1036
        EAP-Message =
0x010b00261900170301001b02e15cc2abe26c501fdcd17fcd4f071c3f8a537b5dd5b0ebb210e9
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5b2c3d415227240db5e9ddff32a6a83d
Finished request 9.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.73.93.151 port 1036, id=183,
length=231
        User-Name = "abdul"
        Calling-Station-Id = "00-1F-3C-E1-17-A9"
        NAS-IP-Address = 10.73.93.151
        NAS-Port = 1
        Called-Station-Id = "AC-67-06-39-CB-0D"
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AC-67-06-39-CB-0D"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
0x020b00261900170301001bbb6ec9c29da3419792e34574056635e11eee7834778d5fad460595
        State = 0x5b2c3d415227240db5e9ddff32a6a83d
        Vendor-25053-Attr-3 = 0x55464f4d6f7669657a
        Message-Authenticator = 0x4263907cbffb8eec9f8b93a9138037dd
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "abdul", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
Login OK: [abdul] (from client UFO-Network port 1 cli 00-1F-3C-E1-17-A9)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 183 to 10.73.93.151 port 1036
        MS-MPPE-Recv-Key =
0x2427d16802fc1cc49ddea287efb9c9d5ba0f8698cc2a9ea300c43d46d720a4d5
        MS-MPPE-Send-Key =
0xc3d215b48856c14b29eb75f29b0fbeb6c3a3c83ed5d657259df03cb3759c4d9f
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "abdul"
Finished request 10.
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 0 ID 173 with timestamp +8
Waking up in 0.3 seconds.
Cleaning up request 1 ID 174 with timestamp +9
Cleaning up request 2 ID 175 with timestamp +9
Cleaning up request 3 ID 176 with timestamp +9
Cleaning up request 4 ID 177 with timestamp +9
Cleaning up request 5 ID 178 with timestamp +9
Cleaning up request 6 ID 179 with timestamp +9
Cleaning up request 7 ID 180 with timestamp +9
Cleaning up request 8 ID 181 with timestamp +9
Cleaning up request 9 ID 182 with timestamp +9
Cleaning up request 10 ID 183 with timestamp +9
Ready to process requests.
rad_recv: Accounting-Request packet from host 10.73.93.151 port 1044,
id=184, length=213
        User-Name = "abdul"
        Acct-Status-Type = Start
        Acct-Authentic = RADIUS
        Framed-IP-Address = 169.254.67.194
        Calling-Station-Id = "00-1F-3C-E1-17-A9"
        NAS-IP-Address = 10.73.93.151
        NAS-Port = 1
        Called-Station-Id = "AC-67-06-39-CB-0D"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "AC-67-06-39-CB-0D"
        Connect-Info = "AC-67-06-39-CB-0D"
        Acct-Session-Id = "4D9EBE6D-00000037"
        Acct-Multi-Session-Id = "ac670639cb0d001f3ce117a94d9f077c00d2"
        Vendor-25053-Attr-3 = 0x55464f4d6f7669657a
# Executing section preacct from file /etc/raddb/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 1,Client-IP-Address =
10.73.93.151,NAS-IP-Address = 10.73.93.151,Acct-Session-Id =
"4D9EBE6D-00000037",User-Name = "abdul"'
[acct_unique] Acct-Unique-Session-ID = "c55f8220b641e9bd".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "abdul", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[files] returns noop
# Executing section accounting from file /etc/raddb/sites-enabled/default
+- entering group accounting {...}
[detail]        expand:
/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->
/var/log/radius/radacct/10.73.93.151/detail-20110408
[detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/radius/radacct/10.73.93.151/detail-20110408
[detail]        expand: %t -> Fri Apr  8 18:38:10 2011
++[detail] returns ok
++[unix] returns ok
[radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
[radutmp]       expand: %{User-Name} -> abdul
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response]       expand: %{User-Name} -> abdul
 attr_filter: Matched entry DEFAULT at line 12
++[attr_filter.accounting_response] returns updated
Sending Accounting-Response of id 184 to 10.73.93.151 port 1044
Finished request 11.
Cleaning up request 11 ID 184 with timestamp +68
Going to the next request
Ready to process requests.

I have checked /etc/raddb/users, which looks like this:

DEFAULT
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Service-Type = Framed-User,
                Fall-Through = Yes

abdul           Cleartext-Password := "test123"
                Tunnel-Private-Group-ID = 18

Is there anything that I need to do on FreeRADIUS, or is it my switches
or the Zone Director which is the culprit? Please help.

Syed
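
An added example, not part of the original post: a small parser for `radiusd -X` debug output that compares the attributes in the PEAP tunneled reply with those in the Access-Accept actually sent to the NAS. The function names and the sample text are constructed for illustration; the sample is abbreviated from the output above and uses a placeholder key value.

```python
import re

# Constructed sample, abbreviated from the radiusd -X output in the post;
# the key value is a placeholder, wrapped the way the mail client wrapped it.
SAMPLE_DEBUG = """\
[peap] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "18"
        User-Name = "abdul"
[peap] Tunneled authentication was successful.
Sending Access-Accept of id 183 to 10.73.93.151 port 1036
        MS-MPPE-Recv-Key =
0x00112233
        EAP-Message = 0x030b0004
        User-Name = "abdul"
Finished request 10.
"""

ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$")
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+$")
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def parse_blocks(text):
    """Split debug output into (header line, {attribute: value}) blocks."""
    blocks, attrs, last = [], None, None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m and attrs is not None:
            last = m.group(1)
            attrs[last] = m.group(2).strip().strip('"')
        elif HEX_RE.match(line) and last and attrs[last] == "":
            attrs[last] = line          # value wrapped onto its own line
        elif line.strip():
            attrs, last = {}, None      # any other line starts a new block
            blocks.append((line.strip(), attrs))
    return blocks

def vlan_attrs_lost(text):
    """VLAN attributes in the last tunneled reply but not in the last Access-Accept."""
    inner = outer = None
    for header, attrs in parse_blocks(text):
        if "Got tunneled reply" in header:
            inner = attrs
        elif header.startswith("Sending Access-Accept"):
            outer = attrs
    if inner is None or outer is None:
        raise ValueError("need a tunneled reply and an Access-Accept")
    return {k: inner[k] for k in VLAN_ATTRS if k in inner and k not in outer}

if __name__ == "__main__":
    print(vlan_attrs_lost(SAMPLE_DEBUG))
```

A non-empty result means the VLAN assignment stayed inside the PEAP tunnel and never reached the NAS. In FreeRADIUS 2.x, the `use_tunneled_reply` setting in the `peap` section of eap.conf controls whether inner-tunnel reply attributes are copied to the outer Access-Accept.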
