how to send wifi connection attributes.

Ramon Escriba escriba at cells.es
Wed Apr 13 15:42:28 CEST 2011


Hi all,
I have a MAC authentication scheme working.
Now I want to add 802.1X EAP+MSCHAPv2 for WiFi/wired.

We're using Aruba's AP.

Aruba is very peculiar: it extends an aruba-ap VLAN between the controller
and the APs.
The other configured VLANs are secure tunnels inside this "aruba-ap" VLAN.

Our Aruba WiFi has 2 main VLANs, one for data and the other for VoIP (alias SSID
wifidata & wifivoip) with different QoS.

Authentication of the test user "aaa" is correct, but I'm still not able to
send to my Aruba controller the VLAN the
authenticated user should be attached to: wifidata with a laptop, but
wifivoip with a mobile.

I cheat by adding to the test user "aaa" a pair of radiusReplyItem
attributes:

        Aruba-User-Vlan = 4000
        Aruba-User-Role = "authenticated"

The cheat works:

(....)
++[exec] returns noop
Sending Access-Accept of id 166 to 84.89.232.250 port 32834
       Tunnel-Private-Group-Id:0 = "X1"
       Aruba-User-Vlan = 4000
       Aruba-User-Role = "authenticated"
       User-Name = "aaa"
       MS-MPPE-Recv-Key =
0x634d9e2f148f2484671e78e939bb4a9661ac05f1f242a016e9b16458538d6632
       MS-MPPE-Send-Key =
0x24d48bb9ce204be409131d3dd3226c4bb7bee7805c5dd006b25e2f9d0faca881
       EAP-Message = 0x03260004
       Message-Authenticator = 0x00000000000000000000000000000000
Finished request 55.
(...)

But without the cheat, it does not. It connects correctly to the WiFi, but as
it is attached to an incorrect VLAN,
in our case the aruba-ap VLAN, it does not get a correct IP from our DHCP.

(.....)
Sending Access-Accept of id 121 to 84.89.232.250 port 32834
       Tunnel-Private-Group-Id:0 = "X1"
       User-Name = "aaa"
       MS-MPPE-Recv-Key =
0x6859e312650c6232d0b20930eba797e110036da56fb710248c676ba5558e05e0
       MS-MPPE-Send-Key =
0x3520313eb26c8f00f9a4d561aa183cc3991d38dd89d43322ad32a80437f172d9
       EAP-Message = 0x030c0004
       Message-Authenticator = 0x00000000000000000000000000000000
Finished request 10.
Going to the next request


The problem is one user "aaa" may be able to connect to wifidata & wifivoip
with different devices (laptop / mobile).

Any clue? Where should I force the radiusReplyItem?

Regards.
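One way to set the Aruba VSAs per SSID rather than per user, as an added unlang example that is not part of the original post or of FreeRADIUS itself: it assumes the controller sends Called-Station-Id as "<AP-MAC>:<SSID>", that the Aruba dictionary is loaded, and that 4001 is a placeholder VLAN id for the VoIP SSID (only 4000 comes from the post).

```unlang
# Added example (not from the original post). Place this in the post-auth
# section of the inner-tunnel virtual server so the reply attributes are
# chosen from the SSID the device associated to, instead of from the
# per-user LDAP radiusReplyItem. The same user "aaa" then gets the data
# VLAN from a laptop on wifidata and the VoIP VLAN from a phone on wifivoip.
# Assumption: Called-Station-Id looks like "00-1A-1E-xx-xx-xx:wifivoip".
# Assumption: 4001 is a placeholder; 4000 is the value from the post.
post-auth {
    if (Called-Station-Id =~ /:wifivoip$/i) {
        update reply {
            Aruba-User-Vlan := 4001
            Aruba-User-Role := "authenticated"
        }
    }
    elsif (Called-Station-Id =~ /:wifidata$/i) {
        update reply {
            Aruba-User-Vlan := 4000
            Aruba-User-Role := "authenticated"
        }
    }
    else {
        # Unknown SSID: send no VLAN so the controller's default
        # (the aruba-ap VLAN seen in the post) is easy to spot in the logs.
        noop
    }
}
```

With PEAP the reply items set in inner-tunnel only reach the controller if `use_tunneled_reply = yes` is set in the peap section of eap.conf; otherwise the Access-Accept looks like the second log above, with no Aruba-User-Vlan.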




More information about the Freeradius-Users mailing list