Authentication probation for VLAN
Alexander Clouter
alex at digriz.org.uk
Thu Aug 25 21:43:09 CEST 2011
joaocdc at gmail.com <joaocdc at gmail.com> wrote:
>
> This model is functional; however, it has a (very serious) problem: Radius does
> not know from which SSID the client is trying to authenticate, or whether it
> decides solely on the basis of the client's authentication Realm. I need
> to make the Radius check the VLAN that is associated with the request for
> user authentication. Checking through the radius debug output, an Access-Request
> packet has the following information:
>
> ...
> rad_recv: Access-Request packet from host 192.168.254.48 port 32769, id=204,
> length=184
> User-Name = "joao at fpti"
> Calling-Station-Id = "68-a3-c4-85-c5-89"
> Called-Station-Id = "00-26-cb-94-65-60:FPTI"
> NAS-Port = 29
> NAS-IP-Address = 192.168.254.48
> NAS-Identifier = "WLC-PTI"
> Airespace-Wlan-Id = 1
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> * Tunnel-Private-Group-Id:0 = "5"*
>
string != integer
Tunnel-Private-Group-Id is a string.
I have to do a similar thing to map a silly attribute coughed up by
Cisco's useless WLC:
---- policy.conf ----
rewrite.quirk.wlc {
    if (NAS-IP-Address == 172.16.3.124 && NAS-Identifier == "wlc-01") {
        switch "%{Airespace-Wlan-Id}" {
            case "1" {
                update request {
                    NAS-Port-Id := "eduroam"
                }
            }
            case "5" {
                update request {
                    NAS-Port-Id := "UTILICOM"
                }
            }
            case "6" {
                update request {
                    NAS-Port-Id := "BTOpenzone"
                }
            }
            case "7" {
                update request {
                    NAS-Port-Id := "soas-wpa-psk"
                }
            }
            case {
                update request {
                    NAS-Port-Id := "UNKNOWN"
                }
            }
        }
    ...
}
----
You should use (I am almost certain you should not be looking at tagged
attributes, so drop the ':0' too):
---- notice the "...." ----
if (Tunnel-Private-Group-Id == "5") {
    [stuff]
}
----
Cheers
--
Alexander Clouter
.sigmonster says: Do not apply to broken skin.
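An added example (not from either message above) that ties the two points together for the case João describes: compare Tunnel-Private-Group-Id as a quoted string, untagged, and reject a request whose VLAN does not match the user's realm. It assumes FreeRADIUS 2.x unlang, that the policy is listed in the authorize section after the suffix module has set Realm, and that VLAN "5" on the WLC named "WLC-PTI" is meant to carry only the "fpti" realm; all of those mappings are assumptions for illustration.

```unlang
# policy.conf (added example, not from the original post)
check.vlan.realm {
    # Tunnel-Private-Group-Id is a string in the dictionary, so the
    # comparison must be against "5", never a bare integer 5.
    # The tag (":0") is dropped, as untagged matching is what we want here.
    if (NAS-Identifier == "WLC-PTI" && Tunnel-Private-Group-Id) {
        switch "%{Tunnel-Private-Group-Id}" {
            case "5" {
                # Assumed mapping: VLAN 5 is reserved for the fpti realm.
                # Realm was set earlier by the suffix module from
                # User-Name = "joao@fpti".
                if (Realm != "fpti") {
                    update reply {
                        Reply-Message := "realm %{Realm} not allowed on VLAN %{Tunnel-Private-Group-Id}"
                    }
                    reject
                }
            }
            case {
                # Any VLAN we have no policy for is refused rather than
                # silently accepted.
                update reply {
                    Reply-Message := "no policy for VLAN %{Tunnel-Private-Group-Id}"
                }
                reject
            }
        }
    }
}
```

Run radiusd -X while testing: the debug output shows which case matched and why a request was rejected, which is far easier than inferring it from the Access-Reject alone.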