VLAN attribution in an eduroam setting - proxied users
Rui Ribeiro
ruyrybeyro at gmail.com
Tue Dec 20 12:52:17 CET 2011
Good morning list,
I've been setting up a freeradius to operate in the eduroam environment.
At the moment my problem is the VLAN attribution that is done depending on the Windows domain of the user, or if it is in roaming from another institution.
I've solved the VLAN based in the Windows domain, using in the /etc/freeradius/users file the following directives.

DEFAULT Ldap-Group == "ISCTE"
        Service-Type = "Framed-User",
        Reply-Message = "Eduroam ISCTE",
        Framed-MTU = 1300,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "211"

DEFAULT Ldap-Group == "Alunos"
        Service-Type = "Framed-User",
        Reply-Message = "Eduroam Alunos",
        Framed-MTU = 1300,
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "212"

As for the VLAN attribution whether the user is a roaming user (i.e. goes to a proxy to be authenticated), I have done several tries, without success. Haven't managed to do it through the users file above; my last attempt was trying to set them up in the /etc/freeradius/attrs file with attr_filter.post-proxy, however it seems to interfere with the EAP/password negotiation. The setup is as follows, and I would like to ask for an alternative of where to insert the roaming VLAN.

post-proxy {
        post_proxy_log
        attr_filter.post-proxy # here <---------------------------
        Post-Proxy-Type Fail {
                detail
        }
}

and then the attrs file:

DEFAULT
        EAP-Message =* ANY,
        User-NAme =* ANY,
        MS-MPPE-Send-Key =* ANY,
        MS-MPPE-Recv-Key =* ANY,
        Message-Authenticator =* ANY,
        State =* ANY,
        Reply-Message =* ANY,
        Proxy-State =* ANY,
        Session-Timeout =* ANY,
        Idle-Timeout =* ANY,
        MS-CHAP-MPPE-Keys =* ANY,
        Service-Type := "Framed-User",
        Reply-Message := "Eduroam Roaming",
        Tunnel-Type := "VLAN",
        Tunnel-Medium-Type := "IEEE-802",
        Tunnel-Private-Group-Id := "216",
        Framed-MTU := 1300,
        Framed-Filter-ID =* ANY

Regards,
Rui Ribeiro