RADIUS should assign different authentication rules based on the connected SSID/VLAN ...
Philipp Hanselmann
philipp.hanselmann at qnamic.com
Fri Jan 21 14:18:52 CET 2011
Hi,
We have the following setup:
Wireless Client (authentication with EAP-TTLS/PAP)
|
| SSID (wlan)
\/
WLAN Access Point (NAS with EAP-PEAP, Cipher TKIP) -> SSID: wlan
connected to VLAN 111
|
|
\/
Radius Server
(Check if the user is a member of the LDAP group company-users)
If yes, check his credentials with the LDAP Server.
|
|
\/
LDAP Server (for Authentication)
Up to now this is working.
Now the idea is that the same AP is managing a second SSID called
wlan-public. This SSID should be connected to a separate VLAN (ID
113). Mostly this SSID should be used by our guests for basic Internet
access (no access to our company network).
To realise that, the RADIUS server must be able to detect the connected
SSID. Based on that, different user groups are allowed.
We noticed that the AP is informing the RADIUS server about the connected SSID
(see below),
but we couldn't figure out the right way to detect that information
or to use it.
We tried to detect the value Cisco-AVPair with
/etc/freeradius/users
<snip>
# wlan-public - Connected to guest vlan - for our guests.
# (Access with user guest, password guest)
# Anchored so that only "ssid=wlan-public" matches.
DEFAULT Cisco-AVPair =~ "^ssid=wlan-public$"
	Reply-Message = "Your SSID: wlan-public",
	Fall-Through = Yes

# debug
DEFAULT
	Reply-Message = "Cisco-AVPair: %{Cisco-AVPair[*]}",
	Fall-Through = Yes

# wlan - Connected to company vlan - for our employees -
# membership company-users is needed
# (Access with every LDAP account, No access with the user guest)
# Anchored: an unanchored "ssid=wlan" would also match "ssid=wlan-public".
DEFAULT Cisco-AVPair =~ "^ssid=wlan$"
	Reply-Message = "Your SSID: wlan",
	Fall-Through = Yes

DEFAULT Ldap-Group == "company-users"
	Reply-Message = "Welcome to the Wireless Network wlan"
</snip>
but without success.
Even based on the debug output it looks like the value
%{Cisco-AVPair[*]} is empty?
Help would be appreciated.
Regards,
Philipp Hanselmann
--
* freeradius -X | grep Cisco
[files] expand: Cisco-AVPair: %{Cisco-AVPair[*]} -> Cisco-AVPair:
Reply-Message = "Cisco-AVPair: "
[files] expand: Cisco-AVPair: %{Cisco-AVPair[*]} -> Cisco-AVPair:
Reply-Message = "Cisco-AVPair: "
[files] expand: Cisco-AVPair: %{Cisco-AVPair[*]} -> Cisco-AVPair:
Reply-Message = "Cisco-AVPair: "
Cisco-AVPair = "ssid=wlan-public"
Cisco-AVPair = "vlan-id=113"
Cisco-AVPair = "nas-location=unspecified"
Cisco-AVPair = "connect-progress=Call Up"
* freeradius -X | grep Cisco
<snip>
++[exec] returns noop
Sending Access-Accept of id 39 to 192.168.110.210 port 1645
MS-MPPE-Recv-Key =
0xdcf7bf00aa1600ac7ba7032d9exxxxxcd5xxxxxxxxxxx115738
MS-MPPE-Send-Key = 0x8cf29e70b657866e446fb2a8c9xxxxxxxxxxxxxxxxxxxc
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "phanselmann"
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Accounting-Request packet from host 192.168.110.21 port 1646, id=81, length=230
Acct-Session-Id = "00000312"
Called-Station-Id = "001a.e35f.42e1"
Calling-Station-Id = "0090.4b9a.6ac4"
Cisco-AVPair = "ssid=wlan-public"
Cisco-AVPair = "vlan-id=113"
Cisco-AVPair = "nas-location=unspecified"
User-Name = "phanselmann"
Cisco-AVPair = "connect-progress=Call Up"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
NAS-Port = 392
NAS-Port-Id = "392"
Service-Type = Framed-User
NAS-IP-Address = 192.168.110.21
Acct-Delay-Time = 0
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] Hashing 'NAS-Port = 392,Client-IP-Address = 192.168.110.21,NAS-IP-Address = 192.168.110.21,Acct-Session-Id = "00000312",User-Name = "phanse"'
[acct_unique] Acct-Unique-Session-ID = "8eebd433aaed7864".
++[acct_unique] returns ok
[suffix] No '@' in User-Name = "p
</snip>
<snip>
--
Philipp Hanselmann
System Administrator
Qnamic AG
Fabrikstrasse 10
CH-4614 Hägendorf
Switzerland
Phone: +41 62 209 70 40
Fax: +41 62 209 70 44
philipp.hanselmann at qnamic.com
www.qnamic.com
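An added illustration, not part of Philipp's post and not FreeRADIUS code, of how a users-file check like `Cisco-AVPair =~ "ssid=wlan"` behaves on a multi-valued attribute: the check passes if any instance of the attribute matches, and because the pattern is unanchored it also matches `ssid=wlan-public`, so with `Fall-Through = Yes` both SSID rules fire for a guest association. The script parses attribute lines modelled on the debug output above (constructed sample input, not captured traffic), compares the post's unanchored patterns with anchored ones, and applies the intended per-SSID policy. The `LDAP_GROUPS` table, the sample requests and the reply texts are assumptions made for the example.

```python
import re

# Constructed sample input, modelled on the attribute lines in the post's
# debug output; not real captured traffic.
GUEST_REQUEST = """\
User-Name = "guest"
Cisco-AVPair = "ssid=wlan-public"
Cisco-AVPair = "vlan-id=113"
Cisco-AVPair = "nas-location=unspecified"
Cisco-AVPair = "connect-progress=Call Up"
NAS-Port-Type = Wireless-802.11
"""

EMPLOYEE_REQUEST = """\
User-Name = "phanselmann"
Cisco-AVPair = "ssid=wlan"
Cisco-AVPair = "vlan-id=111"
Cisco-AVPair = "connect-progress=Call Up"
NAS-Port-Type = Wireless-802.11
"""

# Hypothetical stand-in for the LDAP group lookup (the Ldap-Group check item).
LDAP_GROUPS = {"phanselmann": {"company-users"}, "guest": set()}

# The post's unanchored patterns next to anchored ones.
UNANCHORED_RULES = {"wlan-public": r"ssid=wlan-public", "wlan": r"ssid=wlan"}
ANCHORED_RULES = {"wlan-public": r"^ssid=wlan-public$", "wlan": r"^ssid=wlan$"}

_ATTR = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_attrs(dump):
    """Parse 'Attr = value' debug lines into {name: [values]}, keeping every
    instance of a multi-valued attribute such as Cisco-AVPair."""
    attrs = {}
    for line in dump.splitlines():
        m = _ATTR.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def matched_ssid_rules(attrs, rules):
    """Emulate 'Cisco-AVPair =~ pattern' as the users file evaluates it: the
    check passes if ANY instance of the attribute matches the regex. Returns
    the names of all rules that would fire (each with Fall-Through = Yes)."""
    values = attrs.get("Cisco-AVPair", [])
    return [name for name, pat in rules.items()
            if any(re.search(pat, v) for v in values)]


def authorize(attrs):
    """Intended per-SSID policy using the anchored rules: the guest account on
    wlan-public, company-users members on wlan, reject everything else."""
    user = attrs.get("User-Name", [""])[0]
    hits = matched_ssid_rules(attrs, ANCHORED_RULES)
    if hits == ["wlan"]:
        if "company-users" in LDAP_GROUPS.get(user, set()):
            return "accept", {"Reply-Message": "Welcome to the Wireless Network wlan"}
        return "reject", {"Reply-Message": "company SSID requires company-users membership"}
    if hits == ["wlan-public"]:
        if user == "guest":
            return "accept", {"Reply-Message": "Your SSID: wlan-public"}
        return "reject", {"Reply-Message": "only the guest account may use wlan-public"}
    return "reject", {"Reply-Message": "unknown or missing SSID"}


if __name__ == "__main__":
    for dump in (GUEST_REQUEST, EMPLOYEE_REQUEST):
        a = parse_attrs(dump)
        # For the guest request the unanchored set fires both rules,
        # the anchored set only "wlan-public".
        print(a["User-Name"][0],
              "unanchored:", matched_ssid_rules(a, UNANCHORED_RULES),
              "anchored:", matched_ssid_rules(a, ANCHORED_RULES),
              authorize(a))
```

Separately from the anchoring point: with EAP-TTLS the users file is normally evaluated in the inner-tunnel virtual server, and that inner request does not carry the outer Access-Request's attributes unless they are copied in; in FreeRADIUS 2.x the ttls section of eap.conf has a `copy_request_to_tunnel` setting, and `%{outer.request:Cisco-AVPair}` references the outer request directly. That is worth checking when `%{Cisco-AVPair[*]}` expands to nothing while the attribute is visible in the outer packet.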