Assign VLAN from freeradius to Cisco 3550 switch.

Brian Julin BJulin at clarku.edu
Wed Apr 25 15:07:17 CEST 2012


Wassim Zaarour wrote:
> Look at this
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40162.html
>
> The user says that it worked, I tried the attributes he used and still got
> the same error.

I don't even know how this was ever working for that user.  On my wired switch plant, which
includes some 3550s, wherever I have tested VLAN assignment I have had to use Cisco's
cretinous hack:


 if (Cisco-AVPair) { # Cisco switch.
     # We have to "Accept" it to the Registration VLAN manually
     # (because host-mode multi-auth is currently retarded.)
     update reply {
         Tunnel-Type = VLAN
         Tunnel-Medium-Type = 6
         # CISCO broke the IETF attribute...
         # Tunnel-Private-Group-Id = "Registration"
         # ... so use their proprietary method to get it in there.
         # NOTE: This is CaSe SeNsItIvE!!
         Cisco-AVPair += "tunnel-private-group-id=Registration"
     }
 }

This is of course extremely case-sensitive.  It also uses the vlan names, not the numbers, though
you can use the automatically generated names just fine.

Be warned the 3550s are old EOL switches and their latest software version (the one that is only
supposed to be used for the 24 port switch but works on the 48 port one) is still not current enough
to pick up the latest bugfixes to multi-auth mode.  Not that multi-auth mode works sensibly in the
newest firmware either, but at least it has workarounds.

(BTW, even I am starting to pull these 3550s from the net, and I tend to try to bleed devices for every
minute they can manage to hack it.  Right now the only ones I have out there are essentially
serving as lightning rods for this summer's thunderstorms, and then will be replaced by new
switches after that.)

Typical switch port configuration (this is not from a 3550, sorry):


interface FastEthernet0/24
 switchport access vlan XXX
 switchport mode access
 switchport block unicast
 switchport port-security maximum 16
 switchport port-security
 switchport port-security aging time 240
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 100
 authentication control-direction in
 authentication event fail action authorize vlan YYY
 authentication event server dead action authorize vlan XXX
 authentication event no-response action authorize vlan XXX
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order mab
 authentication priority mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 1300
 authentication timer inactivity 1200
 authentication violation restrict
 mab
 no lldp transmit
 no lldp receive
 no cdp enable
 no cdp tlv server-location
 no cdp tlv app
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip verify source port-security
 ip dhcp snooping limit rate 50
end


XXX and YYY above are actually decimals.

Note that the auth-fail VLAN setting is not actually used, because in order to get multi-auth to behave
sensibly (so you can handle VMs) you have to actually succeed every authentication and just send
the quarantine VLAN from RADIUS when you want the user locked out.
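To make the two forms of VLAN assignment above concrete, here is an added example (written for this page; it is not FreeRADIUS or Cisco code) that builds a RADIUS Access-Accept on the wire both ways: the IETF RFC 2868 tagged attributes Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-ID, and the Cisco-AVPair vendor-specific attribute "tunnel-private-group-id=<name>" that Brian's unlang sends instead. It also computes and checks the RFC 2865 Response Authenticator and decodes the packet back the way a NAS would, so you can see exactly what bytes differ between the two styles. The shared secret, request authenticator and packet identifier are constructed test values; the case-sensitive match on the Cisco key in the decoder mirrors the poster's report about IOS, not a verified IOS source.

```python
"""Encode/decode RADIUS VLAN assignment: RFC 2868 tunnel attributes vs. the
Cisco-AVPair VSA form. Example code for this page, not FreeRADIUS/Cisco code."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868 Tunnel-Medium-Type value for IEEE-802
VENDOR_CISCO = 9             # IANA enterprise number used in Vendor-Specific
CISCO_AVPAIR = 1             # Cisco vendor attribute 1 = Cisco-AVPair

def _avp(attr_type, value):
    # Generic RADIUS AVP: Type(1) Length(1, covers the header) Value.
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def tunnel_int(attr_type, value, tag=0):
    # RFC 2868 tagged integer: one tag octet followed by a 3-octet value.
    return _avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])

def tunnel_str(attr_type, text, tag=0):
    # RFC 2868 tagged string: tag octet (0x00 when the tag is unused) then text.
    return _avp(attr_type, bytes([tag]) + text.encode())

def cisco_avpair(text):
    # Vendor-Specific(26): Vendor-Id(4) then vendor Type(1) Length(1) value.
    raw = text.encode()
    inner = struct.pack("!BB", CISCO_AVPAIR, len(raw) + 2) + raw
    return _avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", VENDOR_CISCO) + inner)

def vlan_attrs(vlan_name, cisco_style):
    """Reply attributes for one VLAN; cisco_style selects the VSA workaround."""
    attrs = tunnel_int(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
    attrs += tunnel_int(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
    if cisco_style:
        # Key spelled exactly as in the post; IOS reportedly matches it case-sensitively.
        attrs += cisco_avpair("tunnel-private-group-id=" + vlan_name)
    else:
        attrs += tunnel_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, vlan_name)
    return attrs

def access_accept(identifier, request_auth, secret, attrs):
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """NAS-side check of the Response Authenticator (constant-time compare)."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_attrs(packet):
    pos, out = 20, []
    while pos < len(packet):
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((t, packet[pos + 2:pos + l]))
        pos += l
    return out

def extract_vlan(packet):
    """Return (tunnel_type, medium_type, group_id) as a switch would read them."""
    tunnel_type = medium = group = None
    for t, v in parse_attrs(packet):
        if t == ATTR_TUNNEL_TYPE:
            tunnel_type = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_MEDIUM_TYPE:
            medium = int.from_bytes(v[1:], "big")
        elif t == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: the first octet is a tag only if it is 0x00..0x1F.
            group = (v[1:] if v[0] <= 0x1F else v).decode()
        elif t == ATTR_VENDOR_SPECIFIC and v[:4] == struct.pack("!I", VENDOR_CISCO):
            vtype, vlen = v[4], v[5]
            key, _, val = v[6:4 + vlen].decode().partition("=")
            if vtype == CISCO_AVPAIR and key == "tunnel-private-group-id":
                group = val
    return tunnel_type, medium, group

if __name__ == "__main__":
    # Constructed test values: a fake request authenticator and shared secret.
    req_auth, secret = bytes(range(16)), b"testing123"
    for style in (True, False):
        pkt = access_accept(7, req_auth, secret, vlan_attrs("Registration", style))
        print("cisco" if style else "ietf", pkt.hex(), extract_vlan(pkt))
```

Run it to print both packets in hex: the only difference is the last attribute, a 14-octet Tunnel-Private-Group-ID (type 81) in the IETF form versus a 44-octet Vendor-Specific (type 26, vendor 9) carrying the ASCII key=value string in the Cisco form. Note that neither form is integrity-protected beyond the MD5 Response Authenticator keyed with the shared secret, which is why the RADIUS path between server and switch should be on a protected management network.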

