Cisco WLC - Freeradius Vlan assignment problem

Martin Silvero silvero.martin at gmail.com
Wed Apr 25 21:49:29 CEST 2012


We are modifying the Wireless access to our LAN.
We are trying to use a Cisco WLC and our freeradius. We've been using this
same freeradius for authenticating users against the corporate LDAP. Now
we want WLC to talk to the radius server without losing any functionality
like user authentication or vlan assignment.

Our main problem is that the vlan assignment is not working when we use the
WLC. The scenario with the APs talking to the radius directly works fine,
but when we use lightweight AP and the WLC we can see that the vlan
assignment part is skipped by the authentication process and all the users
are sent to the same vlan.

The following is the output of the two cases. One of them is a user
authenticating without WLC, the AP talks directly to the Radius Server, and
the other is an authentication where WLC talks to the Radius Server (the
one that is not working)

- 10.32.2.81 is the WLC IP address.

- 10.32.2.39 is the AP IP address.

WLC Soft Version: 7.0.116.0

These are the outputs:

1) AP - RADIUS (No WLC)

*****************************************************
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205,
length=184
        User-Name = "fcanales"
        Framed-MTU = 1400
        Called-Station-Id = "001d.4551.7da0"
        Calling-Station-Id = "5894.6b0d.e86c"
        Service-Type = Login-User
        Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4
        EAP-Message =
0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 59460
        State = 0xf4160a33f11e13898255a02243c509d6
        NAS-IP-Address = 10.32.2.39
        NAS-Identifier = "ap-Reco32"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - fcanales
[peap] Got tunneled request
        EAP-Message = 0x0208000d016663616e616c6573
server  {
  PEAP: Got tunneled identity of fcanales
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to fcanales
Sending tunneled request
        EAP-Message = 0x0208000d016663616e616c6573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "fcanales"
        Framed-MTU = 1400
        Called-Station-Id = "001d.4551.7da0"
        Calling-Station-Id = "5894.6b0d.e86c"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 59460
        NAS-IP-Address = 10.32.2.39
        NAS-Identifier = "ap-Reco32"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> FALSE
++? if (!Huntgroup-Name) -> FALSE
++? if (Huntgroup-Name == "list")
? Evaluating (Huntgroup-Name == "list") -> TRUE
++? if (Huntgroup-Name == "list") -> TRUE
++- entering if (Huntgroup-Name == "list") {...}
+++? if (Ldap-Group == "WIFI-Direccion")
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
        expand: (uid=%u) -> (uid=fcanales)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(uid=fcanales)
rlm_ldap: ldap_release_conn: Release Id: 0
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a
member.
+++? if (Ldap-Group == "WIFI-MKTyCC")
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar

WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a
member.
+++? if (Ldap-Group == "WIFI-TyO")
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO
rlm_ldap: ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE
+++? if (Ldap-Group == "WIFI-TyO") -> TRUE
+++- entering if (Ldap-Group == "WIFI-TyO") {...}
++++[reply] returns ok
+++- if (Ldap-Group == "WIFI-TyO") returns ok
+++? if (Ldap-Group == "WIFI-ITfuncional")
rlm_ldap: Entering ldap_groupcmp()
        expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for
details
        expand:
(&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}}))
-> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a member.
++- if (Huntgroup-Name == "list") returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for fcanales
[ldap]  expand: (uid=%u) -> (uid=fcanales)
[ldap]  expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(uid=fcanales)
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password ==
0x3441313536383141373845384430414446424135364139373343343736374646
rlm_ldap: sambaLmPassword -> LM-Password ==
0x4446323634314431373041414432333739433530313441453437313841374545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user fcanales authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "212"
        EAP-Message =
0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x158baf111582b5a1fb3a126781117cd4
[peap] Got tunneled reply RADIUS code 11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "212"
        EAP-Message =
0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x158baf111582b5a1fb3a126781117cd4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
        EAP-Message =
0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf4160a33f21f13898255a02243c509d6
Finished request 38.

*****************************************************




2) WLC - RADIUS

*****************************************************

rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119,
length=280
        User-Name = "fcanales"
        Calling-Station-Id = "58-94-6b-0d-e8-6c"
        Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
        NAS-Port = 1
        Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
        NAS-IP-Address = 10.32.2.81
        NAS-Identifier = "Iplan_wcs"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "60"
        EAP-Message =
0x0208002b190017030100200c857843d879e361aad79c8a2dccee6de8b04225d90b753a81b636a8090f0193
        State = 0xcb0bb3aace03aab2864a9aacb255d323
        Message-Authenticator = 0x62ca91e9e88fbba794e6e51db7aa67ec
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - fcanales
[peap] Got tunneled request
        EAP-Message = 0x0208000d016663616e616c6573
server  {
  PEAP: Got tunneled identity of fcanales
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to fcanales
Sending tunneled request
        EAP-Message = 0x0208000d016663616e616c6573
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "fcanales"
        Calling-Station-Id = "58-94-6b-0d-e8-6c"
        Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
        NAS-Port = 1
        Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
        NAS-IP-Address = 10.32.2.81
        NAS-Identifier = "Iplan_wcs"
        Airespace-Wlan-Id = 1
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "60"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> TRUE
++? if (!Huntgroup-Name) -> TRUE
++- entering if (!Huntgroup-Name) {...}
+++[reply] returns ok
++- if (!Huntgroup-Name) returns ok
++? if (Huntgroup-Name == "list")
    (Attribute Huntgroup-Name was not found)
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for fcanales
[ldap]  expand: (uid=%u) -> (uid=fcanales)
[ldap]  expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter
(uid=fcanales)
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password ==
0x3441313536383141373845384430414446424135364139373343343736374646
rlm_ldap: sambaLmPassword -> LM-Password ==
0x4446323634314431373041414432333739433530313441453437313841374545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the
user is configured correctly?
[ldap] user fcanales authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "249"
        EAP-Message =
0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xab42e29bab4bf81ef23bc50dea94c334
[peap] Got tunneled reply RADIUS code 11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "249"
        EAP-Message =
0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xab42e29bab4bf81ef23bc50dea94c334
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
        EAP-Message =
0x0109004b1900170301004075cf3c75c7a8311c01bc5581aac330e49586ce6e0001e8add345d7773aeeacba61b235c462fe0966e565d9e6279f111bf94fa3d8a4bff8a4ce82ab24d65f9c31
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcb0bb3aacd02aab2864a9aacb255d323
Finished request 48.
Going to the next request
Waking up in 4.9 seconds.

*****************************************************

Thanks for all.


-- 
--

Silvero Martin
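A small diagnostic helper, added here and not part of the original post, that pulls the relevant lines out of FreeRADIUS 2.x debug output like the two traces above: the NAS address, whether a huntgroup matched, whether `Huntgroup-Name` was missing, and the VLAN carried in the inner-tunnel reply. The two sample traces are constructed excerpts of the post's own output, not full logs.

```python
import re

# Constructed excerpt of trace 1 (AP talks to RADIUS directly).
SAMPLE_AP = """\
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205, length=184
        NAS-IP-Address = 10.32.2.39
server inner-tunnel {
++? if (Huntgroup-Name == "list") -> TRUE
[peap] Got tunneled reply code 11
        Tunnel-Private-Group-Id:0 = "212"
"""

# Constructed excerpt of trace 2 (WLC talks to RADIUS). Note the request itself
# already carries a Tunnel-Private-Group-Id, which must not be mistaken for the reply.
SAMPLE_WLC = """\
rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119, length=280
        NAS-IP-Address = 10.32.2.81
        Tunnel-Private-Group-Id:0 = "60"
server inner-tunnel {
++? if (!Huntgroup-Name) -> TRUE
++? if (Huntgroup-Name == "list")
    (Attribute Huntgroup-Name was not found)
[peap] Got tunneled reply code 11
        Tunnel-Private-Group-Id:0 = "249"
"""


def analyse(debug: str) -> dict:
    """Summarise one debug trace: NAS, huntgroup match, and VLAN in the reply."""
    nas = re.search(r"^\s*NAS-IP-Address = (\S+)", debug, re.M)
    matched = re.search(r'Huntgroup-Name == "([^"]+)"\) -> TRUE', debug)
    missing = "Attribute Huntgroup-Name was not found" in debug
    # Only look at attributes after the inner-tunnel reply line, so a
    # Tunnel-Private-Group-Id sent by the NAS in the request is ignored.
    parts = debug.split("Got tunneled reply code", 1)
    vlan = re.search(r'Tunnel-Private-Group-Id:0 = "(\d+)"', parts[1]) if len(parts) == 2 else None
    return {
        "nas_ip": nas.group(1) if nas else None,
        "huntgroup": matched.group(1) if matched else None,
        "huntgroup_missing": missing,
        "reply_vlan": vlan.group(1) if vlan else None,
    }


def diagnose(debug: str) -> str:
    """One-line verdict: did this NAS match a huntgroup, and which VLAN came back?"""
    r = analyse(debug)
    if r["huntgroup_missing"] or r["huntgroup"] is None:
        return (f"NAS {r['nas_ip']} matched no huntgroup; the group-based VLAN checks "
                f"were skipped and the reply carried VLAN {r['reply_vlan']}")
    return f"NAS {r['nas_ip']} matched huntgroup {r['huntgroup']}; reply VLAN {r['reply_vlan']}"
```

Since FreeRADIUS huntgroups are normally keyed on NAS-IP-Address, a trace that reports `Huntgroup-Name was not found` for 10.32.2.81 is the cue to check whether the WLC's address is listed in the huntgroups file alongside the APs.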