Using FreeRadius to override VLAN Assignment

Brian Julin BJulin at clarku.edu
Wed Jan 4 19:48:30 CET 2012


A few things -- I do note the case doesn't match (-id vs -Id) in your original paste.  Second, even though the value of 16 is not what you want, even if you get that fixed, note that it is not being copied to the outer reply (e.g. with use_tunneled_reply in peap, or maybe you are filtering it away in ./attrs.)

(Also note that once you get that working, it should work, but there are some Cisco devices that instead want Cisco-AVPair += "tunnel-private-group-id=XXX", though I have only seen this on wired switches not APs.)

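The diagnostic Brian describes above (compare the attributes in the tunneled inner reply with those in the outer Access-Accept) can be mechanised. The following is an added example, not code from the thread or from the FreeRADIUS project: it parses a `radiusd -X` transcript into packets and reports whether the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id triple made it to the reply the NAS actually sees. The embedded sample is a constructed, trimmed copy of the debug output quoted in this thread (MPPE keys and EAP payloads elided); the function and verdict names are mine.

```python
import re
from typing import Dict, List

# Constructed sample, trimmed from the radiusd -X transcript quoted in this
# thread. Key material and EAP payloads are elided; structure is what matters.
SAMPLE_DEBUG = """\
[peap] Got tunneled reply RADIUS code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "16"
        User-Name = "jmcsparin"
[peap] Tunneled authentication was successful.
Sending Access-Challenge of id 199 to 10.1.1.50 port 35858
        EAP-Message = 0x010b002b
        State = 0x11074b60
Sending Access-Accept of id 200 to 10.1.1.50 port 35858
        MS-MPPE-Recv-Key = 0x3d7918ad
        EAP-Message = 0x030b0004
        User-Name = "jmcsparin"
Finished request 49.
"""

# The three attributes a NAS needs for a dynamic VLAN assignment (RFC 3580).
VLAN_ATTRS = ("tunnel-type", "tunnel-medium-type", "tunnel-private-group-id")

# A packet starts at either a tunneled-reply line or a "Sending ..." line.
HEADER_RE = re.compile(
    r"^(?:\[peap\] Got tunneled reply (?:RADIUS )?code \d+|Sending (Access-\w+) of id \d+)"
)
# Attribute lines are indented; an optional ":N" tag follows the name.
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.*)$')

VERDICT_LOST = "lost between inner tunnel and outer reply: check use_tunneled_reply and attribute filtering"
VERDICT_NEVER_SET = "inner tunnel never produced the VLAN attributes: check the users file / policy"
VERDICT_OK = "VLAN attributes reach the NAS: look at the AP-side override setting"


def parse_packets(debug: str) -> List[Dict]:
    """Split a radiusd -X transcript into packets with lower-cased attribute maps."""
    packets: List[Dict] = []
    current = None
    for line in debug.splitlines():
        m = HEADER_RE.match(line)
        if m:
            kind = "inner-reply" if line.startswith("[peap]") else m.group(1)
            current = {"kind": kind, "attrs": {}}
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            name, value = m.group(1).lower(), m.group(2).strip().strip('"')
            current["attrs"][name] = value
        elif line and not line.startswith(" "):
            current = None  # any non-indented line closes the attribute list
    return packets


def vlan_propagation(debug: str) -> Dict:
    """Report where the VLAN attributes are present and what that implies."""
    packets = parse_packets(debug)
    inner = [p for p in packets if p["kind"] == "inner-reply"]
    accepts = [p for p in packets if p["kind"] == "Access-Accept"]

    def has_vlan(p: Dict) -> bool:
        return all(a in p["attrs"] for a in VLAN_ATTRS)

    inner_ok = any(has_vlan(p) for p in inner)
    outer_ok = any(has_vlan(p) for p in accepts)
    vlan_id = next(
        (p["attrs"]["tunnel-private-group-id"] for p in inner + accepts
         if "tunnel-private-group-id" in p["attrs"]),
        None,
    )
    if not inner_ok:
        verdict = VERDICT_NEVER_SET
    elif not outer_ok:
        verdict = VERDICT_LOST
    else:
        verdict = VERDICT_OK
    return {"inner_has_vlan": inner_ok, "outer_has_vlan": outer_ok,
            "vlan_id": vlan_id, "verdict": verdict}


if __name__ == "__main__":
    # Usage: python this_script.py < radiusd-X.log   (falls back to the sample)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DEBUG
    for k, v in vlan_propagation(text).items():
        print(f"{k}: {v}")
```

On the transcript in this thread the script reports that the inner reply carries VLAN 16 but the outer Access-Accept does not, which is exactly the "not copied to the outer reply" case; in FreeRADIUS 2.x the copying is controlled by `use_tunneled_reply` in the `peap` section of eap.conf, after which the reply still has to survive any attr_filter policy applied to the outer request.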
________________________________
From: freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org [mailto:freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org] On Behalf Of McSparin, Joe
Sent: Wednesday, January 04, 2012 1:37 PM
To: FreeRadius users mailing list
Subject: RE: Using FreeRadius to override VLAN Assignment

Here is my radiusd -X; it looks to me like the Access-Accept is not returning the VLAN with it.

# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "16"
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xa15daac8db91138c9543ff1dd79193d8
        MS-MPPE-Recv-Key = 0x5b23ada7251bf55e939f78211bc91ee9
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "jmcsparin"
[peap] Got tunneled reply RADIUS code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "16"
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xa15daac8db91138c9543ff1dd79193d8
        MS-MPPE-Recv-Key = 0x5b23ada7251bf55e939f78211bc91ee9
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "jmcsparin"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 199 to 10.1.1.50 port 35858
        EAP-Message = 0x010b002b19001703010020c4f38e69d73c88a387eba5b0923e812f7d609d6c9d329f90acd78fc19eb2381f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x11074b60180c524471e7db294b4fecfb
Sending Access-Accept of id 200 to 10.1.1.50 port 35858
        MS-MPPE-Recv-Key = 0x3d7918ad48100976d9f4db012a50f82b6dba74d3777f6bdca2648b0db3eb9650
        MS-MPPE-Send-Key = 0xd4fcd3d81bc0e75431a4baa52fff9b7dce70f1cf1025fe2aac060f30f45b35bb
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "jmcsparin"
Finished request 49.


Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcsparin at hillcountrymemorial.org



________________________________
From: freeradius-users-bounces+jmcsparin=hillcountrymemorial.org at lists.freeradius.org [mailto:freeradius-users-bounces+jmcsparin=hillcountrymemorial.org at lists.freeradius.org] On Behalf Of Brian Julin
Sent: Wednesday, January 04, 2012 10:49 AM
To: FreeRadius users mailing list
Subject: RE: Using FreeRadius to override VLAN Assignment

The first order of business would be to run freeradius in debug mode, or launch an eapol_test client against it, and look to see whether the attribute is being sent.  If you do not know whether the attribute is being sent, you cannot determine whether it is the AP or the freeradius server that needs fixing.

________________________________
From: freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org [mailto:freeradius-users-bounces+bjulin=clarku.edu at lists.freeradius.org] On Behalf Of McSparin, Joe
Sent: Wednesday, January 04, 2012 11:00 AM
To: FreeRadius users mailing list
Subject: Using FreeRadius to override VLAN Assignment


I have put the following into my users file

DEFAULT  Auth-Type = "ntlm_auth"
                Tunnel-Type = "VLAN",
                Tunnel-Medium-Type = "IEEE-802",
                Tunnel-Private-Group-id = "1001"

I have told my access point to Allow RADIUS Override on the VLAN Assignment; however, the VLAN is not getting overridden.  Does the above entry in my users file not actually send back a VLAN assignment, and if not, is there somewhere else this is supposed to be done?

Joseph R. McSparin
Network Administrator
Hill Country Memorial Hospital
830 990 6638 phone
830 990 6623 fax
jmcsparin at hillcountrymemorial.org

________________________________
This email message and any attachments are for the sole use of the intended recipient(s) and contain confidential and/or privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments.
