Cisco AP/Radius

akkouche akkouchekahina at hotmail.fr
Wed Jun 6 10:31:44 CEST 2012


Hello,

I am trying to configure FreeRADIUS with MAC authentication,
but when my client connects it is authorized to access a VLAN which is
not permitted for it.

Here are my logs (freeradius -X):
Sending Access-Accept of id 21 to 157.159.21.222 port 1645
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "33"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 21 with timestamp +38

users file:
001f3c55793b    Auth-Type := Local, Cleartext-Password := "001f3c55793b"
                Tunnel-type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-ID = 33

Configuration of the AP:

no service pad                                                                  
service timestamps debug datetime msec                                          
service timestamps log datetime msec                                            
service password-encryption                                                     
!                                                                               
hostname wifi-b008                                                              
!                                                                               
enable secret 5 $1$Ah/g$eseM58JsjbqFW7u.uU69t/                                  
!                                                                               
ip subnet-zero                                                                  
ip domain name int-evry.fr                                                      
ip name-server 157.159.10.13                                                    
!                                                                               
!                                                                               
aaa new-model                                                                   
!                                                                               
!                          

aaa group server radius rad_admin                                               
 server 157.159.21.220 auth-port 1812 acct-port 1813                            
 cache expiry 1                                                                 
 cache authorization profile admin_cache                                        
 cache authentication profile admin_cache                                       
!                                                                               
aaa group server tacacs+ tac_admin                                              
 cache expiry 1                                                                 
 cache authorization profile admin_cache                                        
 cache authentication profile admin_cache                                       
!                                                                               
aaa group server radius rad_pmip                                                
!                                                                               
aaa group server radius dummy                                                   
!                                                                               
aaa group server radius rad_srv                                                 
 server 157.159.21.220 auth-port 1812 acct-port 1813                            
!                                           

aaa authentication login mac_methods group rad_srv                              
aaa authorization network default group rad_srv                                 
aaa cache profile admin_cache                                                   
 all                                                                            
!                                                                               
aaa session-id common                                                           
dot11 vlan-name b008Admin vlan 21                                               
dot11 vlan-name etudiants vlan 15                                               
dot11 vlan-name permanents vlan 33                                              
dot11 vlan-name thesards vlan 16                                                
!                                                                               
dot11 ssid b008Admin                                                            
   vlan 21                                                                      
   authentication open                                                          
   authentication key-management wpa                                            
   guest-mode                                                                   
   mbssid guest-mode                                                            
   wpa-psk ascii 7 1248011E01021E0B253F752C3A262B01081917                       
!                  
                                                                                    
!                                                                               
dot11 ssid etudiants                                                            
   vlan 15                                                                      
   authentication open mac-address mac_methods                                  
   mbssid guest-mode                                                            
!                                                                               
dot11 ssid permanents                                                           
   vlan 33                                                                      
   authentication open mac-address mac_methods                                  
   mbssid guest-mode                                                            
!                                                                               
dot11 ssid thesards                                                             
   vlan 16                                                                      
   authentication open mac-address mac_methods                                  
   mbssid guest-mode                                                            
!                                                                               
dot11 aaa authentication mac-authen filter-cache                                
dot11 aaa csid unformatted                                                      
dot11 network-map                                                               
!                                                                               
!
username Cisco password 7 0802455D0A16
!                                                                               
bridge irb                                                                      
!                                                                               
!                                                                               
interface Dot11Radio0                                                           
 no ip address                                                                  
 no ip route-cache                                                              
 !                                                                              
 encryption vlan 16 mode ciphers tkip                                           
 !                                                                              
 encryption vlan 21 mode ciphers tkip                                           
 !                                                                              
 encryption mode wep mandatory   
!                                                                              
 !                                                                              
 encryption vlan 15 key 2 size 128bit 7 704856427E9D21265549561E467E transmit-key
 encryption vlan 15 mode wep optional                                           
 !                                                                              
 broadcast-key vlan 33 change 60                                                
 !                                                                              
 !                                                                              
 ssid b008Admin                                                                 
 !                                                                              
 ssid etudiants                                                                 
 !                                                                              
 ssid permanents                                                                
 !                                                                              
 ssid thesards                                                                  
 !                                                                              
 mbssid                                                                         
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 station-role root                                                              
 infrastructure-client
!                                                                               
interface Dot11Radio0.15                                                        
 encapsulation dot1Q 15                                                         
 no ip route-cache                                                              
 bridge-group 2                                                                 
 bridge-group 2 block-unknown-source                                            
 no bridge-group 2 source-learning                                              
 no bridge-group 2 unicast-flooding                                             
 bridge-group 2 spanning-disabled                                               
!                                                                               
interface Dot11Radio0.16                                                        
 encapsulation dot1Q 16                                                         
 no ip route-cache                                                              
 bridge-group 3                                                                 
 bridge-group 3 block-unknown-source                                            
 no bridge-group 3 source-learning                                              
 no bridge-group 3 unicast-flooding                                             
 bridge-group 3 spanning-disabled                                               
!                        

interface Dot11Radio0.21                                                        
 encapsulation dot1Q 21 native                                                  
 no ip route-cache                                                              
 bridge-group 1                                                                 
 bridge-group 1 subscriber-loop-control                                         
 bridge-group 1 block-unknown-source                                            
 no bridge-group 1 source-learning                                              
 no bridge-group 1 unicast-flooding                                             
 bridge-group 1 spanning-disabled                                               
!                                                                               
interface Dot11Radio0.33                                                        
 encapsulation dot1Q 33                                                         
 no ip route-cache                                                              
 bridge-group 4                                                                 
 bridge-group 4 subscriber-loop-control                                         
 bridge-group 4 block-unknown-source                                            
 no bridge-group 4 source-learning                                              
 no bridge-group 4 unicast-flooding                                             
 bridge-group 4 spanning-disabled                                               
!            
!                                                                               
interface FastEthernet0                                                         
 no ip address                                                                  
 no ip route-cache                                                              
 duplex auto                                                                    
 speed auto                                                                     
!                                                                               
interface FastEthernet0.15                                                      
 encapsulation dot1Q 15                                                         
 no ip route-cache                                                              
 bridge-group 2                                                                 
 no bridge-group 2 source-learning                                              
 bridge-group 2 spanning-disabled                                               
!                                                                               
interface FastEthernet0.16                                                      
 encapsulation dot1Q 16                                                         
 no ip route-cache                                                              
 bridge-group 3                                                                 
 no bridge-group 3 source-learning                                              
 bridge-group 3 spanning-disabled                                               
!                    
interface FastEthernet0.21                                                      
 encapsulation dot1Q 21 native                                                  
 no ip route-cache                                                              
 bridge-group 1                                                                 
 no bridge-group 1 source-learning                                              
 bridge-group 1 spanning-disabled                                               
!                                                                               
interface FastEthernet0.33                                                      
 encapsulation dot1Q 33                                                         
 no ip route-cache                                                              
 bridge-group 4                                                                 
 no bridge-group 4 source-learning                                              
 bridge-group 4 spanning-disabled                                               
!                                                                               
interface BVI1                                                                  
 ip address dhcp client-id FastEthernet0                                        
 no ip route-cache    
!                                                                               
ip http server                                                                  
no ip http secure-server                                                        
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface FastEthernet0                                        
!                                                                               
radius-server attribute list 802                                                
!                                                                               
radius-server attribute list 81                                                 
!                                                                               
radius-server host 157.159.21.220 auth-port 1812 acct-port 1813 key 7 071C244F5D
radius-server vsa send authentication 3gpp2                                     
!                                                                               
control-plane                                                                   
!                                                                               
bridge 1 route ip                                                               
!                                                                               
!                                                                               
wlccp wds aaa authentication mac-authen filter-cache                            
wlccp wds aaa csid unformatted                                                  
!                     
wlccp wds aaa csid unformatted                                                  
!                                                                               
line con 0                                                                      
 transport preferred all                                                        
 transport output all                                                           
line vty 0 4                                                                    
 transport preferred all                                                        
 transport input all                                                            
 transport output all                                                           
line vty 5 15                                                                   
 transport preferred all                                                        
 transport input all                                                            
 transport output all                                                           
!                                                                               
end             

What can I do?




