Cisco WLC - Freeradius Vlan assignment problem

Martin Silvero silvero.martin at gmail.com
Wed Jun 13 23:02:11 CEST 2012


Hi Matthew,

I checked that out and it's configured as you suggested. The AAA Override
option is enabled.

The vlan attributes are these:

Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = VLAN_ID

It works fine when we use the AP against the radius server, but when we use
the WLC against the Radius server the process is not getting to the
attributes assignment part, because (I guess) it's not getting something in
the Huntgroup variable.

This is the difference. The one that works:

server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> FALSE
++? if (!Huntgroup-Name) -> FALSE
++? if (Huntgroup-Name == "list")
? Evaluating (Huntgroup-Name == "list") -> TRUE
++? if (Huntgroup-Name == "list") -> TRUE
++- entering if (Huntgroup-Name == "list") {...}
+++? if (Ldap-Group == "WIFI-Direccion")

"WIFI-Direccion" is the first LDAP group to check if the user is in.

The one that does not work:

server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> TRUE
++? if (!Huntgroup-Name) -> TRUE
++- entering if (!Huntgroup-Name) {...}
+++[reply] returns ok
++- if (!Huntgroup-Name) returns ok
++? if (Huntgroup-Name == "list")
(Attribute Huntgroup-Name was not found)

Apart from this, I see differences in other parts of the radius debug like
this:

The one that works:

rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=199, length=136
    User-Name = "fcanales"
    Framed-MTU = 1400
    Called-Station-Id = "001d.4551.7da0"
    Calling-Station-Id = "5894.6b0d.e86c"
    Service-Type = Login-User
    Message-Authenticator = 0x645687565f9d60e3b76f5ffac29b74a1
    EAP-Message = 0x0202000d016663616e616c6573
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 59460
    NAS-IP-Address = 10.32.2.39
    NAS-Identifier = "ap-Reco32"

The one that does not work:

rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=113, length=232
    User-Name = "fcanales"
    Calling-Station-Id = "58-94-6b-0d-e8-6c"
    Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
    NAS-Port = 1
    Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
    NAS-IP-Address = 10.32.2.81
    NAS-Identifier = "Iplan_wcs"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "60"
    EAP-Message = 0x0202000d016663616e616c6573
    Message-Authenticator = 0x77344c030301e2389311b1dde163a5b7

The differences in "Calling-Station-Id", "Called-Station-Id" and
"Service-Type", for example.

Is it possible that WLC is sending the information in a way that Radius
cannot process?

Thanks!
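
Added example (not part of the original post): a small Python parser for the two Access-Request dumps quoted above that normalizes the AP-style and WLC-style station IDs before comparing attributes, so differences in notation are separated from differences in content. The sample input is abridged from the quoted dumps, and the function names are illustrative.

```python
import re

# Constructed sample input: attributes abridged from the two Access-Request
# dumps quoted in the post (AP first, WLC second).
AP_REQUEST = """\
User-Name = "fcanales"
Called-Station-Id = "001d.4551.7da0"
Calling-Station-Id = "5894.6b0d.e86c"
Service-Type = Login-User
NAS-IP-Address = 10.32.2.39
"""
WLC_REQUEST = """\
User-Name = "fcanales"
Calling-Station-Id = "58-94-6b-0d-e8-6c"
Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
NAS-IP-Address = 10.32.2.81
Service-Type = Framed-User
Tunnel-Private-Group-Id:0 = "60"
"""

# "Name[:tag] = value", with optional double quotes around the value.
ATTR_RE = re.compile(r'\s*([\w-]+)(?::\d+)?\s*=\s*"?(.*?)"?\s*')
# Six hex pairs with optional '-', ':' or '.' separators, then optional ":SSID".
STATION_RE = re.compile(r"((?:[0-9a-f]{2}[-:.]?){6})(?::(.*))?", re.I)
STATION_ATTRS = {"Calling-Station-Id", "Called-Station-Id"}

def normalize_station_id(value):
    """Return (colon-separated lowercase MAC, SSID or None)."""
    m = STATION_RE.fullmatch(value)
    if not m:
        raise ValueError(f"unrecognised station id: {value!r}")
    digits = re.sub(r"[^0-9a-f]", "", m.group(1).lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)), m.group(2)

def parse_request(dump):
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.fullmatch(line)
        if m:
            name, value = m.groups()
            attrs[name] = normalize_station_id(value) if name in STATION_ATTRS else value
    return attrs

def diff_requests(a, b):
    """Map attribute name -> (value in a, value in b) where they differ."""
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

if __name__ == "__main__":
    print(diff_requests(parse_request(AP_REQUEST), parse_request(WLC_REQUEST)))
```

With the MAC notation normalized, Calling-Station-Id is identical in both requests; what remains different is the called station (the WLC appends the SSID), the NAS address, Service-Type and the tunnel attribute present only in the WLC request.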