VLAN assignment to HP Switch with 802.1x client

Shaw, Colin M. c.m.shaw at abdn.ac.uk
Thu Aug 8 12:07:02 CEST 2013


I'm in the process of attempting to move our 802.1x services off of an aging freeRADIUS (v1) server onto a newly built server running freeRADIUS v2.2

Tests so far with wireless clients using 802.1x PEAP/MS-CHAPv2 are working ok. Clients can authenticate (against AD) and be assigned the different vlans that I want them to be assigned. So the authentication, AD interaction & vlan assignment are all working as should be there.

However, we also use wired 802.1x on some of our HP 5406 switches. This currently works fine with the existing old freeRADIUS server, so the actual switch configs (I've tested more than one) must be ok. But I cannot get the switches to use the assigned vlan that the clients (who again use PEAP/MS-CHAPv2) are given with the new freeRADIUS server. I've not changed the vlans that are to be used, the only change is the switch now points to the new RADIUS server.

Running radiusd -X shows that the correct attributes are still being supplied early on in the authenticate process:
"Sending Access-Challenge of id 123 to x.x.x.x port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "resnet"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e74c686cb9198540381901eb"

Note I've also tried the vlan id number as well as the name (although the name works fine in the old server, so should be fine here). Plus I've tried using Egress-VLANID or Egress-VLAN-Name, but it made no difference. Lastly, for testing purposes, if I insert the required attributes into the default post-auth then it all works and the wired client is assigned the correct vlan, so again the switch side must be ok and I also therefore presume all the dictionary entries are there as required. But I shouldn't need (or want) to do this.
i.e. in post-auth
        update reply {
                Tunnel-Type := "VLAN"
                Tunnel-Medium-Type := "IEEE-802"
               Tunnel-Private-Group-ID := "resnet"

It's as though the attributes are being removed or ignored somewhere in the PEAP/inner-tunnel process (but that's just a guess).
What am I just not getting here? I'm sure it must be something simple but I can't see it.

Hopefully this sort of thing has been done enough times that someone out there has fallen into whatever trap I currently find myself in and can point me in the right direction I need to be looking. But if not, I can of course supply the output of radiusd -X and the switch debug if it's going to help any.

Thanks in advance,

The University of Aberdeen is a charity registered in Scotland, No SC013683.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130808/e6b56a2e/attachment.html>

More information about the Freeradius-Users mailing list