VLAN assignment to HP Switch with 802.1x client
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 8 12:27:54 CEST 2013
On 08/08/13 11:07, Shaw, Colin M. wrote:
> difference. Lastly, for testing purposes, if I insert the required
> attributes into the default post-auth then it all works and the wired
> client is assigned the correct vlan, so again the switch side must be ok
> and I also therefore presume all the dictionary entries are there as
> required. But I shouldn’t need (or want) to do this.

Yes you should. You should always aim to set these attributes in
post-auth; otherwise you'll see what you are seeing, the attributes
getting set in access-challenge. This is a function of how EAP is
processed by the server.

> It’s as though the attributes are being removed or ignored somewhere in
> the PEAP/inner-tunnel process (but that’s just a guess).
>
> What am I just not getting here? I’m sure it must be something simple
> but I can’t see it.

Without a full debug, it's not obvious what you need to change, because
it's not obvious what you are doing. But it *might* be that you've
missed "use_tunneled_reply" in the "peap {}" section.

>
> Hopefully this sort of thing has been done enough times that someone out
> there has fallen into whatever trap I currently find myself in and can
> point me in the right direction I need to be looking. But if not, I can
> of course supply the output of radiusd -X and the switch debug if it’s
> going to help any.

Yes, it will.
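
The two settings named in the reply above, as an added configuration sketch that is not part of the original message or the poster's setup. It assumes FreeRADIUS 2.x file names, the standard RFC 3580 VLAN attributes, and a constructed VLAN ID of 10.

```conf
# eap.conf, inside the eap { ... } module section
peap {
	default_eap_type = mschapv2

	# The shipped default is "no". With "no", reply attributes
	# produced inside the tunnel are not copied to the outer reply.
	# With "yes", they are copied into the final Access-Accept.
	use_tunneled_reply = yes

	virtual_server = "inner-tunnel"
}

# sites-available/inner-tunnel, inside server inner-tunnel { ... }
# (the same update block can instead go in the post-auth section of
# sites-available/default, which is what the quoted test did)
post-auth {
	# post-auth runs once, when the final result is known, so these
	# attributes go out with the Access-Accept and not with the
	# Access-Challenge packets of the EAP exchange.
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
		# Constructed example value: replace with the real VLAN ID.
		Tunnel-Private-Group-Id := "10"
	}
}
```

In the `radiusd -X` output, the three Tunnel attributes should then be listed under the Access-Accept sent to the switch and not under any Access-Challenge.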