VLAN assignment to HP Switch with 802.1x client

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 8 12:27:54 CEST 2013

On 08/08/13 11:07, Shaw, Colin M. wrote:

> difference. Lastly, for testing purposes, if I insert the required
> attributes into the default post-auth then it all works and the wired
> client is assigned the correct vlan, so again the switch side must be ok
> and I also therefore presume all the dictionary entries are there as
> required. But I shouldn’t need (or want) to do this.

Yes you should. You should always aim to set these attributes in 
post-auth; otherwise you'll see what you are seeing, the attributes 
getting set in access-challenge. This is a function of how EAP is 
processed by the server.

> It’s as though the attributes are being removed or ignored somewhere in
> the PEAP/inner-tunnel process (but that’s just a guess).
> What am I just not getting here? I’m sure it must be something simple
> but I can’t see it.

Without a full debug, it's not obvious what you need to change, because 
it's not obvious what you are doing. But it *might* be that you've 
missed "use_tunneled_reply" in the "peap {}" section.

> Hopefully this sort of thing has been done enough times that someone out
> there has fallen into whatever trap I currently find myself in and can
> point me in the right direction I need to be looking. But if not, I can
> of course supply the output of radiusd -X and the switch debug if it’s
> going to help any.

Yes, it will.
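
As an added illustration that is not part of the original message or of either poster's configuration, the two settings mentioned in the reply could look like this in a FreeRADIUS 2.x layout. The file locations, the VLAN ID and the choice of the three RFC 3580 tunnel attributes are assumptions; the thread does not name the attributes the switch requires.

```unlang
# eap.conf (assumed location), inside the existing eap { } module block.
# Other peap settings stay as they are.
peap {
	# Copy reply attributes set while processing the inner tunnel
	# into the outer Access-Accept sent to the switch.
	use_tunneled_reply = yes
}

# post-auth section of the virtual server (assumed: sites-enabled/default
# or sites-enabled/inner-tunnel). post-auth runs after authentication has
# succeeded, so these attributes land in the Access-Accept rather than in
# an intermediate Access-Challenge.
post-auth {
	update reply {
		Tunnel-Type := VLAN
		Tunnel-Medium-Type := IEEE-802
		Tunnel-Private-Group-Id := "20"   # constructed VLAN ID
	}
}
```

Running `radiusd -X` and checking the attribute list of the final Access-Accept shows whether the three attributes actually reach the switch.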
