Dynamic vlan assignment
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Fri Jul 19 16:29:57 CEST 2013
On 19 Jul 2013, at 15:10, Dario Palmisano <Dario.Palmisano at icgeb.org> wrote:
> On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
>> On 19 Jul 2013, at 14:37, Dario Palmisano <Dario.Palmisano at icgeb.org> wrote:
>>> Hello Everybody,
>>>
>>> I am configuring my freeradius to be integrated in the EDUROAM
>>> federation. It works when the VLAN (as configured in the accesspoint) is
>>> statically assigned.
>>>
>>> Now I would like to implement a "dynamic vlan assignment" on a per user
>>> basis; in this case the Macintosh I am using for test gets authenticated
>>> but is not able to get the ip address from DHCP (it shows as
>>> 169.254.120.248), so remaining isolated.
>>>
>>> I carefully followed instructions (regarding the accesspoint and
>>> freeradius) and searched the web for a possible reason, but
>>> unsuccessfully.
>>>
>>> I am not sure the problem is not in the accesspoint configuration (a
>>> CISCO AP1131AG), anyway the accesspoint receives the indication to use
>>> the specified vlan.
>>
>> You want to post the contents of an Access-Accept so we can check you're
>> sending the correct attributes
>>
>> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
>> FreeRADIUS Development Team
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
> Here you can download the (almost complete) debug log. Near the end I added a
> text to make evident when I disconnected.
>
> http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en
For everyone following along at home:

Sending Access-Accept of id 189 to 172.16.254.45 port 1645
        Tunnel-Type:0 := VLAN
        Tunnel-Medium-Type:0 := IEEE-802
        Tunnel-Private-Group-Id:0 := "220"
        User-Name = "palmi"
        MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
        MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
        EAP-Message = 0x030a0004
        Message-Authenticator = 0x00000000000000000000000000000000

Which looks ok to me. I'm guessing VLAN 220 is actually configured on the NAS? Some also require you to send back 'Service-Type = Framed-User'.

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
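
The check made by eye in the message above, written out as an added example (not part of the original post and not FreeRADIUS code): it parses debug-style attribute lines from one Access-Accept and verifies the three tunnel attributes, their tags, the VLAN ID range, and the Service-Type remark. The names `parse_attributes` and `check_vlan_reply` are hypothetical, and the sample is constructed from the attributes quoted in this thread.

```python
import re

# Constructed sample: attribute lines of the Access-Accept quoted in this thread
# (MS-MPPE key material left out; the check does not need it).
SAMPLE_ACCEPT = '''Sending Access-Accept of id 189 to 172.16.254.45 port 1645
Tunnel-Type:0 := VLAN
Tunnel-Medium-Type:0 := IEEE-802
Tunnel-Private-Group-Id:0 := "220"
User-Name = "palmi"
EAP-Message = 0x030a0004
'''

# name, optional :tag, operator, value: the layout of the debug output above
LINE_RE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(?::=|\+=|==|=)\s*(.+?)\s*$')
REQUIRED = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}

def parse_attributes(text):
    """Return {name: (tag, value)} for every attribute line; other lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, tag, value = m.groups()
            attrs[name] = (int(tag) if tag else 0, value.strip('"'))
    return attrs

def check_vlan_reply(text):
    """Return (errors, warnings) for the dynamic-VLAN attributes of one reply."""
    attrs, errors, warnings = parse_attributes(text), [], []
    for name, want in REQUIRED.items():
        if name not in attrs:
            errors.append(f"missing {name}")
        elif attrs[name][1] != want:
            errors.append(f"{name} is {attrs[name][1]}, expected {want}")
    vlan = attrs.get("Tunnel-Private-Group-Id")
    if vlan is None:
        errors.append("missing Tunnel-Private-Group-Id")
    elif vlan[1].isdecimal() and not 1 <= int(vlan[1]) <= 4094:
        errors.append(f"VLAN ID {vlan[1]} outside 1-4094")
    elif not vlan[1].isdecimal():
        warnings.append("non-numeric VLAN value; confirm the NAS accepts VLAN names")
    tags = {attrs[n][0] for n in (*REQUIRED, "Tunnel-Private-Group-Id") if n in attrs}
    if len(tags) > 1:
        errors.append("tunnel attributes carry different tags and will not be grouped")
    if "Service-Type" not in attrs:
        warnings.append("no Service-Type; some NAS require Service-Type = Framed-User")
    return errors, warnings

if __name__ == "__main__":
    print(check_vlan_reply(SAMPLE_ACCEPT))
```

A clean result here only shows the reply is well-formed; whether VLAN 220 exists on the NAS still has to be checked on the access point itself.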