Dynamic vlan assignment

Dario Palmisano Dario.Palmisano at icgeb.org
Fri Jul 19 17:10:53 CEST 2013


On Friday 19 July 2013 16:29:57 Arran Cudbard-Bell wrote:
> On 19 Jul 2013, at 15:10, Dario Palmisano <Dario.Palmisano at icgeb.org> wrote:
> > On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
> >> On 19 Jul 2013, at 14:37, Dario Palmisano <Dario.Palmisano at icgeb.org> wrote:
> >>> Hello Everybody,
> >>>
> >>> I am configuring my freeradius to be integrated in the EDUROAM
> >>> federation. It works when the VLAN (as configured in the accesspoint)
> >>> is statically assigned.
> >>>
> >>> Now I would like to implement a "dynamic vlan assignment" on a per user
> >>> basis; in this case the Macintosh I am using for test gets
> >>> authenticated but is not able to get the ip address from DHCP (it shows
> >>> as 169.254.120.248), so remaining isolated.
> >>>
> >>> I carefully followed instructions (regarding the accesspoint and
> >>> freeradius) and searched the web for a possible reason, but
> >>> unsuccessfully.
> >>>
> >>> I am not sure the problem is not in the accesspoint configuration (a
> >>> CISCO AP1131AG), anyway the accesspoint receives the indication to use
> >>> the specified vlan.
> >>
> >> You want to post the contents of an Access-Accept so we can check you're
> >> sending the correct attributes
> >>
> >> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> >> FreeRADIUS Development Team
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >
> > Here you can download the (almost complete) debug log. Near the end I
> > added a text to make evident when I disconnected.
> >
> > http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en
> 
> For everyone following along at home:
> 
> Sending Access-Accept of id 189 to 172.16.254.45 port 1645
> 	Tunnel-Type:0 := VLAN
> 	Tunnel-Medium-Type:0 := IEEE-802
> 	Tunnel-Private-Group-Id:0 := "220"
> 	User-Name = "palmi"
> 	MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
> 	MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
> 	EAP-Message = 0x030a0004
> 	Message-Authenticator = 0x00000000000000000000000000000000
> 
> Which looks ok to me. I'm guessing VLAN 220 is actually configured on the
>  NAS? Some also require you to send back 'Service-Type = Framed-User'.

Yes, vlan 220 is assigned (statically) to "XXX-WPA" SSID.

If file users contains:

palmi		Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
	Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

and I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it does 
not work. If I connect to SSID XXX-ER (assigned in accesspoint to vlan 218) it 
works.

If file users contains:

palmi		Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
	Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220

if I connect to SSID XXX-ER (assigned in accesspoint to vlan 218), it does not 
work, if I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it 
works.

Modifying users file as suggested:

palmi		Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
	Service-Type := Framed-User, Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220

did not change the result.




> 
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
> 
> -
> List info/subscribe/unsubscribe? See
>  http://www.freeradius.org/list/users.html
> 
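
Added example, not part of the original thread or of FreeRADIUS: a small Python check that reads an Access-Accept block from debug output, verifies the three VLAN tunnel attributes, and compares the returned VLAN with the static VLAN of the SSID the client joined, which is the pattern the tests above show. The sample text is constructed from the thread (keys omitted); the function names and the SSID_VLAN table are assumptions.

```python
import re

# Constructed sample in FreeRADIUS debug-output style (MPPE keys omitted).
SAMPLE = '''Sending Access-Accept of id 189 to 172.16.254.45 port 1645
    Tunnel-Type:0 := VLAN
    Tunnel-Medium-Type:0 := IEEE-802
    Tunnel-Private-Group-Id:0 := "220"
    User-Name = "palmi"
    EAP-Message = 0x030a0004
'''

# SSID -> static VLAN on the access point, as described in the thread.
SSID_VLAN = {"XXX-WPA": 220, "XXX-ER": 218}

# Indented "Name[:tag] (:=|=) value" line, value optionally double-quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::\d+)?\s*:?=\s*"?([^"\n]*)"?\s*$')

def parse_accept(text):
    """Return the attributes of the first Access-Accept block as a dict."""
    attrs, inside = {}, False
    for line in text.splitlines():
        if line.startswith("Sending Access-Accept"):
            inside = True
        elif inside:
            m = ATTR_RE.match(line)
            if not m:
                break  # end of the indented attribute list
            attrs[m.group(1).lower()] = m.group(2).strip()
    return attrs

def check_vlan(text, ssid):
    """List problems with the VLAN attributes for a client on `ssid`."""
    a, problems = parse_accept(text), []
    if a.get("tunnel-type") != "VLAN":
        problems.append("Tunnel-Type is not VLAN")
    if a.get("tunnel-medium-type") != "IEEE-802":
        problems.append("Tunnel-Medium-Type is not IEEE-802")
    vlan = a.get("tunnel-private-group-id", "")
    if not vlan.isdigit() or not 1 <= int(vlan) <= 4094:
        problems.append("Tunnel-Private-Group-Id is not a VLAN ID (1-4094)")
    elif int(vlan) != SSID_VLAN.get(ssid):
        problems.append(f"VLAN {vlan} differs from the VLAN of SSID {ssid}")
    return problems
```

An empty list from check_vlan means the attributes are well formed and the returned VLAN matches the SSID's static VLAN; a non-empty list names what to look at first.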


