Dynamic vlan assignment
Dario Palmisano
Dario.Palmisano at icgeb.org
Fri Jul 19 17:10:53 CEST 2013
On Friday 19 July 2013 16:29:57 Arran Cudbard-Bell wrote:
> On 19 Jul 2013, at 15:10, Dario Palmisano <Dario.Palmisano at icgeb.org> wrote:
> > On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
> >> On 19 Jul 2013, at 14:37, Dario Palmisano <Dario.Palmisano at icgeb.org> wrote:
> >>> Hello Everybody,
> >>>
> >>> I am configuring my freeradius to be integrated in the EDUROAM
> >>> federation. It works when the VLAN (as configured in the accesspoint)
> >>> is statically assigned.
> >>>
> >>> Now I would like to implement a "dynamic vlan assignment" on a per user
> >>> basis; in this case the Macintosh I am using for test gets
> >>> authenticated but is not able to get the IP address from DHCP (it shows
> >>> as 169.254.120.248), so remaining isolated.
> >>>
> >>> I carefully followed instructions (regarding the accesspoint and
> >>> freeradius) and searched the web for a possible reason, but
> >>> unsuccessfully.
> >>>
> >>> I am not sure the problem is not in the accesspoint configuration (a
> >>> CISCO AP1131AG), anyway the accesspoint receives the indication to use
> >>> the specified vlan.
> >>
> >> You want to post the contents of an Access-Accept so we can check you're
> >> sending the correct attributes
> >>
> >> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> >> FreeRADIUS Development Team
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >
> > Here you can download the (almost complete) debug log. Near the end I
> > added a text to make evident when I disconnected.
> >
> > http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en
>
> For everyone following along at home:
>
> Sending Access-Accept of id 189 to 172.16.254.45 port 1645
> Tunnel-Type:0 := VLAN
> Tunnel-Medium-Type:0 := IEEE-802
> Tunnel-Private-Group-Id:0 := "220"
> User-Name = "palmi"
> MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
> MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
> EAP-Message = 0x030a0004
> Message-Authenticator = 0x00000000000000000000000000000000
>
> Which looks ok to me. I'm guessing VLAN 220 is actually configured on the
> NAS? Some also require you to send back 'Service-Type = Framed-User'.
Yes, vlan 220 is assigned (statically) to "XXX-WPA" SSID.

If file users contains:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

and I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it does
not work. If I connect to SSID XXX-ER (assigned in accesspoint to vlan 218) it
works.

If file users contains:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220

If I connect to SSID XXX-ER (assigned in accesspoint to vlan 218), it does not
work. If I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it
works.

Modifying users file as suggested:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Service-Type := Framed-User, Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220

did not change the result.
>
> Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> FreeRADIUS Development Team
>
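
The attribute check discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS: it parses a debug-log Access-Accept and verifies that Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id are all present under the same tag. The function names and the `nas_vlans` parameter are hypothetical, and the sample is an abridged copy of the reply quoted above with the key material left out.

```python
import re

# Abridged copy of the Access-Accept quoted in the thread (key attributes omitted).
SAMPLE = '''\
Sending Access-Accept of id 189 to 172.16.254.45 port 1645
    Tunnel-Type:0 := VLAN
    Tunnel-Medium-Type:0 := IEEE-802
    Tunnel-Private-Group-Id:0 := "220"
    User-Name = "palmi"
    EAP-Message = 0x030a0004
'''

# name, optional :tag, operator, value (as printed in the debug output)
ATTR = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(?::=|\+=|==|=)\s*(.+?)\s*$')

def parse_reply(text):
    """Return {(attribute, tag): value} for the attribute lines of a debug dump."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            name, tag, value = m.groups()
            attrs[(name.lower(), int(tag or 0))] = value.strip('"')
    return attrs

def check_vlan_assignment(text, nas_vlans=None):
    """List problems with the VLAN triplet; nas_vlans (hypothetical) is the
    set of VLAN ids, as strings, that the operator says exist on the NAS."""
    attrs = parse_reply(text)
    problems = []
    tags = sorted({t for (n, t) in attrs if n == 'tunnel-private-group-id'})
    if not tags:
        return ['no Tunnel-Private-Group-Id in reply']
    for tag in tags:
        vlan = attrs[('tunnel-private-group-id', tag)]
        # Accept the dictionary names or their numeric values (13 and 6).
        if attrs.get(('tunnel-type', tag)) not in ('VLAN', '13'):
            problems.append(f'tag {tag}: Tunnel-Type is not VLAN')
        if attrs.get(('tunnel-medium-type', tag)) not in ('IEEE-802', '6'):
            problems.append(f'tag {tag}: Tunnel-Medium-Type is not IEEE-802')
        if vlan.isdigit() and not 1 <= int(vlan) <= 4094:
            problems.append(f'tag {tag}: VLAN id {vlan} out of range')
        if nas_vlans is not None and vlan not in nas_vlans:
            problems.append(f'tag {tag}: VLAN {vlan} not in the list given for the NAS')
    if ('service-type', 0) not in attrs:
        problems.append('note: no Service-Type (some NAS want Framed-User)')
    return problems
```

A result containing only the Service-Type note, as for the reply in this thread, means the RADIUS side is sending a complete triplet and the remaining place to look is the NAS configuration.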