FR3.0.11 with ldap + 802.1x + dynamic Vlan assignment.
Vlad Kratsberg
vkratsberg at gmail.com
Wed Mar 9 21:38:50 CET 2016
Correction regarding version 3.0.4:
The correct output is in the peap section; it keeps insisting on mschap after
performing the following change:
b. PEAP section: changed default_eap_type to gtc
Using cached TLS configuration from previous invocation
  # Linked to sub-module rlm_eap_peap
  peap {
    tls = "tls-common"
    default_method = "mschapv2"
    copy_request_to_tunnel = no
    use_tunneled_reply = no
    proxy_tunneled_request_as_eap = yes
    virtual_server = "inner-tunnel"
    soh = no
    require_client_cert = no
On Wed, Mar 9, 2016 at 3:14 PM, Vlad Kratsberg <vkratsberg at gmail.com> wrote:
> Hi Freeradius Users,
>
> We are using FR3.0.11 and are trying to set up 802.1x authentication. We
> are using eap-gtc inside peap.
>
> Here is what was configured:
>
> 1. mods-available/ldap + symlink to mods-enabled/ldap
>
> 2. mods-enabled/eap
> a. EAP section: changed default_eap_type to peap
> b. PEAP section: changed default_eap_type to gtc
>
> 3. mods-config/files/authorize
>
> Added the following:
>
> DEFAULT Ldap-Group == "juniper-admins"
>     Service-Type = "Login-User",
>     Idle-Timeout = 600,
>     Juniper-Local-User-Name = "admin",
>     Tunnel-Type = VLAN,
>     Tunnel-Medium-Type = IEEE-802,
>     Tunnel-Private-Group-ID = 505,
>     Filter-Id = "USERS-FILTER"
>
> Here is the full debug:
>
> http://pastebin.com/Lugmz3yc
>
> The result:
>
> Ldap works, user gets authenticated, and Access-Accept message is received
> however Vlan attributes and Filter-id are not present in Access-Accept.
>
> Freeradius-2.1.12 version returns attributes just fine.
>
> P.S.: The reason why I'm not using the available RPM FR_3.0.4 is because when
> I perform change number 2.a. (eap section) as described above, freeradius
> doesn't recognize it and displays the default config:
>
> ================================================
>
> # Loading module "eap" from file /etc/raddb/mods-enabled/eap
> eap {
>   default_eap_type = "mschapv2"
>   timer_expire = 60
>   ignore_unknown_eap_types = no
>   cisco_accounting_username_bug = no
>   max_sessions = 16384
>
> =================================================
>
> I would appreciate any help or point in the right direction.
>
> Thanks
> Vlad
>
>