Radius not giving VLAN after reconnect

Alan DeKok aland at deployingradius.com
Tue Sep 26 16:27:21 CEST 2017


On Sep 26, 2017, at 10:01 AM, Matthew Pulis <mpulis at gmail.com> wrote:
> But isn't it strange that after disabling it, there is still the problem?

  Yes.  As always, read the debug output to see what it's doing.

> Is the server getting the info from the cache still?

  If you disable the cache, no.  You can always read the debug output to see if the cache is being used.

  You didn't post a successful authentication with VLAN assignment.  So it's impossible for us to see the difference between a working and non-working authentication.

  The debug output you posted *does* show this:

(97) Virtual server sending reply
(97) eap_ttls: Got tunneled Access-Accept
(97) eap: Sending EAP Success (code 3) ID 129 length 4

  i.e. the inner-tunnel server returns *nothing*.  No attributes, and no VLAN assignment.

  If you're trying to add VLAN attributes in the "default" virtual server, in post-auth, the debug output shows:

(97)     if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") {
(97)     Searching for user in group "cn=Teachers,ou=School,dc=seminary,dc=ad"
rlm_ldap (ldap): Reserved connection (20)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results

  Were you doing VLAN assignment in the post-auth section, via LDAP-Group checking?  If so "search returned no results" explains why it's not working.

  As always, *reading* the debug output helps enormously.

  And you haven't described what you're doing.  "VLAN assignment" is a very high level description.  What "unlang" statements are being used to do VLAN assignment?  When are they being run?

  The problems you're running into are very common.  The root cause is that you don't have clear requirements for what the server should do.  Or at least, you haven't explained them here.  On top of that, reading the debug output is instructive.  It tells you not only *when* your VLAN assignment is being run, but WHY it's being run or not being run.  Reading it will tell you 99% of what you need to know to solve the problem.

  So *describe what you want to do*.  Maybe then we can help you.

  Alan DeKok.
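
Added example, not part of the original message and not FreeRADIUS project code: a small Python pass over debug output that pulls out, per request, the LDAP group check whose search came back empty and the filter that was actually sent. The sample is the excerpt quoted above with long lines wrapped; the function name, the field names and the reading of "anonymous" as the outer EAP identity are assumptions made for this example.

```python
import re

# Constructed sample: the debug lines quoted in the message, long lines wrapped.
SAMPLE = """\
(97) Virtual server sending reply
(97) eap_ttls: Got tunneled Access-Accept
(97) eap: Sending EAP Success (code 3) ID 129 length 4
(97)     if (Ldap-Group == "cn=Teachers,ou=School,dc=seminary,dc=ad") {
(97)     Searching for user in group
"cn=Teachers,ou=School,dc=seminary,dc=ad"
rlm_ldap (ldap): Reserved connection (20)
(97)     EXPAND (cn=%{%{Stripped-User-Name}:-%{User-Name}})
(97)        --> (cn=anonymous)
(97)     Performing search in "ou=SeminaryOU,dc=seminary,dc=local" with
filter "(cn=anonymous)", scope "sub"
(97)     Waiting for search result...
(97)     Search returned no results
"""

# \s+ also matches the newline where a long debug line was wrapped.
PATTERNS = {
    "tunnel": re.compile(r"^\((\d+)\)\s+eap_ttls: Got tunneled Access-Accept", re.M),
    "group": re.compile(r'^\((\d+)\)\s+Searching for user in group\s+"([^"]*)"', re.M),
    "search": re.compile(
        r'^\((\d+)\)\s+Performing search in "([^"]*)" with\s+filter "([^"]*)"', re.M),
    "empty": re.compile(r"^\((\d+)\)\s+Search returned no results", re.M),
}

def failed_group_checks(debug_text):
    """Return one finding per LDAP search that returned no results, in log order."""
    events = sorted((m.start(), kind, m) for kind, rx in PATTERNS.items()
                    for m in rx.finditer(debug_text))
    state, findings = {}, []
    for _, kind, m in events:
        req = state.setdefault(m.group(1), {
            "request": m.group(1), "tunneled_accept": False,
            "group": None, "base": None, "filter": None})
        if kind == "tunnel":
            req["tunneled_accept"] = True
        elif kind == "group":
            req["group"] = m.group(2)
        elif kind == "search":
            req["base"], req["filter"] = m.group(2), m.group(3)
        else:  # "empty": snapshot what this request had searched for
            flt = req["filter"] or ""
            # Assumption: "anonymous" is the outer EAP identity, not a directory entry.
            findings.append(dict(req, anonymous_identity="anonymous" in flt.lower()))
    return findings

if __name__ == "__main__":
    for finding in failed_group_checks(SAMPLE):
        print(finding)
```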




