passing Tunnel-Private-Group-ID
Daniel Lietz
dlietz at inghamisd.org
Mon May 14 21:34:52 CEST 2018
I have an existing freeradius version 1 server running on SLES 11sp1/OES11 that I've been using to authenticate eDirectory users to an Aruba SSID for the last 3 years. I have it configured so that the tunnel-private-group-id for the user gets passed from the freeradius server to the Aruba Instant controller and the controller uses that info to determine what vlan to place the user's connection on.
Now, I'm trying to build a refresh version on SLES 12sp1 running freeradius 3. I have authentication working, but when I authenticate against the new server, the vlan tag is either not getting sent back to the wireless controller or it's not getting read by the controller correctly. There are enough differences between version 1 and 3 that I'm not sure I haven't missed configuring something in the config files, but I'm not sure what or where.
The biggest differences I can see in the logs are below.
Working:
Sending Access-Challenge of id 150 to 10.54.132.1 port 55863
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "522"
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x61f33bde61f12206396dd89bd040fb65
. . . . .
. . . . .
Sending Access-Accept of id 160 to 10.54.132.1 port 55863
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "522"
User-Name = "jdoe"
MS-MPPE-Recv-Key = 0x9fc20013bcd79d85426c59d217074da2a62fa085b2b273946ff0b56f0d68eeb4
MS-MPPE-Send-Key = 0x1023bd245612de58472963f64c82929f510dfb8038690c505d00c7307fe11003
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
Failing server does not seem to be sending the needed info to the controller...
Sending Access-Challenge Id 183 from 10.48.2.43:1812 to 10.54.132.1:58610
EAP-Message = 0x010b002b190017030100206606c1b37f84e37ae51866ee89c54dd83403ab1033615612a1b8327ce6095a39
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbe086328b7037aa60922ff842520e94a
. . . . . .
. . . . . .
Sending Access-Accept Id 184 from 10.48.2.43:1812 to 10.54.132.1:58610
User-Name = 'jdoe'
MS-MPPE-Recv-Key = 0x6813759122dfe3edc7e5e15717d70e89867ff9d9852990f498c612b39c835e83
MS-MPPE-Send-Key = 0xf8a9ba48f812c013d0eee3b66272532ce30ffaecb8905597a8526f6a0f606495
EAP-Message = 0x030b0004
Message-Authenticator = 0x00000000000000000000000000000000
I'm just not sure what's missing though. Any assistance is appreciated and let me know if there's more info needed.
Thanks.
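Added example, not part of the original post: a small Python check that reads debug output in the two formats quoted above and reports which of the three VLAN attributes each Access-Accept lacks. The function names are hypothetical and the sample traces are abridged from the post; other debug formats are not handled.

```python
import re

# Attributes the working trace carries in its Access-Accept for VLAN assignment.
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
# Header styles as quoted in the post:
#   "Sending Access-Accept of id 160 to 10.54.132.1 port 55863"
#   "Sending Access-Accept Id 184 from 10.48.2.43:1812 to 10.54.132.1:58610"
HEADER = re.compile(r"^\s*Sending (Access-[A-Za-z]+) (?:of id|Id) (\d+)\b")
# Attribute line; an optional tag suffix such as ":0" is dropped from the name.
ATTR = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)(?::\d+)?\s*=\s*(.+?)\s*$")

def parse_packets(debug_text):
    """Return [(code, id, {attr: value})] for every sent packet in the text."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = HEADER.match(line)
        if m:
            current = (m.group(1), int(m.group(2)), {})
            packets.append(current)
            continue
        m = ATTR.match(line)
        if current is not None and m:
            current[2][m.group(1)] = m.group(2).strip("'\"")
        else:
            current = None  # any other line ends the attribute list
    return packets

def missing_vlan_attrs(debug_text):
    """Map each Access-Accept id to the VLAN attributes it does not carry."""
    return {pid: [a for a in VLAN_ATTRS if a not in attrs]
            for code, pid, attrs in parse_packets(debug_text)
            if code == "Access-Accept"}

# Sample input, abridged from the two traces in the post.
WORKING = """\
Sending Access-Accept of id 160 to 10.54.132.1 port 55863
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "522"
User-Name = "jdoe"
"""
FAILING = """\
Sending Access-Challenge Id 183 from 10.48.2.43:1812 to 10.54.132.1:58610
Sending Access-Accept Id 184 from 10.48.2.43:1812 to 10.54.132.1:58610
User-Name = 'jdoe'
EAP-Message = 0x030b0004
"""

if __name__ == "__main__":
    print(missing_vlan_attrs(WORKING), missing_vlan_attrs(FAILING))
```

An empty list for a packet id means the Access-Accept carried all three attributes; Access-Challenge packets are parsed but not reported.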