<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:garamond,new york,times,serif;font-size:10pt">Thank you Joe for your answer!<br><br>We all agree that assocation is made before authentication process, in order to RADIUS to be able to do its stuffs. but the fact is that it doesn't work, and i was wondering what would be the result if i set:<br>"Tunnel-Private-Group-ID = 100" (when the SSID were i am connected is assiged to VLAN 200, according to how my device work) .<br><br><br>I started to ask silly questions because it's true i don't understand nothing anymore with my config!<br>
Basically, i have to use freeradius for authenticate wireless users, all connected on Access points managed by that switch!<br>
i learnt freeradius stuffs and with the help of the guys here, i am now
able to setup it correctly!!! Access point authentication works well,
but end-users authentication doing some EAP fails but stay without no
response after the access-challenge!! (saying no correct login/password
find, or requiring client certificate, depending if i am doing tls or
peap). <br>
please note that it deons'nt tell me that my certificates are
incorrect, it is the reason why i started to think that the AP's don't
relay correctly the EAP negociation! (On XP client client are blocked
on "identity validation" then give up the authentication). As i am
newbie with 802.1x stuffs, i asked "silly" question to fix out my
doubts. it is not easy for me to do it in english!<br>
<br>
<br>
<br>- About the limitations of the device, i posted on d-link support a week ago and i am still waiting for the answer.<br><br>- about RADIUS assigning SSID... it was a silly question of me and the goal was just to be sure that RADIUS authentication events stay on the same SSID. just for confirmation, and now I KNOW.<br><br>- the reason of this confusion for me is what the documentation of dws-3024 says on page 205 and 206 as follow (some parts):<br><br>##############################################################<br>##############################################################<br><span style="font-weight: bold; text-decoration: underline;">NOTE:</span><br>You can configure D-Link Access Points to use 802.1X authentication on the RADIUS server<br>to allow or deny specific users on client stations access to the wireless network. If you enable<br>802.1X authentication, the client entry on a RADIUS server can support user-based VLANs<br>and subnet
assignments for IP tunneling. Table 80 shows the attributes to set for wireless<br>clients within the RADIUS server.<br><br>Table 80. RADIUS Attributes for Wireless Clients<br> RADIUS Server Description Range Usage<br> Attribute<br><span style="font-style: italic;"> User-Name
(1) 1-32 characters Required</span><br style="font-style: italic;"><span style="font-style: italic;"> User-Password (2)
1-128 characters Required</span><br style="font-style: italic;"><span style="font-style: italic;"> Tunnel-Medium-Type (65) 802 Optional</span><br>##############################################################<br><br>The following example shows the entry for a user in the users file. The username is<br>“johndoe,” the password is “test1234.” The user is assigned to
VLAN 77.<br><br><span style="font-style: italic;">johndoe Auth-Type: = EAP, User-Password == “test1234"</span><br style="font-style: italic;"><span style="font-style: italic;"> Tunnel-Type = 13,</span><br style="font-style: italic;"><span style="font-style: italic;"> Tunnel-Medium-Type = 6,</span><br style="font-style: italic;"><span style="font-style: italic;"> Tunnel-Private-Group-ID = 77</span><br style="font-style: italic;"><br>Tunnel-Type and Tunnel-Medium-Type use the same values for all stations. Tunnel-Private-<br>Group-ID is the selected VLAN ID and can be different for each user.<br>NOTE: Do not use the management VLAN ID of the AP for the value of the Tunnel-<br> Private-Group-ID.<br>##############################################################<br>
##############################################################<br>
<br><br>the documentation also says on page 201: (and i dont understand this step, even using a translator. explanation would be appreciated)<br>##############################################################<br><span style="text-decoration: underline; font-weight: bold;">NOTE:</span> <br>This appendix does not describe RADIUS configuration for AP network<br>authentication using 802.1X. This feature is separate from a valid AP<br>configuration entry. The edge device that connects to the AP performs the<br>network authentication. The edge device might not be the D-Link Unified<br>Switch.<br>##############################################################<br><div style="font-family: garamond,new york,times,serif; font-size: 10pt;"><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br>Any people interested in help could just read page 200 - 209 of this documents and give advices.<br>here is the link: <a
href="ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf" target="_blank">ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf</a><br><br><br>thanks a lot!<br>Joel<br><br>--------------------------------------------------------------------------------------------------------------------<br>HI Joel,<br><br> I think the issue here is that the D-Link AP's you have are rather <br>limited.<br><br>Radius can not ever assign an SSID because that step occurs before the <br>user authenticated. Wireless starts with an association from the user <br>to the AP's SSID from there the AP decides what needs to happen. <br><br>Radius can affect VLAN's (generally at least in the Cisco world with <br>'Tunnel-Private-Group-ID', like you meantioned) but you'll never be able <br>to force a user to switch SSID's because that is client controlled.<br><br>AP's map VLAN's to SSID's internally some allow n to
1 and 1 to n <br>relationships, others like your d-links only allow a direct mapping. <br><br>Basically it sounds like you are limited by the constraints of you NAS.<br><br>Joe Vieira<br>UNIX Systems Administrator<br>Clark University<br><br>Joel MBA OYONE wrote:<br>> Alan,<br>><br>> I possess a device from D-Link (DWS-3024). it is a wireless switch <br>> controler, and the documentation says that:<br>> - One SSID has to be affect to one VLAN on the profile.<br>> - An Access point could be configured with up to 8 ifferent SSIDs and <br>> it is possible to affect each SSID on its own network (below is a link <br>> which show you the config page) or all SSID on the same network. <br>> maybe i didn't read it correctly, so here is the link (see page 89-90 <br>> and maybe 91 too.): <br>> <a href="ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf"
target="_blank">ftp://ftp.dlink.fr/DWS/DWS-3024/Manuel/DWS-3000_Series_User_Manual_v2.00.pdf</a><br>><br>> i asked you stuffs about SSIDs/VLAN cause all my APs (about 30) will <br>> receive the same profile, and the profile will have 3 differents SSIDS <br>> with diffrents security access levels and network from the wireless <br>> switch.<br>><br>> for example, in the same room, associated to the same AP, students and <br>> teachers will connect to diffrent SSIDs coming from that same AP, and <br>> some will have to athenticate via EAP-PEAP, other will require EAP-TLS.<br>><br>> this other short file explain point to point what is my config and <br>> waht i am trying to do:<br>> <a href="ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf" target="_blank">ftp://ftp.dlink.fr/DWS/DWS-3024/QIG/QIG_DWS-3024_WPA2.pdf</a><br>> read it and maybe you could understand me.<br>><br>><br>>
regards<br>><br>> Joel MBA OYONE wrote:<br>> >> No. VLAN assignment is after SSID association, and after 802.1x<br>> >> authentication.<br>> ><br>> > OK, is it possible to associate in SSID_1 and be assigned to a different<br>> > VLAN than the we are associated in ?<br>><br>> That doesn't make sense. SSID's aren't tied to VLANs, unless you<br>> configure them that way.<br>><br>> > (exemple, when i am associated to<br>> > SSID_1, which belongs to VLAN100,<br>><br>> No... SSID's have nothing to do with VLAN's.<br>><br>> > RADIUS sends me<br>> > "Tunnel-Private-Group-ID = 200", which belongs to another SSID, what<br>> > would happen and would authentication process success?)<br>><br>> Read your NAS documentation to see how to do VLAN assignment, and how<br>> it interacts with SSID's.<br>><br>> > - if i am
assigned to another couple of SSID/VLAN than the one i am<br>> > connected now by RADIUS, would authentication process restart at the<br>> > beginning?<br>><br>> Stop talking about "SSID/VLAN". They are separate things.<br>><br>> When you do VLAN assignment with RADIUS, you do NOT need to<br>> re-authenticate.<br>><br>> > - is it possible to do EAP-TLS, EAP-PEAP and EAP-MD5 without the use of<br>> > 802.1x when RADIUS is the authentication Server for a supplicant?<br>><br>> What does that mean?<br>><br>> Alan DeKok.<br>> -<br>> List info/subscribe/unsubscribe? See <br>> <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>><br>> __________________________________________________<br>> Do You Yahoo!?<br>> En finir avec le spam? Yahoo! Mail vous offre la meilleure protection <br>>
possible contre les messages non sollicités<br>> <a href="http://mail.yahoo.fr" target="_blank">http://mail.yahoo.fr</a> Yahoo! Mail <br>-<br>List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a></div></div></div><br>__________________________________________________<br>Do You Yahoo!?<br>En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités <br>http://mail.yahoo.fr Yahoo! Mail </body></html>