Re: vlan and freeradius

2010-03-04 Thread omega bk
hello,

still with the same issue about vlan assignment.

so to sum up

In my users file:


doctor    Cleartext-Password := mypass
cisco-avpair= tunnel-type(#64)=VLAN(13),
cisco-avpair= tunnel-medium-type(#65) = 802 media(6),
cisco-avpair= tunnel-private-group-ID(#81) = 100,
Session-Timeout = 28800,
Termination-Action = RADIUS-Request

###

in my switch

aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius

dot1x system-auth-control

!
interface FastEthernet0/24   => for successful authentication (client is
wired there)
 switchport access vlan 100
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 120
 spanning-tree portfast

interface FastEthernet0/22
 switchport access vlan 120
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 120
 switchport mode access
 spanning-tree portfast

radius-server host x.x.x.x  auth-port 1812 acct-port 1813 key miamiam
radius-server source-ports 1645-1646
radius-server retransmit 5
radius-server vsa send authentication

---


So the authentication for doctor is good in VLAN 100, but if I change to
cisco-avpair= tunnel-private-group-ID(#81) = 120, I'm stuck in VLAN 100.

Can anyone help me?

thanks









-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: vlan and freeradius

2010-03-04 Thread omega bk
This means the VLAN is not communicated between
FreeRADIUS and the switch, but we don't know why.







Re: vlan and freeradius

2010-03-04 Thread omega bk
yet

} # server inner-tunnel
[peap] Got tunneled reply code 2
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-Id:0 = 120
EAP-Message = 0x030b0004
Message-Authenticator = 0x
User-Name = linatest
[peap] Got tunneled reply RADIUS code 2
Service-Type = Framed-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-Id:0 = 120
EAP-Message = 0x030b0004
Message-Authenticator = 0x
User-Name = linatest
[peap] Tunneled authentication was successful.
[peap] SUCCESS
[peap] Saving tunneled attributes for later

This means FreeRADIUS correctly sent the VLAN attributes, but the switch doesn't
receive them.

Can anyone help me?






Re: vlan and freeradius

2010-03-04 Thread omega bk
This is my show logging on my switch; it means that the switch doesn't receive
a RADIUS VLAN attribute:

Log Buffer (4096 bytes):
Recv-Key   [17]  52  *
02:13:40: RADIUS:  Vendor, Microsoft   [26]  58
02:13:40: RADIUS:   MS-MPPE-Send-Key   [16]  52  *
02:13:40: RADIUS:  EAP-Message [79]  6
02:13:40: RADIUS:   03 0C 00 04  []
02:13:40: RADIUS:  Message-Authenticato[80]  18
02:13:40: RADIUS:   6F AB 6F DA 9C 56 BE E8 E1 F8 0E 78 A9 0A 59 C3
[o?o??V?x??Y?]
02:13:40: RADIUS(0006): Received from id 1645/108
02:13:40: RADIUS/DECODE: EAP-Message fragments, 4, total 4 bytes
02:13:40: dot1x-packet:Received an EAP Success on the FastEthernet0/24 for
mac 0018.8bb5.26b7
02:13:40: dot1x-sm:Posting EAP_SUCCESS on Client=37503F0
02:13:40: dot1x_auth_bend Fa0: during state auth_bend_response, got
event 11(eapSuccess)
02:13:40: @@@ dot1x_auth_bend Fa0: auth_bend_response - auth_bend_success
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_bend_response_exit called
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_bend_success_enter called
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_bend_response_success_action
called
02:13:40: dot1x_auth_bend Fa0: idle during state auth_bend_success
02:13:40: @@@ dot1x_auth_bend Fa0: auth_bend_success - auth_bend_idle
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_bend_idle_enter called
02:13:40: dot1x-sm:Posting AUTH_SUCCESS on Client=37503F0
02:13:40: dot1x_auth Fa0: during state auth_authenticating, got event
12(authSuccess_portValid)
02:13:40: @@@ dot1x_auth Fa0: auth_authenticating - auth_authc_result
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_authenticating_exit called
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_authc_result_enter called
02:13:40: dot1x-ev:dot1x_vlan_assign_authc_success called on interface
FastEthernet0/24
02:13:40: dot1x-ev:Successfully assigned VLAN 0 to interface
FastEthernet0/24
02:13:40: dot1x-sm:Posting AUTHC_SUCCESS on Client=37503F0
02:13:40: dot1x_auth Fa0: during state auth_authc_result, got event
22(authcSuccess)
02:13:40: @@@ dot1x_auth Fa0: auth_authc_result - auth_authz_success
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_authz_success_enter called
02:13:40: dot1x-ev:dot1x_switch_addr_add: Added MAC 0018.8bb5.26b7 to vlan
100 on interface FastEthernet0/24
02:13:40: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is
disabled on Fa0/24
02:13:40: dot1x-registry:** dot1x_switch_vp_statechange:
02:13:40: dot1x-ev:vlan 100 vp is added on the interface FastEthernet0/24
02:13:40: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is
disabled on Fa0/24
02:13:40: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on
interface FastEthernet0/24
02:13:40: dot1x-ev:Received successful Authz complete for 0018.8bb5.26b7
02:13:40: dot1x-sm:Posting AUTHZ_SUCCESS on Client=37503F0
02:13:40: dot1x_auth Fa0: during state auth_authz_success, got event
25(authzSuccess)
02:13:40: @@@ dot1x_auth Fa0: auth_authz_success - auth_authenticated
02:13:40: dot1x-sm:Fa0/24:0018.8bb5.26b7:auth_authenticated_enter called
02:13:40: dot1x-packet:dot1x_mgr_send_eapol :EAP code: 0x3  id: 0xC  length:
0x0004 type: 0x0  data:
02:13:40: dot1x-ev:FastEthernet0/24:Sending EAPOL packet to group PAE
address
02:13:40: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not
required on FastEthernet0/24.
02:13:40: dot1x-registry:registry:dot1x_ether_macaddr called
02:13:40: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on
FastEthernet0/24
02:13:40: EAPOL pak dump Tx
02:13:40: EAPOL Version: 0x2  type: 0x0  length: 0x0004
02:13:40: EAP code: 0x3  id: 0xC  length: 0x0004
02:13:40: dot1x-packet:dot1x_txReq: EAPOL packet sent to client
(0018.8bb5.26b7)

thanks for your help

Re: vlan and freeradius

2010-03-04 Thread omega bk
OK, it works now.

It was Tunnel-Medium-Type = IEEE-802 instead of 802 only.


Now I can assign the VLAN on successful authentication.
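As an added example that is not code from the thread or from FreeRADIUS: a small Python encoder and decoder for the RFC 2868 tunnel attributes, applying the check a switch makes before it uses Tunnel-Private-Group-Id, which shows why a Tunnel-Medium-Type of 802 rather than IEEE-802 (value 6) leaves the port on its configured VLAN. Attribute numbers and enumerated values are from RFC 2868; the function names are mine.

```python
import struct

# Attribute numbers from RFC 2868 (the #64/#65/#81 written in the thread).
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TAGGED_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

# Enumerated values from the RADIUS dictionaries (RFC 2868 / RFC 3580).
TUNNEL_TYPE_VLAN = 13        # dictionary name "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # dictionary name "IEEE-802"; the thread had 802 here


def encode_tagged_int(attr, value, tag=0):
    """Tagged integer (RFC 2868): Type, Length=6, Tag, 3-byte big-endian value."""
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integer values are 24-bit")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, value, tag=0):
    """Tagged string (RFC 2868): Type, Length, Tag, then the string octets."""
    body = value.encode("ascii")
    return struct.pack("!BBB", attr, 3 + len(body), tag) + body


def vlan_reply(vlan, medium=TUNNEL_MEDIUM_IEEE_802, tag=0):
    """Attribute list for one VLAN assignment; medium=802 reproduces the bug."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, medium, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan, tag))


def decode_attrs(data):
    """Yield (type, tag, value) for every attribute; tag is None when untagged."""
    i = 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("truncated or malformed attribute")
        attr, length = data[i], data[i + 1]
        value = data[i + 2:i + length]
        if attr in TAGGED_ATTRS:
            # Tag octets are 0x01-0x1F; for the string attribute, a larger
            # first octet is data, not a tag (RFC 2868 section 3.6).
            if attr == TUNNEL_PRIVATE_GROUP_ID and value[0] > 0x1F:
                yield attr, 0, value
            else:
                yield attr, value[0], value[1:]
        else:
            yield attr, None, value
        i += length


def vlan_from_reply(data):
    """VLAN the switch should apply, or None when the three attributes do not
    describe an IEEE-802 VLAN (the thread's 'Successfully assigned VLAN 0')."""
    groups = {}
    for attr, tag, value in decode_attrs(data):
        if tag is not None:
            groups.setdefault(tag, {})[attr] = value
    for attrs in groups.values():
        if set(attrs) != TAGGED_ATTRS:
            continue
        tt = int.from_bytes(attrs[TUNNEL_TYPE], "big")
        med = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE], "big")
        if tt == TUNNEL_TYPE_VLAN and med == TUNNEL_MEDIUM_IEEE_802:
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None
```

`vlan_from_reply(vlan_reply("120"))` yields "120", while the same call with `medium=802` yields None, which is the silent fallback to the port's configured VLAN seen in the switch log.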

Re: vlan and freeradius

2010-03-03 Thread Jens Link
omega bk omeg...@gmail.com writes:

Hi,

 so i would like to redirect my winxp authenticated to VLAN1 and if not
 authenticated , this client must be in vlan2

 i got a switch cisco

 so how to handle this with freeradius?

Depends on how you do the authentication:

Using certificates (either machine based or user based), 802.1x is the
way to go; if it's okay for you to use only the MAC address of the client
(and you are using Cisco), VMPS might be worth a look.

@Alan: I would document VMPS in some more detail in the wiki if my
access would be working. ;-)

Jens
-- 
-
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264 |
| http://www.quux.de | http://blog.quux.de   | jabber: jensl...@guug.de |
-


Re: vlan and freeradius

2010-03-03 Thread Michael Schwartzkopff
On Wednesday, 3 March 2010 15:34:56, Jens Link wrote:
 omega bk omeg...@gmail.com writes:

 Hi,

  so i would like to redirect my winxp authenticated to VLAN1 and if not
  authenticated , this client must be in vlan2
 
  i got a switch cisco
 
  so how to handle this with freeradius?

 Depends on how you do the authentication:

 Using certificates (either machine based or user based), 802.1x is the
 way to go; if it's okay for you to use only the MAC address of the client
 (and you are using Cisco), VMPS might be worth a look.

 @Alan: I would document VMPS in some more detail in the wiki if my
 access would be working. ;-)

 Jens

Port authentication also works with MAC addresses. You just have to pass back
the correct attributes to the Cisco. AND your IOS has to be able to
interpret them.

Greetings,
 
-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: mi...@multinet.de
web: www.multinet.de

Registered office: 85630 Grasbrunn
Register court: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42



Re: vlan and freeradius

2010-03-03 Thread omega bk
in fact,

I got my client wired with WinXP and authentication works well in 802.1x;
this client is connected directly to my switch through VLAN 3.

I would like to dynamically assign a successful authentication to VLAN 2
and a failed authentication to VLAN 1.

Authentication is based on the users file (not MAC auth).

Thank you




Re: vlan and freeradius

2010-03-03 Thread Alan Buxey
Hi,
 Hello,
 
 so i would like to redirect my winxp authenticated to VLAN1 and if not 
 authenticated , this client must be in vlan2
 
 i got a switch cisco
 
 so how to handle this with freeradius?


read the cisco docs on dealing with 802.1X.

you should never use VLAN1 for users - most would say you shouldn't use VLAN1
for anything on cisco kit - it's the default native vlan.


what you need to do is set the port on the switch to do 802.1X...then you can 
either
do the following


1) set the access vlan to X, then set the fail VLAN to Y and the guest VLAN to Y 

or (my preferred way)

2) set the switch to use RADIUS return attributes for VLAN (and for session 
time etc)
and set the fail VLAN and guest VLAN to Y


where X is the access vlan for auth and Y is the chosen fail vlan


why do method 2? well, it's then easy/quick to change the VLAN returned to the 
switch
no matter where on campus/site/infrastructure - it's all done via decisions made
on the radius server.


the return attributeS?


'Tunnel-Medium-Type' = IEEE-802
'Tunnel-Type' = VLAN
'Tunnel-Private-Group-Id' = 666
'Session-Timeout' = 28800
'Termination-Action' = RADIUS-Request

that would set the VLAN to be 666 with an 8 hour timeout.

these can be set via users file, SQL, perl, python etc. we use a PERL script in 
the post-auth section



alan


Re: vlan and freeradius

2010-03-03 Thread Michael Schwartzkopff
On Wednesday, 3 March 2010 15:45:56, omega bk wrote:
 in fact,

 i got my client wired with WinXP and authentication works well in 802.1x;
 this client is connected directly to my switch through VLAN 3.

 i would like to dynamically assign a successful authentication to VLAN 2
 and a failed authentication to VLAN 1.

 authentication is based on the users file (not MAC auth).

 thank you
(...)

Perhaps Cisco IOS can do this. Check it.

If not, make a default login that always authenticates but also sends the 
vlan1 attributes. Be aware that this might be a security risk!

Greetings,

-- 
Dr. Michael Schwartzkopff



Re: vlan and freeradius

2010-03-03 Thread omega bk
2)  set the switch to use RADIUS return attributes for VLAN (and for
session time etc)
and set the fail VLAN and guest VLAN to Y  => that's really what I want to
do, so in my users file:

myuser   Cleartext-Password := user
   Tunnel-Type = VLAN,
   Tunnel-Medium-Type = 802,
   Tunnel-Private-Group-ID = 666,
   Session-Timeout = 28800,
   Termination-Action = RADIUS-Request

but how do I set the fail VLAN and guest VLAN to Y???

many thanks

PS: you should never use VLAN1 for users - most would say you shouldn't use
VLAN1
for anything on cisco kit - it's the default native vlan. => sure!!!




Re: vlan and freeradius

2010-03-03 Thread Phil Mayers

On 03/03/2010 03:01 PM, omega bk wrote:

2)  set the switch to use RADIUS return attributes for VLAN (and for
session time etc)
and set the fail VLAN and guest VLAN to Y  => that's really what I want
to do, so in my users file:

myuser   Cleartext-Password := user
Tunnel-Type = VLAN,
Tunnel-Medium-Type = 802,
Tunnel-Private-Group-ID = 666,
Session-Timeout = 28800,
Termination-Action = RADIUS-Request

but how do I set the fail VLAN and guest VLAN to Y???


Setting the Fail and Guest VLAN by radius doesn't make any sense.

The Fail vlan is what to use when the radius server is unavailable.

The Guest vlan is what to do when the client doesn't do 802.1x i.e. no 
radius.


So you can't set these over radius.


Re: vlan and freeradius

2010-03-03 Thread Matt Hite
On Wed, Mar 3, 2010 at 10:44 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 but how to set the fail VLAN and guest VLAN to Y ???

 Setting the Fail and Guest VLAN by radius doesn't make any sense.

 The Fail vlan is what to use when the radius server is unavailable.

 The Guest vlan is what to do when the client doesn't do 802.1x i.e. no
 radius.

 So you can't set these over radius.

Look in the Cisco documentation for information on:

dot1x auth-fail vlan vlan-id

and

dot1x guest-vlan vlan-id

-M


Re: vlan and freeradius

2010-03-03 Thread Alan DeKok
Jens Link wrote:
 @Alan: I would document VMPS in some more detail in the wiki if my
 access would be working. ;-)

  It seems to be fine now.

  Alan DeKok.