Hi,
Here is what I am trying to do: a Windows XP client is authenticating via
802.1x to a cisco switch. The switch "talks" to a freeradius 0.5 server
running on Redhat 7.2. That works fine, the user can login and the port
opens up. Cisco developed a feature in a recent software release whereby
the radius server can also tell the switch what VLAN to place the
freshly-authenticated port in (that's the part I can't get to work - the
fact that I am totally new to Radius probably doesn't help either). I
know from reading our code that the switch expects the following
parameters within the Access-accept:
a) Tunnel-Type(#64)=VLAN (13)
b) Tunnel-Medium-Type(#65)=802 (6)
c) Tunnel-Private-Group-ID(#81)=VLANID
I am hitting a couple of problems. In the dictionary.tunnel file that
came with freeradius release 0.5, there is no Tunnel-Type VLAN and there
is no Tunnel-Medium-Type 802. So I thought I'd go ahead and edit my
dictionary.tunnel file to add these entries:
VALUE Tunnel-Type VLAN 13
#
VALUE Tunnel-Medium-Type 802 6
The next problem is that the switch expects a string in
Tunnel-Private-Group-ID to identify the VLAN (i.e. VLAN0055). However,
this is what I found in the original dictionary.tunnel file:
ATTRIBUTE Tunnel-Private-Group-Id 81 integer has_tag
It seems Tunnel-Private-Group-Id is declared as an integer. However,
RFC2868 seems to indicate the format should be a string (unless I am
misinterpreting the RFC, which is quite possible):
- begin quote -
A summary of the Tunnel-Private-Group-ID Attribute format is shown
below. The fields are transmitted from left to right.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |     Length    |      Tag      |    String ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Type
81 for Tunnel-Private-Group-ID.
- end quote -
So I also modified the dictionary.tunnel file as follows:
ATTRIBUTE Tunnel-Private-Group-ID 81 string has_tag
Here is the user config:
pag     Auth-Type := Accept,
        Service-Type = Administrative-User,
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 802,
        Tunnel-Private-Group-ID = VLAN0055
and this is what I see when the user authenticates:
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Nothing to do. Sleeping until we see a request.
Thread 1 handling request 0, (1 handled so far)
User-Name = "pag"
NAS-IP-Address = 172.20.45.27
Framed-MTU = 1000
EAP-Message = "\002\001\000\010\001pag"
Message-Authenticator = 0x71ff2b2e212b67ed13f18c1dacd44541
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
users: Matched pag at 81
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type Accept
rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 233 to 172.20.45.27:2346
Service-Type = Administrative-User
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = 802
Tunnel-Private-Group-ID:0 = "VLAN0055"
Finished request 0
However, the switch doesn't seem to understand the tunnel parameters it
is receiving. It could very well be a problem with our code, but I just
want to ask a few questions to this list first:
1- Are the modifications I made to the dictionary.tunnel file ok? (i.e.
will radiusd pretty much accept any new parameter I insert in there?)
2- How come Tunnel-Private-Group-ID is specified as an integer in the
original dictionary.tunnel file? Should it be that way?
3- Why does the Tunnel-Type in the access-accept packet finish with a
":0"?
4- In the server-side debug, I see that Tunnel-Private-Group-ID:0 =
"VLAN0055". Are the quotes relayed to the switch or are they just
printed in the debug message to indicate a string is being passed?
Thanks,
Chris.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
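The questions about the ":0" suffix and the quotes come down to how RFC 2868 puts tagged attributes on the wire, so here is a small encoder/decoder for the three VLAN-assignment attributes. This is an added example, not code from the post or from FreeRADIUS: the attribute numbers and values (64, 65, 81, VLAN = 13, 802 = 6) are from RFC 2868, the sample Access-Accept content mirrors the post ("VLAN0055"), and the tag-detection rule for string attributes (a first byte above 0x1F is string data, not a tag) is the RFC's own. The ":0" in the debug output is the one-byte Tag field, and the quotes exist only in the debug print; the string is sent raw.

```python
"""Encode and decode the RFC 2868 tagged tunnel attributes used for
RADIUS-assigned VLANs: Tunnel-Type (64), Tunnel-Medium-Type (65) and
Tunnel-Private-Group-ID (81). Added example; not FreeRADIUS code."""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13   # RFC 2868 Tunnel-Type value for VLAN
TUNNEL_MEDIUM_802 = 6   # RFC 2868 Tunnel-Medium-Type value for IEEE 802

TAGGED_INTEGER_ATTRS = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING_ATTRS = {TUNNEL_PRIVATE_GROUP_ID}


def encode_tagged_integer(attr, value, tag=0):
    """Type | Length (6) | Tag | 3-byte big-endian value (RFC 2868 layout)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F (0 = unused)")
    if not 0 <= value < 1 << 24:
        raise ValueError("tagged integer values are only 24 bits wide")
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")


def encode_tagged_string(attr, text, tag=0):
    """Type | Length | Tag | String. The string bytes go out raw: no quotes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F (0 = unused)")
    data = text.encode("ascii")
    if len(data) + 3 > 255:
        raise ValueError("attribute too long for a one-byte Length field")
    return struct.pack("!BBB", attr, len(data) + 3, tag) + data


def decode_attributes(buf):
    """Parse a run of RADIUS attributes into (type, tag, value) tuples.

    Length checks are strict so a truncated or overlong attribute is
    rejected instead of being read past the end of the buffer."""
    out = []
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        attr, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        body = buf[pos + 2:pos + length]
        pos += length
        if attr in TAGGED_INTEGER_ATTRS:
            if len(body) != 4:
                raise ValueError("tagged integer attribute must carry 4 bytes")
            out.append((attr, body[0], int.from_bytes(body[1:], "big")))
        elif attr in TAGGED_STRING_ATTRS:
            # RFC 2868: a first byte above 0x1F is part of the string, not a tag.
            if body and body[0] <= 0x1F:
                tag, data = body[0], body[1:]
            else:
                tag, data = 0, body
            out.append((attr, tag, data.decode("ascii", errors="replace")))
        else:
            out.append((attr, None, bytes(body)))
    return out


def vlan_assignment_attrs(vlan_name, tag=0):
    """The three attributes a NAS expects for a RADIUS-assigned VLAN."""
    return (encode_tagged_integer(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, vlan_name, tag))


if __name__ == "__main__":
    wire = vlan_assignment_attrs("VLAN0055")   # sample value from the post
    print(wire.hex())
    for attr, tag, value in decode_attributes(wire):
        print(f"attr {attr} tag {tag}: {value!r}")
```

Running it shows the 23 bytes the switch actually sees: each Tunnel-Type and Tunnel-Medium-Type is six bytes with a zero Tag byte, and Tunnel-Private-Group-ID is Type 0x51, Length 0x0b, Tag 0x00, then the eight ASCII bytes of VLAN0055 with no quote characters around them.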