These are tagged attributes. You need to add a :1 to the end of the attribute names to force tag #1.
E.g. Tunnel-Type:1

I think there is a special meaning for tag #0, not sure what it is though; look in the RFC.

HTH
Jm

> -----Original Message-----
> From: Christopher Paggen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 05, 2002 1:44 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RFC2868 Tunnel attributes?
>
>
> Hi,
>
> Here is what I am trying to do: a Windows XP client is
> authenticating via 802.1x to a Cisco switch. The switch
> "talks" to a freeradius 0.5 server running on Redhat 7.2.
> That works fine, the user can log in and the port opens up.
> Cisco developed a feature in a recent software release
> whereby the radius server can also tell the switch what VLAN
> to place the freshly-authenticated port in (that's the part I
> can't get to work; the fact that I am totally new to Radius
> probably doesn't help either). I know from reading our code
> that the switch expects the following parameters within the
> Access-Accept:
>
> a) Tunnel-Type(#64)=VLAN (13)
> b) Tunnel-Medium-Type(#65)=802 (6)
> c) Tunnel-Private-Group-ID(#81)=VLANID
>
> I am hitting a couple of problems. In the dictionary.tunnel
> file that came with freeradius release 0.5, there is no
> Tunnel-Type VLAN and there is no Tunnel-Medium-Type 802. So I
> thought I'd go ahead and edit my dictionary.tunnel file to
> add these entries:
>
>     VALUE   Tunnel-Type             VLAN    13
>     #
>     VALUE   Tunnel-Medium-Type      802     6
>
> The next problem is that the switch expects a string in
> Tunnel-Private-Group-ID to identify the VLAN (i.e. VLAN0055).
> However, this is what I found in the original dictionary.tunnel file:
>
>     ATTRIBUTE   Tunnel-Private-Group-Id     81  integer has_tag
>
> It seems Tunnel-Private-Group-Id is declared as an integer.
> However, RFC2868 seems to indicate the format should be a
> string (unless I am misinterpreting the RFC, which is quite possible):
>
> - begin quote -
>    A summary of the Tunnel-Private-Group-ID Attribute format is shown
>    below.  The fields are transmitted from left to right.
>
>     0                   1                   2                   3
>     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>    |     Type      |    Length     |      Tag      |   String ...
>    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
>
>    Type
>       81 for Tunnel-Private-Group-ID.
> - end quote -
>
> So I also modified the dictionary.tunnel file as follows:
>
>     ATTRIBUTE   Tunnel-Private-Group-ID     81  string  has_tag
>
> Here is the user config:
>
>     pag     Auth-Type := Accept,
>             Service-Type = Administrative-User,
>             Tunnel-Type = 13,
>             Tunnel-Medium-Type = 802,
>             Tunnel-Private-Group-ID = VLAN0055
>
> and this is what I see when the user authenticates:
>
>     --- Walking the entire request list ---
>     Threads: total/active/spare threads = 5/1/4
>     Nothing to do.  Sleeping until we see a request.
>     Thread 1 handling request 0, (1 handled so far)
>             User-Name = "pag"
>             NAS-IP-Address = 172.20.45.27
>             Framed-MTU = 1000
>             EAP-Message = "\002\001\000\010\001pag"
>             Message-Authenticator = 0x71ff2b2e212b67ed13f18c1dacd44541
>     modcall: entering group authorize
>       modcall[authorize]: module "preprocess" returns ok
>       modcall[authorize]: module "suffix" returns ok
>         users: Matched pag at 81
>       modcall[authorize]: module "files" returns ok
>     modcall: group authorize returns ok
>       rad_check_password:  Found Auth-Type Accept
>       rad_check_password: Auth-Type = Accept, accepting the user
>     Sending Access-Accept of id 233 to 172.20.45.27:2346
>             Service-Type = Administrative-User
>             Tunnel-Type:0 = VLAN
>             Tunnel-Medium-Type:0 = 802
>             Tunnel-Private-Group-ID:0 = "VLAN0055"
>     Finished request 0
>
>
> However, the switch doesn't seem to understand the tunnel
> parameters it is receiving. It could very well be a problem
> with our code, but I just want to ask a few questions to this
> list first:
>
> 1- Are the modifications I made to the dictionary.tunnel file
> ok? (i.e. will radiusd pretty much accept any new parameter I
> insert in there?)
> 2- How come Tunnel-Private-Group-ID is specified as an
> integer in the original dictionary.tunnel file? Should it be that way?
> 3- Why does the Tunnel-Type in the Access-Accept packet
> finish with a ":0"?
> 4- In the server-side debug, I see that
> Tunnel-Private-Group-ID:0 = "VLAN0055". Are the quotes
> relayed to the switch or are they just printed in the debug
> message to indicate a string is being passed?
>
> Thanks,
>
> Chris.
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
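The reply above says to force tag #1 with a ":1" suffix and points at the RFC for the meaning of tag #0. In RFC 2868 the Tag octet groups attributes that belong to the same tunnel: valid tags are 0x01 through 0x1F, an unused Tag field is sent as 0x00, and for string-valued attributes such as Tunnel-Private-Group-ID a first octet above 0x1F is not a tag at all but the first byte of the String. The following is an added example, not code from the original post or from FreeRADIUS: it encodes the three attributes the switch expects on the wire (Type | Length | Tag | value, exactly the layout quoted from the RFC), parses them back while distinguishing tag 0x00, tag 0x01..0x1F and a missing tag octet, and renders the equivalent users-file entry with the ":1" suffix. The function names are mine, the VALUE names (VLAN, 802) are the ones the poster added to his dictionary.tunnel, and the sample VLAN name VLAN0055 is taken from the post.

```python
"""RFC 2868 tagged tunnel attributes: encode the three reply items a switch
expects for VLAN assignment, parse them back, and recover the tag.

Added example (not from the original post or FreeRADIUS). Attribute numbers
and tag rules follow RFC 2868; the VLAN/802 value numbers are the ones the
poster added to dictionary.tunnel.
"""

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # VALUE Tunnel-Type         VLAN  13
TUNNEL_MEDIUM_IEEE_802 = 6   # VALUE Tunnel-Medium-Type  802   6

TAG_UNUSED = 0x00            # RFC 2868: an unused Tag field MUST be zero
TAG_MAX = 0x1F               # valid tunnel tags are 0x01..0x1F


def _check_tag(tag):
    if not TAG_UNUSED <= tag <= TAG_MAX:
        raise ValueError("tag must be 0x00 (unused) or 0x01..0x1F")


def encode_tagged_integer(attr_type, tag, value):
    """Type | Length | Tag | 3-octet big-endian value (RFC 2868 tagged integer)."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer value must fit in 24 bits")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, value):
    """Type | Length | Tag | String (RFC 2868 tagged string)."""
    _check_tag(tag)
    body = bytes([tag]) + value.encode("ascii")
    if 2 + len(body) > 255:
        raise ValueError("attribute too long for a one-octet Length")
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_avps(vlan_name, tag=1):
    """The Access-Accept reply items for VLAN assignment, all with the same
    tag so the NAS groups them as one tunnel (what 'Tunnel-Type:1' selects)."""
    return (encode_tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def parse_avps(data):
    """Walk a run of AVPs and return (type, tag, value) triples.

    The Length checks matter: a Length below 2 must not loop forever, and a
    Length past the buffer must not read beyond it.
    """
    out = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("invalid AVP length %d" % length)
        val = data[i + 2:i + length]
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            # Fixed 4-octet body: Tag + 24-bit value.
            if len(val) != 4:
                raise ValueError("tagged integer body must be 4 octets")
            out.append((attr_type, val[0], int.from_bytes(val[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if val and val[0] <= TAG_MAX:
                # First octet is a Tag field (0x00 unused, 0x01..0x1F a tunnel group).
                out.append((attr_type, val[0], val[1:].decode("ascii")))
            else:
                # First octet > 0x1F: no tag octet was sent; whole body is the String.
                out.append((attr_type, TAG_UNUSED, val.decode("ascii")))
        else:
            out.append((attr_type, None, val))
        i += length
    return out


def users_entry(username, vlan_name, tag=1):
    """Render the FreeRADIUS 'users' reply items with an explicit ':tag' suffix."""
    t = ":%d" % tag
    return "\n".join([
        "%s Auth-Type := Accept" % username,
        "\tTunnel-Type%s = VLAN," % t,
        "\tTunnel-Medium-Type%s = 802," % t,
        '\tTunnel-Private-Group-ID%s = "%s"' % (t, vlan_name),
    ])


if __name__ == "__main__":
    avps = build_vlan_avps("VLAN0055", tag=1)
    print(avps.hex())
    for item in parse_avps(avps):
        print(item)
    print(users_entry("pag", "VLAN0055"))
```

Note the two shapes the parser accepts for Tunnel-Private-Group-ID: with the string dictionary entry and ":1" the body is 0x01 followed by VLAN0055, while a server that sends no tag octet at all produces a body starting with 'V' (0x56), which the RFC rule classifies as untagged rather than as tag 0x56. The quotes in the debug output are only the server's way of printing a string value; they never reach the wire.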
