Hi everybody,

I'm trying to assign wireless users to VLANs. Here is the configuration:
- freeradius 0.9.1 on Red Hat 7.2
- Cisco AP1230 (IOS 12.2(11)JA1) with 2 vlans (10=SSID10 and 30=SSID30)
- PCMCIA Card Aironet 350

With static mapping (SSID-VLAN) on the AP, authentication works fine. The
problem starts when I try to assign VLAN.

CISCO says :
"
These are the RADIUS user attributes used for vlan-id assignment. Each
attribute must have a common Tag value to identify the grouped relationship.

IETF 64 (Tunnel Type): Set this attribute to VLAN
IETF 65 (Tunnel Medium Type): Set this attribute to 802
IETF 81 (Tunnel Private Group ID): Set this attribute to vlan-id
"

1 - to meet CISCO requirements, I modified the dictionary.tunnel file like
this:
"
# VALUE         Tunnel-Medium-Type      IEEE-802        6
VALUE           Tunnel-Medium-Type      802             6

# ATTRIBUTE     Tunnel-Private-Group-Id         81      string  has_tag
ATTRIBUTE       Tunnel-Private-Group-Id         81      integer has_tag
"

2 - My user is :
"
jmguillemot     Auth-Type := eap, User-Password == "XXXXX"
                Service-Type = Login-User,
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = 10
"
Which corresponds to CISCO requirements.

3 - When I try to get access to VLAN 30, my Access-Accept answer is the
following:
"
modcall: group authenticate returns ok
Sending Access-Accept of id 44 to 192.168.XX;XX:1645
Service-Type = Login-User
        Tunnel-Type:0 = VLAN
      Tunnel-Medium-Type:0 = 802
      Tunnel-Private-Group-Id:0 = 10
      Cisco-AVPair +=
"leap:session-key=\305\225\334\314\007\242>1\301\335<\362V\240"R\tUu\033\210
\317\306i\265`\335x\020l\006\313+R"
        EAP-Message =
0x0205002b11010018e7b2116d7e8a7a6b15f4a394f1c5aac8b4000a83897eede76a6d677569
6c6c656d6f74
      Message-Authenticator = 0x00000000000000000000000000000000
Finished request 26
Going to the next request
Waking up in 6 seconds...
"

but I'm authenticated in VLAN 30.

I also tried to assign the NAME of the VLAN (with modification in
dictionary.tunnel) but no success.

Is it a misconfiguration? A freeradius problem? A cisco problem?...

Any suggestion would be really appreciated. Thanks in advance.

Jean-Marie
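As an added example (not part of the post above and not FreeRADIUS code), here is the RFC 2868 wire encoding of the three attributes the AP looks at: Tunnel-Type (64) and Tunnel-Medium-Type (65) are tagged integers (tag byte plus 3-byte value), Tunnel-Private-Group-Id (81) is a tagged string (tag byte followed by the text of the VLAN id), and all three must carry the same tag. The small parser groups the attributes by tag the way a NAS does, so you can check what a given Access-Accept actually says; the attribute bytes are constructed inline.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # RFC 2868 value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 value "IEEE-802"

def tagged_integer(attr, tag, value):
    """Tagged integer: Type, Length(6), Tag, 3-byte big-endian value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    return bytes([attr, 6, tag]) + value.to_bytes(3, "big")

def tagged_string(attr, tag, value):
    """Tagged string: Type, Length, Tag, then the string bytes."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    data = value.encode()
    return bytes([attr, 3 + len(data), tag]) + data

def vlan_assignment(vlan_id, tag=1):
    """The three attributes for one VLAN, all carrying the same tag."""
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

def parse_tunnel_attrs(payload):
    """Walk a RADIUS attribute list; return {tag: {attr: value}} for tunnel attrs."""
    groups, i = {}, 0
    while i < len(payload):
        attr, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute")
        body = payload[i + 2:i + length]
        i += length
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, value = body[0], int.from_bytes(body[1:], "big")
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # a leading byte above 0x1F is not a tag but the first character
            if body[0] > 0x1F:
                tag, value = 0, body.decode()
            else:
                tag, value = body[0], body[1:].decode()
        else:
            continue
        groups.setdefault(tag, {})[attr] = value
    return groups

def vlan_for(groups):
    """Return the VLAN id only if a single tag carries all three attributes."""
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None
```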


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html