Hi, I'm testing the FreeRADIUS server's dot1x support for EAP-TLS. So far I have got the PC authenticated using certificates, but I can't get the switch to set the VLAN I want on the port.

I have tried every tip found on the Cisco web and from this list and I'm now stuck. And yes, the VLAN TESTVLAN is defined in the VLAN database. I have also tried the VLAN id 555 and the long version 100555. I have tried renaming the VLAN and using the attribute cisco-avpair to send the VLAN info.
users setup:

DEFAULT Auth-Type := EAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = TESTVLAN

or

DEFAULT Auth-Type := EAP
        cisco-avpair += "tunnel-type(#64)=VLAN(13)",
        cisco-avpair += "tunnel-medium-type(#65)=802 media(6)",
        cisco-avpair += "tunnel-private-group-ID(#81)=TESTVLAN"

None of them worked.
I cut out some parts of the logs that show the problem:
FreeRADIUS server debug log:
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 9
modcall: group authenticate returns ok for request 9
Login OK: [host/Client certificate/<no User-Password attribute>] (from client rklan-client port 50023 cli 00-08-02-D7-6B-24)
Sending Access-Accept of id 121 to 10.25.250.250:1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "TESTVLAN"
MS-MPPE-Recv-Key = 0x8fcfa4475a4fd660644c278b0f121c5c36eba960ef13ef331fe8917485ab8990
MS-MPPE-Send-Key = 0xb2dc132a07afb4e469a48d3bd947fcc1dabaf7f80242e37e9eb7dd65a009e4ef
EAP-Message = 0x03640004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "host/Client certificate"
Finished request 9
Cisco 3550 radius debug log:
01:45:10: RADIUS: Received from id 121 10.25.32.63:1812, Access-Accept, len 207
01:45:10: Attribute 64 6 0000000D
01:45:10: Attribute 65 6 00000006
01:45:10: Attribute 81 10 54455354
01:45:10: Attribute 26 58 00000137113494E2
01:45:10: Attribute 26 58 0000013710349898
01:45:10: Attribute 79 6 03640004
01:45:10: Attribute 80 18 20106B4C
01:45:10: Attribute 1 25 686F7374
01:45:10: RADIUS: EAP-login: length of eap packet = 4
01:45:10: RADIUS: EAP-login: radius didn't send any vlan
tcpdump on the freeradius server:
11:18:49.257403 10.25.32.63.radius > 10.25.250.250.radius: rad-access-accept 207 [id 121] Attr[ Tunnel_type{Tag[Unused]{#13} Tunnel_medium{Tag[Unused]{802} Tunnel_priv_group{TESTVLAN} [|radius] (DF)
4500 00eb 0000 4000 4011 0a97 0a19 203f
0a19 fafa 0714 0714 00d7 2b25 0279 00cf
5297 77d0 4247 9a82 f5f0 b245 39cd 9e9a
4006 0000 000d 4106 0000 0006 510a 5445
5354 564c 414e 1a3a 0000 0137 1134 94e2
a9c9
Versions of the FreeRADIUS server and Cisco IOS:
[EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -v
radiusd: FreeRADIUS Version 1.0.0-pre3, for host , built on Jun 21 2004 at 11:07:50
Copyright (C) 2000-2003 The FreeRADIUS server project.
Cisco Internetwork Operating System Software
IOS (tm) C3550 Software (C3550-I9K2L2Q3-M), Version 12.1(20)EA2, RELEASE SOFTWARE (fc1)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
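An added example, not part of the original post or of FreeRADIUS: a small Python decoder that takes the raw bytes from the tcpdump hex dump above and walks the RADIUS Access-Accept attribute by attribute, decoding the three RFC 2868 tunnel attributes (64, 65, 81) with their tag bytes. It is the kind of check a defender runs when the server log and the switch log disagree about what was sent: it shows exactly which attributes and tags are on the wire, and it stops cleanly where tcpdump cut the packet off (the RADIUS length field says 207 bytes but only 82 were printed). The packet bytes are copied from the dump in the post; everything else (function names, the name tables) is this example's own.

```python
import struct

# Constructed input: the raw bytes tcpdump printed for the Access-Accept in the
# post (IPv4 header, UDP header, then the start of the RADIUS payload). The
# RADIUS length field says 207 bytes, but only the first 82 were printed, so the
# dump ends in the middle of the first Vendor-Specific (type 26) attribute.
CAPTURED_PACKET = bytes.fromhex(
    "4500 00eb 0000 4000 4011 0a97 0a19 203f"
    "0a19 fafa 0714 0714 00d7 2b25 0279 00cf"
    "5297 77d0 4247 9a82 f5f0 b245 39cd 9e9a"
    "4006 0000 000d 4106 0000 0006 510a 5445"
    "5354 564c 414e 1a3a 0000 0137 1134 94e2"
    "a9c9"
)

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# RFC 2868 tunnel attributes and the enumeration values used in the post.
TUNNEL_ATTRS = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
                81: "Tunnel-Private-Group-Id"}
TUNNEL_TYPE_NAMES = {13: "VLAN"}
TUNNEL_MEDIUM_NAMES = {6: "IEEE-802"}


def radius_payload(ip_packet):
    """Skip the IPv4 header (length from its IHL field) and the 8-byte UDP header."""
    ihl = (ip_packet[0] & 0x0F) * 4
    return ip_packet[ihl + 8:]


def parse_radius(payload):
    """Split a RADIUS packet into header fields and a list of (type, value) TLVs.
    Stops cleanly if the capture ends mid-attribute and reports that."""
    if len(payload) < 20:
        raise ValueError("payload shorter than a RADIUS header")
    code, ident = payload[0], payload[1]
    (length,) = struct.unpack("!H", payload[2:4])
    attrs, pos, truncated = [], 20, False  # attributes follow the 16-byte authenticator
    while pos < len(payload):
        if pos + 2 > len(payload):
            truncated = True
            break
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2:
            raise ValueError(f"attribute {atype} has illegal length {alen}")
        if pos + alen > len(payload):
            truncated = True  # tcpdump cut the packet off inside this attribute
            break
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "captured": len(payload), "truncated": truncated, "attrs": attrs}


def decode_tunnel_attr(atype, value):
    """Decode one tunnel attribute per RFC 2868. Tunnel-Type and
    Tunnel-Medium-Type are a 1-byte tag followed by a 3-byte integer.
    Tunnel-Private-Group-Id is a string whose first byte is a tag only if it is
    <= 0x1F; otherwise that byte is the first character of the group name and
    the attribute is untagged (returned tag None)."""
    if atype in (64, 65):
        if len(value) != 4:
            raise ValueError(f"attribute {atype} must be 4 bytes, got {len(value)}")
        return value[0], int.from_bytes(value[1:], "big")
    if atype == 81:
        if value and value[0] <= 0x1F:
            return value[0], value[1:].decode("ascii", "replace")
        return None, value.decode("ascii", "replace")
    raise ValueError(f"attribute {atype} is not a tunnel attribute")


def decode_capture(ip_packet):
    """Parse the capture and pull out the VLAN-related attributes by name."""
    info = parse_radius(radius_payload(ip_packet))
    info["code_name"] = RADIUS_CODES.get(info["code"], "unknown")
    info["tunnel"] = {TUNNEL_ATTRS[t]: decode_tunnel_attr(t, v)
                      for t, v in info["attrs"] if t in TUNNEL_ATTRS}
    return info


if __name__ == "__main__":
    info = decode_capture(CAPTURED_PACKET)
    print(f"{info['code_name']} id={info['id']} length={info['length']} "
          f"captured={info['captured']} truncated={info['truncated']}")
    for name, (tag, val) in info["tunnel"].items():
        if name == "Tunnel-Type":
            val = f"{val} ({TUNNEL_TYPE_NAMES.get(val, '?')})"
        elif name == "Tunnel-Medium-Type":
            val = f"{val} ({TUNNEL_MEDIUM_NAMES.get(val, '?')})"
        print(f"  {name}: tag={tag} value={val}")
```

Run against the bytes from the post, it confirms what both logs show: attribute 64 carries tag 0 and value 13 (VLAN), attribute 65 carries tag 0 and value 6 (IEEE-802), and attribute 81 is the plain string "TESTVLAN" with no tag byte in front of it, which is exactly what the switch's "Attribute 81 10 54455354" line reports. The same decoder can be pointed at a capture from any other RADIUS server to compare the encoding an IOS switch accepts with the one it rejects.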