Thanks, it made the difference... Reading through the Cisco guide again, I see the
command listed as
optional and not in the command example, so I simply missed it.... :(

________________________________

From: [EMAIL PROTECTED] on behalf of Frédéric EVRARD
Sent: Tue 2004-06-22 10:41
To: [EMAIL PROTECTED]
Subject: Re: Problem getting a Cisco 3550 to change VLAN on dot1x authenticate



Hi,

don't forget, on the 3550 switch:
aaa authorization network default group radius
(to let RADIUS change the network config)

Attributes are good.

Fred.EVRARD


> Hi, I'm testing the FreeRADIUS server's dot1x support for EAP-TLS. So far I
> have got the PC authenticated
> using certificates, but I can't get the switch to set the VLAN I want on the
> port.
>
> I have tried every tip found on the Cisco web and from this list and I'm
> now stuck. And yes, the VLAN
> TESTVLAN is defined in the VLAN database. I have also tried the VLAN id 555
> and the long version 100555.
> I have tried renaming the VLAN and using the attribute cisco-avpair to
> send the VLAN info.
>
> users setup:
>
> DEFAULT        Auth-Type := EAP
>        Tunnel-Type = VLAN,
>        Tunnel-Medium-Type = IEEE-802,
>        Tunnel-Private-Group-Id = TESTVLAN
>
> or
>
> DEFAULT Auth-Type := EAP
>         cisco-avpair += "tunnel-type(#64)=VLAN(13)",
>         cisco-avpair += "tunnel-medium-type(#65)=802 media(6)",
>         cisco-avpair += "tunnel-private-group-ID(#81)=TESTVLAN"
>
> none of them worked.
>
> I cut out some parts of the logs that show the problem:
>
> FreeRadius sever debug log:
>
> modcall: entering group authenticate for request 9
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/tls
>   rlm_eap: processing type tls
>   rlm_eap_tls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake is finished
>   eaptls_verify returned 3
>   eaptls_process returned 3
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 9
> modcall: group authenticate returns ok for request 9
> Login OK: [host/Client certificate/<no User-Password attribute>] (from
> client rklan-client port 50023 cli 00-08-02-D7-6B-24)
> Sending Access-Accept of id 121 to 10.25.250.250:1812
>         Tunnel-Type:0 = VLAN
>         Tunnel-Medium-Type:0 = IEEE-802
>         Tunnel-Private-Group-Id:0 = "TESTVLAN"
>         MS-MPPE-Recv-Key =
> 0x8fcfa4475a4fd660644c278b0f121c5c36eba960ef13ef331fe8917485ab8990
>         MS-MPPE-Send-Key =
> 0xb2dc132a07afb4e469a48d3bd947fcc1dabaf7f80242e37e9eb7dd65a009e4ef
>         EAP-Message = 0x03640004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "host/Client certificate"
> Finished request 9
>
>
> Cisco 3550 radius debug log:
>
> 01:45:10: RADIUS: Received from id 121 10.25.32.63:1812, Access-Accept,
> len 207
> 01:45:10:         Attribute 64 6 0000000D
> 01:45:10:         Attribute 65 6 00000006
> 01:45:10:         Attribute 81 10 54455354
> 01:45:10:         Attribute 26 58 00000137113494E2
> 01:45:10:         Attribute 26 58 0000013710349898
> 01:45:10:         Attribute 79 6 03640004
> 01:45:10:         Attribute 80 18 20106B4C
> 01:45:10:         Attribute 1 25 686F7374
> 01:45:10: RADIUS: EAP-login: length of eap packet = 4
> 01:45:10: RADIUS: EAP-login: radius didn't send any vlan
>
>
> tcpdump on the freeradius server:
>
> 11:18:49.257403 10.25.32.63.radius > 10.25.250.250.radius:
> rad-access-accept 207 [id 121] Attr[  Tunnel_type{Tag[Unused]{#13}
> Tunnel_medium{Tag[Unused]{802} Tunnel_priv_group{TESTVLAN} [|radius] (DF)
>                          4500 00eb 0000 4000 4011 0a97 0a19 203f
>                          0a19 fafa 0714 0714 00d7 2b25 0279 00cf
>                          5297 77d0 4247 9a82 f5f0 b245 39cd 9e9a
>                          4006 0000 000d 4106 0000 0006 510a 5445
>                          5354 564c 414e 1a3a 0000 0137 1134 94e2
>                          a9c9
>
>
>
> Versions of the freeradius server and Cisco IOS:
>
> [EMAIL PROTECTED] raddb]# /usr/local/sbin/radiusd -v
> radiusd: FreeRADIUS Version 1.0.0-pre3, for host , built on Jun 21 2004 at
> 11:07:50
> Copyright (C) 2000-2003 The FreeRADIUS server project.
>
> Cisco Internetwork Operating System Software
> IOS (tm) C3550 Software (C3550-I9K2L2Q3-M), Version 12.1(20)EA2, RELEASE
> SOFTWARE (fc1)
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



