hi,
ok, now the authentication request works (the problem was that if I
restart the AP I lost this configuration. How can I save it using the
web configuration?)
Now the log is the following:
rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19,
length=166
User-Name = "TEST4"
Framed-MTU = 1400
Called-Station-Id = "0012.dacb.8420"
Calling-Station-Id = "000c.f135.f1ba"
Cisco-AVPair = "ssid=VLAN3"
Service-Type = Login-User
Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46
EAP-Message = 0x020600060d00
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "260"
NAS-Port = 260
State = 0x0491685cf8ece3184d685dedfedbb3d4
NAS-IP-Address = 192.168.9.104
NAS-Identifier = "ap"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 18
modcall[authorize]: module "preprocess" returns ok for request 18
modcall[authorize]: module "mschap" returns noop for request 18
rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 18
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 18
users: Matched entry TEST4 at line 11
modcall[authorize]: module "files" returns ok for request 18
modcall: leaving group authorize (returns updated) for request 18
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 18
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 18
modcall: leaving group authenticate (returns ok) for request 18
Login OK: [TEST4/<no User-Password attribute>] (from client ap-test port
260 cli 000c.f135.f1ba)
Sending Access-Accept of id 19 to 192.168.9.104 port 1645
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "2"
Tunnel-Type:0 = VLAN
MS-MPPE-Recv-Key =
0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da
MS-MPPE-Send-Key =
0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "TEST4"
Finished request 18
and I have this users:
TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 2,
Tunnel-Type = VLAN
user2 Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3"
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-Id = 3,
Tunnel-Type = VLAN
Now in the log there is Cisco-AVPair = "ssid=VLAN3" but user TEST4 is
authenticated on the incorrect SSID (VLAN3).
I suppose that the Cisco-AVPair check doesn't work in my configuration....
Are there other mistakes?
Thanks for your answers...
Bye Antonio
You misread my previous email .... you need:
radius-server vsa send authentication
^^^^^^^^^^
this makes the cisco include the ssid in the AUTHENTICATION request
which is what you need. Presently you only have:
radius-server vsa send accounting
so the SSID is only being sent in accounting packets.
(having both is fine)
Regards,
James
--
James J J Hooper,
Information Services
University of Bristol
--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
