Hi I think you have to use == instead of := For example: DEFAULT Cisco-AVPair == "ssid=testLEAP" , EAP-Type := Cisco-LEAP
Regards -- Sergio SAGLIOCCO SecureLAB - http://www.securelab.it CSP s.c. a r.l. - http://www.csp.it ______________________________________________ Villa Gualino Viale Settimo Severo, 63 - 10133 Torino [IT] tel. +39 011 481 5140 - Mobile +39 348 6024078 fax +39 011 481 5001 ______________________________________________ Antonio Matera wrote: > Hi all, > I have a problem with the user authentication with EAP TLS or PEAP > on different SSID and VLAN. > My objective is to authenticate one user only on a select SSID. > At the moment I have this user with EAP-TLS, but if I use PEAP and I > insert a user password, the problem is the same: > > TEST4 Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1" > Tunnel-Medium-Type = IEEE-802, > Tunnel-Private-Group-Id = 2, > Tunnel-Type = VLAN > > user2 Auth-Type := EAP, Cisco-AVPair := "ssid=VLAN3" > Tunnel-Medium-Type = IEEE-802, > Tunnel-Private-Group-Id = 3, > Tunnel-Type = VLAN > > > and the log is the following: > > rad_recv: Access-Request packet from host 192.168.9.104:1645, id=19, > length=166 > User-Name = "TEST4" > Framed-MTU = 1400 > Called-Station-Id = "0012.dacb.8420" > Calling-Station-Id = "000c.f135.f1ba" > Cisco-AVPair = "ssid=VLAN3" > Service-Type = Login-User > Message-Authenticator = 0xb2a3f1fd52d9d6ff9702cc8f1f480f46 > EAP-Message = 0x020600060d00 > NAS-Port-Type = Wireless-802.11 > Cisco-NAS-Port = "260" > NAS-Port = 260 > State = 0x0491685cf8ece3184d685dedfedbb3d4 > NAS-IP-Address = 192.168.9.104 > NAS-Identifier = "ap" > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 18 > modcall[authorize]: module "preprocess" returns ok for request 18 > modcall[authorize]: module "mschap" returns noop for request 18 > rlm_realm: No '@' in User-Name = "TEST4", looking up realm NULL > rlm_realm: No such realm "NULL" > modcall[authorize]: module "suffix" returns noop for request 18 > rlm_eap: EAP packet type response id 6 length 6 > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation > modcall[authorize]: module "eap" returns updated for request 18 > users: Matched entry TEST4 at line 11 > modcall[authorize]: module "files" returns ok for request 18 > modcall: leaving group authorize (returns updated) for request 18 > rad_check_password: Found Auth-Type EAP > auth: type "EAP" > Processing the authenticate section of radiusd.conf > modcall: entering group authenticate for request 18 > rlm_eap: Request found, released from the list > rlm_eap: EAP/tls > rlm_eap: processing type tls > rlm_eap_tls: Authenticate > rlm_eap_tls: processing TLS > rlm_eap_tls: Received EAP-TLS ACK message > rlm_eap_tls: ack handshake is finished > eaptls_verify returned 3 > eaptls_process returned 3 > rlm_eap: Freeing handler > modcall[authenticate]: module "eap" returns ok for request 18 > modcall: leaving group authenticate (returns ok) for request 18 > Login OK: [TEST4/<no User-Password attribute>] (from client ap-test > port 260 cli 000c.f135.f1ba) > Sending Access-Accept of id 19 to 192.168.9.104 port 1645 > Tunnel-Medium-Type:0 = IEEE-802 > Tunnel-Private-Group-Id:0 = "2" > Tunnel-Type:0 = VLAN > MS-MPPE-Recv-Key = > 0x9cb007ac1a5c0cc6da1deaf25177ef52e7f8c195d876f95b2d18ac6106b497da > MS-MPPE-Send-Key = > 0x5cbd4de84c364538ec07001adad683cbbf80a349d0299d4790f4f16389aff161 > EAP-Message = 0x03060004 > Message-Authenticator = 0x00000000000000000000000000000000 > User-Name = "TEST4" > Finished request 18 > > > > The user TEST4 is authenticated with the bad SSID. the check > Cisco-AVPair := "ssid=SSID1" does't work. > What is wrong? I read a lot of mail on this mailing list, I tried the > option with_cisco_hack = yes in the radiusd.conf file but but the > problem is always the same. > I don't understand what is the problem... > > Can someone help me? > > > Thanks a lot to all > > Bye Antonio > - List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
