[EMAIL PROTECTED] wrote:
> Dear all,
> I try to put my Windows-XP-Clients in different VLANs on my Cisco Catalyst 3750
> Switch, depending on their Account.
> And I use two different authentication methods: MD5-Challenge and MS-CHAP.
> User hugo should be mapped in VLAN 50 and authenticated via MD5-Challenge
> User roka at Domain WINLAB should be mapped in VLAN 40 and authenticated via
> MS-CHAP
> Now both authentications work (thanks to all again) but I have difficulties
> mapping user roka into his right VLAN.
> Here is my users file:
> -----------------------snip------------------------
> hugo User-Password == "hugo01"
>     Tunnel-Type = VLAN,
>     Tunnel-Medium-Type = 6,
>     Tunnel-Private-Group-ID = 50
> roka Auth-Type := MS-CHAP
>     Tunnel-Type = VLAN,
>     Tunnel-Medium-Type = 6,
>     Tunnel-Private-Group-ID = 40
Do NOT set Auth-Type. If your server is properly configured, it is not
needed and can cause problems. In this case, it should not be causing
the problem.
Just to check - that's the ENTIRE users file, yes?
> ---------------------snap--------------------------
> Here is the output of my radiusd with user hugo
> The Cisco-Switch maps user hugo in VLAN 50:
> Login OK: [hugo/<no User-Password attribute>] (from client M4DEMRCO0000015 port
> 50103 cli 00-0B-5D-84-AE-CA)
> Sending Access-Accept of id 210 to 10.187.0.15 port 1645
>     Tunnel-Type:0 = VLAN
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Private-Group-Id:0 = "50"
>     EAP-Message = 0x03010004
>     Message-Authenticator = 0x00000000000000000000000000000000
>     User-Name = "hugo"
> Finished request 1
> Going to the next request
> Here is the output with user roka
> The Cisco-Switch maps user roka in VLAN 1, and NOT in VLAN 40; I am missing the
> Tunnel information:
> Login OK: [WINLAB\\roka/<no User-Password attribute>] (from client
> M4DEMRCO0000015 port 50103 cli 00-0B-AA-84-AE-CA)
> Sending Access-Accept of id 220 to 10.187.0.15 port 1645
>     Framed-IP-Address = 255.255.255.254
>     Framed-MTU = 576
>     Service-Type = Framed-User
>     MS-MPPE-Recv-Key = 0x70235fcdc1bc208578d0a26edb3c6d0b09f7cb712d4e9b66e7b2bea5b159c4f2
>     MS-MPPE-Send-Key = 0x6208fd4f8c1d2cd07a5e4597c98707dc70c94f29898eb0672e4572808efbd13d
>     EAP-Message = 0x03090004
>     Message-Authenticator = 0x00000000000000000000000000000000
>     User-Name = "WINLAB\\roka"
> Finished request 9
> Going to the next request
This is not helpful. Send the full debugging output prior to this, so we
can see what modules matched. If you're going to trim, start from the
point the radius server is idling, not the very last packet.
In all probability, your problem is that you're using PEAP rather than
just MS-CHAP, and the tunnel attributes are being set on the inner
MS-CHAP reply, but not being copied to the outer EAP reply.
Make sure you have this in eap.conf:
eap {
    # rest of config, then
    peap {
        # rest of config, then
        use_tunneled_reply = yes
    }
}
You may also need:
eap {
    # rest of config, then
    peap {
        # rest of config, then
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}
...if you want to match on other attributes in the request than username
at a later date.
> So, any ideas what to do so that for user roka my radiusd also says the Tunnel
> things to my Switch:
>     Tunnel-Type:0 = VLAN
>     Tunnel-Medium-Type:0 = IEEE-802
>     Tunnel-Private-Group-Id:0 = "40"
That's expected and normal. See RFC 2868. The number is a tag, as you
can specify multiple tunnel-* attribute sets. The tag groups them
together, and FreeRadius sets it to zero for the common case of one set.
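As an added example (not code from this thread or from FreeRADIUS itself), here is a small Python check that encodes the RFC 2868 tagged VLAN triple as it goes on the wire, including the tag byte that shows up as ":0" in the debug output, and that parses a "Sending Access-Accept" block from radiusd -X to report which VLAN, if any, the switch will be told to use. The two sample blocks are constructed from the log excerpts quoted above; the roka block is the one that comes back without a VLAN when the inner reply is not copied to the outer PEAP reply.

```python
import re
import struct
# Attribute numbers and values from RFC 2868 / RFC 3580 for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def encode_tagged_int(attr, tag, value):
    """Tagged integer: Type, Length, Tag, 3-byte value (RFC 2868 sections 3.1/3.2)."""
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def encode_tagged_string(attr, tag, text):
    """Tagged string: Type, Length, Tag, String (RFC 2868 section 3.6)."""
    data = text.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data

def vlan_reply_attributes(vlan_id, tag=0):
    """Wire form of the three attributes a switch needs to put the port in vlan_id.
    Tag 0 is what FreeRADIUS emits for a single set (the ':0' in the debug log)."""
    return (encode_tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))

# One 'Name[:tag] = value' line as printed by radiusd -X under 'Sending Access-Accept'.
ATTR_RE = re.compile(r'^\s*([\w-]+)(?::(\d+))?\s*=\s*"?([^"]*?)"?\s*$')

def assigned_vlan(accept_debug):
    """VLAN ID announced by an Access-Accept debug block, or None when no complete,
    consistently tagged Tunnel-Type/Medium-Type/Private-Group-Id set is present."""
    sets = {}
    for line in accept_debug.splitlines():
        m = ATTR_RE.match(line)
        if m and m.group(1).lower().startswith("tunnel-"):
            sets.setdefault(m.group(2) or "0", {})[m.group(1).lower()] = m.group(3)
    for attrs in sets.values():
        if (attrs.get("tunnel-type") == "VLAN"
                and attrs.get("tunnel-medium-type") == "IEEE-802"
                and "tunnel-private-group-id" in attrs):
            return attrs["tunnel-private-group-id"]
    return None

# Constructed samples mirroring the two Access-Accept blocks quoted in the thread.
HUGO_ACCEPT = """Sending Access-Accept of id 210 to 10.187.0.15 port 1645
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "50"
"""
ROKA_ACCEPT = """Sending Access-Accept of id 220 to 10.187.0.15 port 1645
\tFramed-MTU = 576
\tService-Type = Framed-User
"""
```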
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html