I tried to configure my users file like this:

-----
test    NasPort-Type == Ethernet
        Service-Type = Framed-User,
        Tunnel-Type += 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-ID = 2
-----------------

It fails again..... This is my log:

Did anyone succeed in implementing dynamic vlan with freeradius and a cisco NAS ?

Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client UNKNOWN-CLIENT port 0)
Sending Access-Challenge of id 4 to 192.168.16.1:1645
        EAP-Message = 0x011000261900170301001bd4e8059152ae62965c42a62ed4c9b3eba7e2799c38360c36f9aa3b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x87e7da01825313ef863cbec3870f5f13
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=5, length=174
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x87e7da01825313ef863cbec3870f5f13
        EAP-Message = 0x021000261900170301001b7096000eb8d9889a7e0e9cef0e9d571e10320adf07ee2420aa4c89
        Message-Authenticator = 0xf8383223d8b51167662f1641a6b2508c
Login OK: [CSB\\test/<no User-Password attribute>] (from client 192.168.16.1 port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 5 to 192.168.16.1:1645
        MS-MPPE-Recv-Key = 0x3940d6891cb90e7db626720c8d65e4d838b8ab0047da30993ea2dc35508e985e
        MS-MPPE-Send-Key = 0xb1d3912b4dba0f726cce333da644b1fc59da0d3bd0624f11db1449d8829fe081
        EAP-Message = 0x03100004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "CSB\\test"

2007/3/12, Edvin Seferovic <[EMAIL PROTECTED]>:
Hi,

please respond to the freeradius mailing list.... I am not sure if you can use EAP to make a comparison.. but anyway you will need two = ( == ) instead of one = ( = )... Try setting

test    NAS-Port-Type == Ethernet
        Tunnel-Type += 13,
        .........

Regards,
E:S
________________________________________
----------------------------------------

Hi,

I tried this but I never see anything about vlan in my freeradius log !! My user stays in the default VLAN !!! Is my user's definition in the users file correct ?

---------
test    Auth-Type = EAP
        Tunnel-Type += 13,
        Tunnel-Medium-Type += 6,
        Tunnel-Private-Group-Id += 2,
        Fall-Through += No
-------

Thanks....

Sending Access-Challenge of id 148 to 192.168.16.1:1645
        EAP-Message = 0x019500201900170301001594b0749a153a5db24986ad5b383747d599cefa165e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfaadc1f3fdcd54caba3eb520194cbda4
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=149, length=172
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0xfaadc1f3fdcd54caba3eb520194cbda4
        EAP-Message = 0x0295002419001703010019d71271328e83be4bb86e90cb9cf78a13f6e92985f71a24f71b
        Message-Authenticator = 0x6534f60da4b6f525ae500bcdc1f1b683
rlm_eap_mschapv2: Issuing Challenge
Sending Access-Challenge of id 149 to 192.168.16.1:1645
        EAP-Message = 0x019600391900170301002e35934ed543adc3872069178f99dad4cef4ddb3891fae093be210029063523c48015aeb6aa2e3d4eb17fd39890382
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1b1b2139747f2fd4a4bbb4f9f279eb11
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=150, length=226
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x1b1b2139747f2fd4a4bbb4f9f279eb11
        EAP-Message = 0x0296005a1900170301004f8e53cc58384cebdce1096ef486e518b9efd644cb4029eb633ef3f06b1682f03fed4152d8f5eac2bd535a02befb274d4a591c3e60910efcec65ba22d6d5c33c8a50797ccfca8f0c7c57bc2287068b2d
        Message-Authenticator = 0x416672a07b4421f704970f07db03e442
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB --username=test --challenge=3e2e4fe28bd9b464 --nt-response=927de3350c738b570a464aeac694ca367884505006ceb2af
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
Sending Access-Challenge of id 150 to 192.168.16.1:1645
        EAP-Message = 0x0197004a1900170301003fc00a2f7339369e45babdf23184b0f04fb295d015a9bd4316050da913d6538bf4329c8c46835179297980a5b669ce00e7b984fa8368858b6db4cea48759d7c1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7ef7f6d05a6f3d00427213ecb574faa2
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=151, length=165
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x7ef7f6d05a6f3d00427213ecb574faa2
        EAP-Message = 0x0297001d190017030100128fca90d7480fc827988c01b59ca594725eda
        Message-Authenticator = 0xf453065f5ccd452281e10cf4fcce3d8a
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client UNKNOWN-CLIENT port 0)
Sending Access-Challenge of id 151 to 192.168.16.1:1645
        EAP-Message = 0x019800261900170301001b424c8e15103d6091ff787a4a81a9d7f36e071506fee1dd9365f827
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x00edbd8474f305a438e2129b69d8d833
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=152, length=174
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x00edbd8474f305a438e2129b69d8d833
        EAP-Message = 0x029800261900170301001bae5f10c31db3214c9b97a5a5f8a4c027e3e599ea4820750c43764c
        Message-Authenticator = 0x3b5bfbac96e06c7751c2c9405fd8bd0e
Login OK: [CSB\\test/<no User-Password attribute>] (from client 192.168.16.1 port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 152 to 192.168.16.1:1645
        MS-MPPE-Recv-Key = 0xa159f53b8ccddbfe198e451f9e34f4572525e4257bf0a2ef0d62f9b829de2405
        MS-MPPE-Send-Key = 0x57d9ef257640d9cf18b06cf26ddca8083e2484464499e2b9b74c8ac5ccd6a213
        EAP-Message = 0x03980004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "CSB\\test"

2007/3/9, Bruno Mardirossian <[EMAIL PROTECTED]>:

Thanks, I will try this on Monday.... The rest of my configuration for the user "test" in the users file seems to be correct ?

2007/3/9, Edvin Seferovic <[EMAIL PROTECTED]>:

http://wiki.freeradius.org/Operators

Hint += <<<< for Tunnel-Type !

Regards,
E:S
________________________________________
From: freeradius-users-bounces+edvin.seferovic=[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bruno Mardirossian
Sent: Friday, 09 March 2007 03:49
To: freeradius-users@lists.freeradius.org
Subject: Freeradius and vlan assignment

Hello!
I am working on implementing freeradius with a cisco 3750 switch connected to freeradius, which then talks to AD. (The linux box is on the AD domain.) Anyway, we try to make vlan assignment by using the 'users' file. We created a user named 'test' on my AD server, and we created this section in the file users:

test    Auth-Type := MS-CHAP
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 2

The user is correctly authenticated by AD, but he is put in the default vlan (id 1) and not in the vlan defined in the file 'users' (id 2). By the way, reading the radiusd output, I think that freeradius does not read my users file... I didn't see in the log anything about the Tunnel-Type or Tunnel-Private-Group-Id information....

Anyone have any thoughts?

Regards
Bruno

        Message-Authenticator = 0xa309657e84ce8131d67aa64d9a491059
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 6
rlm_eap: EAP packet type response id 6 length 90
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to CSB\test
PEAP: Adding old state with 86 79
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 6
rlm_eap: EAP packet type response id 6 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
mschap2: 9a
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=CSB --username=test --challenge=0529c10bac22a3fa --nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB --username=test --challenge=0529c10bac22a3fa --nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 6
modcall: group Auth-Type returns ok for request 6
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 138 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0107004a1900170301003f58b6111cc333922058a5d79f63641e19ae7154e3504573da98346c88f080fe8ee04ad4b50f3cdc52fd02e8909b9f8f9a439730b7cee4654c18135432e651e7
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=139, length=165
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
        EAP-Message = 0x0207001d19001703010012b8f868205426ef722e2433e5defa62455113
        Message-Authenticator = 0x2e5a0be42b038b2404f5c93ea27d5387
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 7
rlm_eap: EAP packet type response id 7 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to CSB\test
PEAP: Adding old state with a8 0f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 7
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 7
modcall: group authenticate returns ok for request 7
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client UNKNOWN-CLIENT port 0)
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 139 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010800261900170301001b8d03a63c700234ed33060b7b6b9274d27b9e872a002e885ab9ebf3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x5a28f8fd3d7fde4a88411d022625e022
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=140, length=174
        NAS-IP-Address = 192.168.16.1
        NAS-Port = 50147
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
        Called-Station-Id = "00-17-5A-1B-28-B3"
        Calling-Station-Id = "00-04-75-85-8F-61"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x5a28f8fd3d7fde4a88411d022625e022
        EAP-Message = 0x020800261900170301001b44c1c9880e33cd6e472ba624ff53ee4f53e1588d0da394c02c0522
        Message-Authenticator = 0x50fd41edb7beeee318cfd915201602f4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 8
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [CSB\\test/<no User-Password attribute>] (from client reseau16 port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 140 to 192.168.16.1:1645
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-MPPE-Recv-Key = 0xf1a6b62d3814b8fc8f3ac5601a89ddacc1c47c4387e21b35fe33bdbffaf15486
        MS-MPPE-Send-Key = 0x1ba3df6508e8c7f03112980ae8e1255bfec5c05ab397c927a9b56be7335714fd
        EAP-Message = 0x03080004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "CSB\\test"
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 132 with timestamp 45f0c882
Cleaning up request 1 ID 133 with timestamp 45f0c882
Cleaning up request 2 ID 134 with timestamp 45f0c882
Cleaning up request 3 ID 135 with timestamp 45f0c882
Cleaning up request 4 ID 136 with timestamp 45f0c882
Cleaning up request 5 ID 137 with timestamp 45f0c882
Cleaning up request 6 ID 138 with timestamp 45f0c882
Cleaning up request 7 ID 139 with timestamp 45f0c882
Cleaning up request 8 ID 140 with timestamp 45f0c882
Nothing to do. Sleeping until we see a request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
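An added diagnostic, not code from this thread or from the FreeRADIUS project: a Python script that reads radiusd -X output of the kind posted above (the sample lines below are constructed, modelled on the thread's log) and lists the reasons a switch would leave the port in its default VLAN. It checks the three things the log above lets a reader verify: whether the users entry can ever match (rlm_files matches the entry name against User-Name, and every request here carries "CSB\\test", which is why only DEFAULT entries are matched), whether the Access-Accept carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id, and whether the "Found 2 auth-types" warning appeared. Attribute names and values follow RFC 3580 (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802); the line formats assumed are those of the FreeRADIUS 1.x debug output shown in the thread.

```python
import re

# Constructed radiusd -X excerpt modelled on the thread's log (payloads shortened); not the original
BROKEN_LOG = r"""
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=140, length=174
        NAS-Port-Type = Ethernet
        User-Name = "CSB\\test"
    users: Matched entry DEFAULT at line 165
    users: Matched entry DEFAULT at line 184
Warning:  Found 2 auth-types on request for user 'CSB\test'
Sending Access-Accept of id 140 to 192.168.16.1:1645
        EAP-Message = 0x03080004
        User-Name = "CSB\\test"
"""
# Constructed picture of a working exchange: the entry matched and the Accept carries the
# three RFC 3580 tunnel attributes (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802)
FIXED_LOG = r"""
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=141, length=170
        User-Name = "test"
    users: Matched entry test at line 12
Sending Access-Accept of id 141 to 192.168.16.1:1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        User-Name = "test"
"""
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

def parse_packets(log):
    """Group the indented attribute lines under the rad_recv/Sending line above them."""
    packets = []
    for line in log.splitlines():
        hdr = re.match(r"rad_recv: (\S+) packet|Sending (\S+) of id", line)
        # the ":0" tag suffix is dropped, so Tunnel-Type:0 is recorded as Tunnel-Type
        attr = re.match(r"\s+([A-Za-z][\w-]*)(?::\d+)?\s*=\s*(\S.*)", line)
        if hdr:
            packets.append({"kind": hdr.group(1) or hdr.group(2), "attrs": {}})
        elif attr and packets:
            packets[-1]["attrs"][attr.group(1)] = attr.group(2).strip('"')
    return packets

def check_vlan_assignment(log, entry_name):
    """Reasons the switch would leave the port in its default VLAN ([] = none found)."""
    packets = parse_packets(log)
    findings = []
    names = sorted({p["attrs"].get("User-Name", "") for p in packets if p["kind"] == "Access-Request"})
    # rlm_files matches the entry name against User-Name, so 'test' never matches "CSB\\test"
    if entry_name not in names:
        findings.append(f"entry '{entry_name}' cannot match User-Name {names}")
    matched = sorted(set(re.findall(r"users: Matched entry (\S+) at line", log)))
    if entry_name not in matched:
        findings.append(f"users file matched only {matched}; reply items of '{entry_name}' never added")
    if "Found 2 auth-types" in log:
        findings.append("two Auth-Types found on the request (see the radiusd warning)")
    for accept in (p for p in packets if p["kind"] == "Access-Accept"):
        missing = [a for a in VLAN_ATTRS if a not in accept["attrs"]]
        if missing:
            findings.append("Access-Accept lacks " + ", ".join(missing))
    return findings
```

To use it on a real capture, replace the constructed strings with the contents of a saved radiusd -X transcript and call check_vlan_assignment(log, "<entry name>").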