I tried to configure my users file like this :
-----
test NasPort-Type == Ethernet
Service-Type = Framed-User,
Tunnel-Type +=13,
Tunnel-Medium-Type =6,
Tunnel-Private-Group-ID =2
-----------------
It fails again .....
This is my log :
Did anyone succeded in implementing dynamic vlan with freeradius and a cisco
NAS ?
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client
UNKNOWN-CLIENT port 0)
Sending Access-Challenge of id 4 to 192.168.16.1:1645
EAP-Message =
0x011000261900170301001bd4e8059152ae62965c42a62ed4c9b3eba7e2799c38360c36f9aa3b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x87e7da01825313ef863cbec3870f5f13
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=5,
length=174
NAS-IP-Address = 192.168.16.1
NAS-Port = 50147
NAS-Port-Type = Ethernet
User-Name = "CSB\\test"
Called-Station-Id = "00-17-5A-1B-28-B3"
Calling-Station-Id = "00-04-75-85-8F-61"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x87e7da01825313ef863cbec3870f5f13
EAP-Message =
0x021000261900170301001b7096000eb8d9889a7e0e9cef0e9d571e10320adf07ee2420aa4c89
Message-Authenticator = 0xf8383223d8b51167662f1641a6b2508c
Login OK: [CSB\\test/<no User-Password attribute>] (from client
192.168.16.1port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 5 to 192.168.16.1:1645
MS-MPPE-Recv-Key =
0x3940d6891cb90e7db626720c8d65e4d838b8ab0047da30993ea2dc35508e985e
MS-MPPE-Send-Key =
0xb1d3912b4dba0f726cce333da644b1fc59da0d3bd0624f11db1449d8829fe081
EAP-Message = 0x03100004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "CSB\\test"
2007/3/12, Edvin Seferovic <[EMAIL PROTECTED]>:
Hi,
please respond to freeradius mailing list....
I am not sure if you can use EAP to make a comparation.. but anyway you
will
need two = ( == ) instead of one = ( = )...
Try setting
test NAS-Port-Type == Ethernet
Tunnel-Type += 13,
.........
Regards,
E:S
________________________________________
----------------------------------------
Hi,
I tried this but i never see anything about vlan in my freeradius log !!
My
user stay in default VLAN !!!
Is my user's definition in the users file correct ?
---------
test Auth-Type = EAP
Tunnel-Type += 13,
Tunnel-Medium-Type += 6,
Tunnel-Private-Group-Id += 2,
Fall-Through += No
-------
Thanks....
Sending Access-Challenge of id 148 to 192.168.16.1:1645
EAP-Message =
0x019500201900170301001594b0749a153a5db24986ad5b383747d599cefa165e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfaadc1f3fdcd54caba3eb520194cbda4
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=149,
length=172
NAS-IP-Address = 192.168.16.1
NAS-Port = 50147
User-Name = "CSB\\test"
Called-Station-Id = "00-17-5A-1B-28-B3"
Calling-Station-Id = "00-04-75-85-8F-61"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xfaadc1f3fdcd54caba3eb520194cbda4
EAP-Message =
0x0295002419001703010019d71271328e83be4bb86e90cb9cf78a13f6e92985f71a24f71b
Message-Authenticator = 0x6534f60da4b6f525ae500bcdc1f1b683
rlm_eap_mschapv2: Issuing Challenge
Sending Access-Challenge of id 149 to 192.168.16.1:1645
EAP-Message =
0x019600391900170301002e35934ed543adc3872069178f99dad4cef4ddb3891fae093be210
029063523c48015aeb6aa2e3d4eb17fd39890382
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1b1b2139747f2fd4a4bbb4f9f279eb11
rad_recv: Access-Request packet from host 192.168.16.1:1645 , id=150,
length=226
NAS-IP-Address = 192.168.16.1
NAS-Port = 50147
NAS-Port-Type = Ethernet
User-Name = "CSB\\test"
Called-Station-Id = "00-17-5A-1B-28-B3"
Calling-Station-Id = "00-04-75-85-8F-61"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1b1b2139747f2fd4a4bbb4f9f279eb11
EAP-Message =
0x0296005a1900170301004f8e53cc58384cebdce1096ef486e518b9efd644cb4029eb633ef3
f06b1682f03fed4152d8f5eac2bd535a02befb274d4a591c3e60910efcec65ba22d6d5c33c8a
50797ccfca8f0c7c57bc2287068b2d
Message-Authenticator = 0x416672a07b4421f704970f07db03e442
radius_xlat: Running registered xlat function of module mschap for string
'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=3e2e4fe28bd9b464
--nt-response=927de3350c738b570a464aeac694ca367884505006ceb2af
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
Sending Access-Challenge of id 150 to 192.168.16.1:1645
EAP-Message =
0x0197004a1900170301003fc00a2f7339369e45babdf23184b0f04fb295d015a9bd4316050d
a913d6538bf4329c8c46835179297980a5b669ce00e7b984fa8368858b6db4cea48759d7c1
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7ef7f6d05a6f3d00427213ecb574faa2
rad_recv: Access-Request packet from host 192.168.16.1:1645 , id=151,
length=165
NAS-IP-Address = 192.168.16.1
NAS-Port = 50147
NAS-Port-Type = Ethernet
User-Name = "CSB\\test"
Called-Station-Id = "00-17-5A-1B-28-B3"
Calling-Station-Id = "00-04-75-85-8F-61"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x7ef7f6d05a6f3d00427213ecb574faa2
EAP-Message =
0x0297001d190017030100128fca90d7480fc827988c01b59ca594725eda
Message-Authenticator = 0xf453065f5ccd452281e10cf4fcce3d8a
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client
UNKNOWN-CLIENT port 0)
Sending Access-Challenge of id 151 to 192.168.16.1:1645
EAP-Message =
0x019800261900170301001b424c8e15103d6091ff787a4a81a9d7f36e071506fee1dd9365f8
27
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x00edbd8474f305a438e2129b69d8d833
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=152,
length=174
NAS-IP-Address = 192.168.16.1
NAS-Port = 50147
NAS-Port-Type = Ethernet
User-Name = "CSB\\test"
Called-Station-Id = "00-17-5A-1B-28-B3"
Calling-Station-Id = "00-04-75-85-8F-61"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x00edbd8474f305a438e2129b69d8d833
EAP-Message =
0x029800261900170301001bae5f10c31db3214c9b97a5a5f8a4c027e3e599ea4820750c4376
4c
Message-Authenticator = 0x3b5bfbac96e06c7751c2c9405fd8bd0e
Login OK: [CSB\\test/<no User-Password attribute>] (from client
192.168.16.1
port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 152 to 192.168.16.1:1645
MS-MPPE-Recv-Key =
0xa159f53b8ccddbfe198e451f9e34f4572525e4257bf0a2ef0d62f9b829de2405
MS-MPPE-Send-Key =
0x57d9ef257640d9cf18b06cf26ddca8083e2484464499e2b9b74c8ac5ccd6a213
EAP-Message = 0x03980004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "CSB\\test"
2007/3/9, Bruno Mardirossian <[EMAIL PROTECTED]>:
Thanks i will try this on Monday....
The rest of my configuration for the user "test" in the users file seem to
be correct ?
2007/3/9, Edvin Seferovic < [EMAIL PROTECTED]>:
http://wiki.freeradius.org/Operators
Hint += <<<< for Tunnel-Type !
Regards,
E:S
________________________________________
From: freeradius-users-bounces+edvin.seferovic=
[EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED] ] On
Behalf Of Bruno Mardirossian
Sent: Freitag, 09. März 2007 03:49
To: freeradius-users@lists.freeradius.org
Subject: Freeradius and vlan assignment
Hello!
I am working on implementing freeradius with a cisco 3750 switch
connected to freeradius , which then talks to AD.(The linux box is on the
AD domain)
Anyway, wetry to make vlan assignment by using the 'users' file .
We create a user named 'test' on my AD server , and we created this
section
in the file users :
test Auth-Type := MS-CHAP
Tunnel-Type = 13,
Tunnel-Medium-Type = 6,
Tunnel-Private-Group-Id = 2
The user is correctly authenticated by AD, buthe is put in the default
vlan ( id 1 ) and not in the vlan defined in the file 'users' ( id 2 ) .
By the way, readind the radiusd output , i think that freeradius does not
read my users file...i didn't see int he log anything about the
Tunnel-Type
or Tunnel-Private-Group-Id informations....
Anyone have any thoughts?
Regards
Bruno
Message-Authenticator = 0xa309657e84ce8131d67aa64d9a491059
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 6
rlm_eap: EAP packet type response id 6 length 90
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to CSB\test
PEAP: Adding old state with 86 79
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 6
rlm_eap: EAP packet type response id 6 length 67
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "mschap" returns noop for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for test with NT-Password
radius_xlat: Running registered xlat function of module mschap for string
'NT-Domain'
radius_xlat: Running registered xlat function of module mschap for string
'User-Name'
radius_xlat: Running registered xlat function of module mschap for string
'Challenge'
mschap2: 9a
radius_xlat: Running registered xlat function of module mschap for string
'NT-Response'
radius_xlat: '/usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=0529c10bac22a3fa
--nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain=CSB
--username=test --challenge=0529c10bac22a3fa
--nt-response=4b1e21679b85263858da26874073491971a58f8bfc024456
Exec-Program output: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program-Wait: plaintext: NT_KEY: 2066656E05C22F3A995AD9ECFED913D6
Exec-Program: returned: 0
rlm_mschap: adding MS-CHAPv2 MPPE keys
modcall[authenticate]: module "mschap" returns ok for request 6
modcall: group Auth-Type returns ok for request 6
MSCHAP Success
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
PEAP: Got tunneled Access-Challenge
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 138 to 192.168.16.1:1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x0107004a1900170301003f58b6111cc333922058a5d79f63641e19ae7154e3504573da9834
6c88f080fe8ee04ad4b50f3cdc52fd02e8909b9f8f9a439730b7cee4654c18135432e651e7
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645, id=139,
length=165
NAS-IP-Address = 192.168.16.1
NAS-Port = 50147
NAS-Port-Type = Ethernet
User-Name = "CSB\\test"
Called-Station-Id = "00-17-5A-1B-28-B3"
Calling-Station-Id = "00-04-75-85-8F-61"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x1f45be689bd5bd8a6d8ace2af886bb6c
EAP-Message =
0x0207001d19001703010012b8f868205426ef722e2433e5defa62455113
Message-Authenticator = 0x2e5a0be42b038b2404f5c93ea27d5387
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 7
rlm_eap: EAP packet type response id 7 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: EAP type mschapv2
rlm_eap_peap: Tunneled data is valid.
PEAP: Setting User-Name to CSB\test
PEAP: Adding old state with a8 0f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
users: Matched entry DEFAULT at line 165
modcall[authorize]: module "files" returns ok for request 7
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
modcall[authorize]: module "mschap" returns noop for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/mschapv2
rlm_eap: processing type mschapv2
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 7
modcall: group authenticate returns ok for request 7
Trying to look up name of unknown client 127.0.0.1.
Login OK: [CSB\\test/<no User-Password attribute>] (from client
UNKNOWN-CLIENT port 0)
PEAP: Tunneled authentication was successful.
rlm_eap_peap: SUCCESS
modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 139 to 192.168.16.1:1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message =
0x010800261900170301001b8d03a63c700234ed33060b7b6b9274d27b9e872a002e885ab9eb
f3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5a28f8fd3d7fde4a88411d022625e022
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.16.1:1645 , id=140,
length=174
NAS-IP-Address = 192.168.16.1
NAS-Port = 50147
NAS-Port-Type = Ethernet
User-Name = "CSB\\test"
Called-Station-Id = "00-17-5A-1B-28-B3"
Calling-Station-Id = "00-04-75-85-8F-61"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x5a28f8fd3d7fde4a88411d022625e022
EAP-Message =
0x020800261900170301001b44c1c9880e33cd6e472ba624ff53ee4f53e1588d0da394c02c05
22
Message-Authenticator = 0x50fd41edb7beeee318cfd915201602f4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "chap" returns noop for request 8
rlm_realm: No '@' in User-Name = "CSB\test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 8
rlm_eap: EAP packet type response id 8 length 38
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
modcall[authorize]: module "mschap" returns noop for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type MS-CHAP
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'CSB\test'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Tunneled data is valid.
rlm_eap_peap: Success
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 8
modcall: group authenticate returns ok for request 8
Login OK: [CSB\\test/<no User-Password attribute>] (from client reseau16
port 50147 cli 00-04-75-85-8F-61)
Sending Access-Accept of id 140 to 192.168.16.1:1645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
MS-MPPE-Recv-Key =
0xf1a6b62d3814b8fc8f3ac5601a89ddacc1c47c4387e21b35fe33bdbffaf15486
MS-MPPE-Send-Key =
0x1ba3df6508e8c7f03112980ae8e1255bfec5c05ab397c927a9b56be7335714fd
EAP-Message = 0x03080004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "CSB\\test"
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 132 with timestamp 45f0c882
Cleaning up request 1 ID 133 with timestamp 45f0c882
Cleaning up request 2 ID 134 with timestamp 45f0c882
Cleaning up request 3 ID 135 with timestamp 45f0c882
Cleaning up request 4 ID 136 with timestamp 45f0c882
Cleaning up request 5 ID 137 with timestamp 45f0c882
Cleaning up request 6 ID 138 with timestamp 45f0c882
Cleaning up request 7 ID 139 with timestamp 45f0c882
Cleaning up request 8 ID 140 with timestamp 45f0c882
Nothing to do. Sleeping until we see a request.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
