On Wed, 11 Aug 2010 00:46:56 -0500, James J J Hooper
<[email protected]> wrote:
--On 10 August 2010 17:24 -0500 Thomas Donnelly <[email protected]>
wrote:
Hello All,
There are quite a few components coming into play here so I'm not exactly
sure what's breaking where.
Let me start with explaining our setup:
We use Cisco 1142 AGN lightweight access points connected to a 4402
Wireless LAN Controller.
This controller is doing RADIUS authentication off of FreeRADIUS 1.1.8
(with FreeBSD as the host OS) on our primary SSID.
When people authenticate it replies with Tunnel-Private-Group-ID based on
their username/group. This puts them in the correct VLAN for their department.
This works perfectly fine with our Apple Laptops, iPhones, and iPads.
However, when I join with my Android phone or my N900 (Maemo), I get put
in the default VLAN for the SSID. After some digging I found the following:
When joining from the Apple devices, the User-Name comes across as
Tue Aug 10 17:13:03 2010
User-Name = "[email protected]"
When joining from my Android, it comes across as:
Tue Aug 10 11:26:53 2010
User-Name = "1fT6ESzC4Dbj9oIpiJjjfg=="
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because I get an IP address (in
the incorrect VLAN) and can surf the net, and if I mistype the password I
get an authentication failure.
However when it tries to do a match for the username to determine their
group/vlan it fails because we don't have any users with that user name.
Has anyone seen this before or have any leads I should follow?
Hi Tom,
Several small devices (phones etc) send a string such as above as the
*outer* user-name - if you don't like this you need to re-config the
device where possible [1].
More importantly, it seems you might be deciding VLAN based on the outer
user-name in the request - this is bad (arbitrarily spoofable). You
should use the EAP inner user-name.
* Upgrading to 2.1.x will make the inner/outer sessions much easier to
configure and verify.
* Running radiusd -X [& post here] will confirm if this is the problem.
[1] Maemo: After configuring, you need to click the Advanced-settings
button, change to the EAP page, select 'Use manual user name' and enter
whatever you want in the box.
(<http://www.wireless.bris.ac.uk/getconnected/services/eduroam/go-anything/#anomalies>)
Regards,
James
--
James J J Hooper
Network Specialist
Information Services
University of Bristol
http://www.wireless.bristol.ac.uk http://www.jamesjj.net
--
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
Just to finish my follow-up.
Using the link provided by James my n900 now works perfectly.
Using Android 2.2 I had to put the username in both the identity and the
anonymous identity and it worked correctly.
I am still figuring out how to make it auth based on the internal username
rather than the external.
Thanks again to everyone who replied; it was very helpful.
-=tom
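The configuration below is an added example, not part of the thread above and not FreeRADIUS project documentation. It shows the approach James recommends: let the PEAP/TTLS inner identity (the one the password is actually checked against) decide the VLAN, and ignore the outer identity, which a client can set to anything. It assumes the FreeRADIUS 2.1.x layout (raddb/eap.conf and raddb/sites-enabled/inner-tunnel) that James suggests upgrading to; the username prefixes and VLAN numbers are hypothetical placeholders.

```conf
# --- raddb/eap.conf (FreeRADIUS 2.1.x): only the ttls/peap subsections shown,
# the rest of the eap { } block is left as shipped.
#
# use_tunneled_reply = yes makes reply attributes set by the inner-tunnel
# virtual server (Tunnel-* below) land in the outer Access-Accept that the
# WLC sees. Without it the VLAN decision made on the inner identity is dropped.
ttls {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}
peap {
    default_eap_type = mschapv2
    copy_request_to_tunnel = no
    use_tunneled_reply = yes
    virtual_server = "inner-tunnel"
}

# --- raddb/sites-enabled/inner-tunnel: post-auth section.
# Inside this virtual server, User-Name is the identity carried *inside* the
# TLS tunnel, i.e. the one that was just authenticated. The outer identity
# ("anonymous", a base64-looking blob, or a spoofed colleague's name) never
# reaches this section, so the VLAN mapping cannot be steered by the client.
post-auth {
    # Hypothetical department rules; replace with your own group lookup
    # (e.g. an LDAP group check) keyed on the inner identity.
    if (User-Name =~ /^it-/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "30"
        }
    }
    elsif (User-Name =~ /^hr-/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "40"
        }
    }
    else {
        # Fail closed: a user with no department mapping gets an
        # Access-Reject instead of silently landing in the SSID's default VLAN,
        # which is exactly the symptom described in the thread.
        reject
    }
}
```

Two things to check once this is in place. First, run `radiusd -X` and confirm that the Tunnel-* attributes are printed in the "(N) Sending Access-Accept" block of the *outer* request, not only in the inner-tunnel debug output; if they appear only inside the tunnel, `use_tunneled_reply` is not taking effect. Second, make sure the outer `default` virtual server no longer sets Tunnel-* attributes from the outer User-Name: the Android 2.2 workaround of putting the real username in the anonymous-identity field only makes an outer-identity lookup succeed, it does not make that identity trustworthy, since anyone can type a different name into that field.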
--
Using Opera's revolutionary email client: http://www.opera.com/mail/