We are modifying the wireless access to our LAN. We are trying to use a Cisco WLC and our freeradius. We've been using this same freeradius for authenticating users against the corporate LDAP. Now we want the WLC to talk to the radius server without losing any functionality like user authentication or vlan assignment.
Our main problem is that the vlan assignment is not working when we use the WLC. The scenario with the APs talking to the radius directly works fine, but when we use lightweight APs and the WLC we can see that the vlan assignment part is skipped by the authentication process and all the users are sent to the same vlan.

The following is the output of the two cases. One of them is a user authenticating without WLC (the AP talks directly to the Radius Server), and the other is an authentication where the WLC talks to the Radius Server (the one that is not working).

- 10.32.2.81 is the WLC IP address.
- 10.32.2.39 is the AP IP address.

WLC Soft Version: 7.0.116.0

These are the outputs:

1) AP - RADIUS (No WLC)
*****************************************************
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205, length=184
    User-Name = "fcanales"
    Framed-MTU = 1400
    Called-Station-Id = "001d.4551.7da0"
    Calling-Station-Id = "5894.6b0d.e86c"
    Service-Type = Login-User
    Message-Authenticator = 0x46192e9a5e4720bd6c721e03d8e6c3b4
    EAP-Message = 0x0208002b19001703010020f7e5545e9d9e05ecff5f8be2d1bc992eeddba82eb4adef509bded9dd6c132712
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 59460
    State = 0xf4160a33f11e13898255a02243c509d6
    NAS-IP-Address = 10.32.2.39
    NAS-Identifier = "ap-Reco32"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - fcanales
[peap] Got tunneled request
    EAP-Message = 0x0208000d016663616e616c6573
server {
PEAP: Got tunneled identity of fcanales
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to fcanales
Sending tunneled request
    EAP-Message = 0x0208000d016663616e616c6573
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "fcanales"
    Framed-MTU = 1400
    Called-Station-Id = "001d.4551.7da0"
    Calling-Station-Id = "5894.6b0d.e86c"
    Service-Type = Login-User
    NAS-Port-Type = Wireless-802.11
    NAS-Port = 59460
    NAS-IP-Address = 10.32.2.39
    NAS-Identifier = "ap-Reco32"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> FALSE
++? if (!Huntgroup-Name) -> FALSE
++? if (Huntgroup-Name == "list")
? Evaluating (Huntgroup-Name == "list") -> TRUE
++? if (Huntgroup-Name == "list") -> TRUE
++- entering if (Huntgroup-Name == "list") {...}
+++? if (Ldap-Group == "WIFI-Direccion")
rlm_ldap: Entering ldap_groupcmp()
    expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
    expand: (uid=%u) -> (uid=fcanales)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales)
rlm_ldap: ldap_release_conn: Release Id: 0
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Direccion)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Direccion not found or user is not a member.
+++? if (Ldap-Group == "WIFI-MKTyCC")
rlm_ldap: Entering ldap_groupcmp()
    expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Finanzas)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Finanzas not found or user is not a member.
+++? if (Ldap-Group == "WIFI-TyO")
rlm_ldap: Entering ldap_groupcmp()
    expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-TyO)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO
rlm_ldap: ldap_release_conn: Release Id: 0
? Evaluating (Ldap-Group == "WIFI-TyO") -> TRUE
+++? if (Ldap-Group == "WIFI-TyO") -> TRUE
+++- entering if (Ldap-Group == "WIFI-TyO") {...}
++++[reply] returns ok
+++- if (Ldap-Group == "WIFI-TyO") returns ok
+++? if (Ldap-Group == "WIFI-ITfuncional")
rlm_ldap: Entering ldap_groupcmp()
    expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
    expand: (&(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{User-Name}})) -> (&(objectClass=posixGroup)(memberUid=fcanales))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (&(cn=WIFI-Monit)(&(objectClass=posixGroup)(memberUid=fcanales)))
rlm_ldap: object not found
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Group WIFI-Monit not found or user is not a member.
++- if (Huntgroup-Name == "list") returns ok
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for fcanales
[ldap] expand: (uid=%u) -> (uid=fcanales)
[ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales)
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x3441313536383141373845384430414446424135364139373343343736374646
rlm_ldap: sambaLmPassword -> LM-Password == 0x4446323634314431373041414432333739433530313441453437313841374545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user fcanales authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "212"
    EAP-Message = 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x158baf111582b5a1fb3a126781117cd4
[peap] Got tunneled reply RADIUS code 11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "212"
    EAP-Message = 0x010900221a0109001d108279970f23460b83f1fffcc6e09626c56663616e616c6573
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x158baf111582b5a1fb3a126781117cd4
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 205 to 10.32.2.39 port 1645
    EAP-Message = 0x0109004b19001703010040640c0cb308474b42ecc083db0b3f47c66731a31c01801dde9b162f50d5bde13456412ab71e4d7d0e743b50cc42e91bba22dabeb375116f48b625e9691a3d3932
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xf4160a33f21f13898255a02243c509d6
Finished request 38.
*****************************************************

2) WLC - RADIUS
*****************************************************
rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119, length=280
    User-Name = "fcanales"
    Calling-Station-Id = "58-94-6b-0d-e8-6c"
    Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
    NAS-Port = 1
    Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
    NAS-IP-Address = 10.32.2.81
    NAS-Identifier = "Iplan_wcs"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "60"
    EAP-Message = 0x0208002b190017030100200c857843d879e361aad79c8a2dccee6de8b04225d90b753a81b636a8090f0193
    State = 0xcb0bb3aace03aab2864a9aacb255d323
    Message-Authenticator = 0x62ca91e9e88fbba794e6e51db7aa67ec
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - fcanales
[peap] Got tunneled request
    EAP-Message = 0x0208000d016663616e616c6573
server {
PEAP: Got tunneled identity of fcanales
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to fcanales
Sending tunneled request
    EAP-Message = 0x0208000d016663616e616c6573
    FreeRADIUS-Proxied-To = 127.0.0.1
    User-Name = "fcanales"
    Calling-Station-Id = "58-94-6b-0d-e8-6c"
    Called-Station-Id = "30-37-a6-4b-9f-90:IReconquista"
    NAS-Port = 1
    Cisco-AVPair = "audit-session-id=0a2002510000000f4eaaf051"
    NAS-IP-Address = 10.32.2.81
    NAS-Identifier = "Iplan_wcs"
    Airespace-Wlan-Id = 1
    Service-Type = Framed-User
    Framed-MTU = 1300
    NAS-Port-Type = Wireless-802.11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "60"
server inner-tunnel {
+- entering group authorize {...}
++[preprocess] returns ok
++? if (!Huntgroup-Name)
? Evaluating !(Huntgroup-Name) -> TRUE
++? if (!Huntgroup-Name) -> TRUE
++- entering if (!Huntgroup-Name) {...}
+++[reply] returns ok
++- if (!Huntgroup-Name) returns ok
++? if (Huntgroup-Name == "list")
    (Attribute Huntgroup-Name was not found)
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "fcanales", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for fcanales
[ldap] expand: (uid=%u) -> (uid=fcanales)
[ldap] expand: dc=iplan,dc=com,dc=ar -> dc=iplan,dc=com,dc=ar
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=iplan,dc=com,dc=ar, with filter (uid=fcanales)
[ldap] looking for check items in directory...
rlm_ldap: sambaNtPassword -> NT-Password == 0x3441313536383141373845384430414446424135364139373343343736374646
rlm_ldap: sambaLmPassword -> LM-Password == 0x4446323634314431373041414432333739433530313441453437313841374545
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user fcanales authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Normalizing NT-Password from hex encoding
[pap] Normalizing LM-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "249"
    EAP-Message = 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xab42e29bab4bf81ef23bc50dea94c334
[peap] Got tunneled reply RADIUS code 11
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "249"
    EAP-Message = 0x010900221a0109001d10cc9cc5bb2b5812cf48051342472ad3af6663616e616c6573
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xab42e29bab4bf81ef23bc50dea94c334
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 119 to 10.32.2.81 port 32768
    EAP-Message = 0x0109004b1900170301004075cf3c75c7a8311c01bc5581aac330e49586ce6e0001e8add345d7773aeeacba61b235c462fe0966e565d9e6279f111bf94fa3d8a4bff8a4ce82ab24d65f9c31
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xcb0bb3aacd02aab2864a9aacb255d323
Finished request 48.
Going to the next request
Waking up in 4.9 seconds.
*****************************************************

Thanks for all.

--
Silvero Martin
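An added diagnostic script (not from the post or from FreeRADIUS) that reads a debug trace like the two above and reports, per Access-Request, whether the NAS matched a huntgroup and which VLAN the inner tunnel returned; the sample trace is a constructed abbreviation of the post's own output and the dict keys are names chosen here.

```python
import re

# Constructed excerpt of FreeRADIUS -X output; values come from the post's two traces.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.32.2.39 port 1645, id=205, length=184
\tNAS-IP-Address = 10.32.2.39
++? if (Huntgroup-Name == "list") -> TRUE
rlm_ldap::ldap_groupcmp: User found in group WIFI-TyO
[peap] Got tunneled reply code 11
\tTunnel-Private-Group-Id:0 = "212"
rad_recv: Access-Request packet from host 10.32.2.81 port 32768, id=119, length=280
\tNAS-IP-Address = 10.32.2.81
\tTunnel-Private-Group-Id:0 = "60"
++? if (!Huntgroup-Name) -> TRUE
[peap] Got tunneled reply code 11
\tTunnel-Private-Group-Id:0 = "249"
"""

RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
VLAN = re.compile(r'^\s*Tunnel-Private-Group-Id:\d+ = "([^"]*)"')
HG_HIT = re.compile(r'^\++\? if \(Huntgroup-Name == "([^"]+)"\) -> TRUE')
HG_MISS = re.compile(r"^\++\? if \(!Huntgroup-Name\) -> TRUE")
LDAP_GROUP = re.compile(r"ldap_groupcmp: User found in group (\S+)")

def parse_requests(text):
    """Per request: NAS, matched huntgroup ('' = none), LDAP group, request/reply VLAN."""
    reqs, cur, in_reply = [], {}, False
    for line in text.splitlines():
        if (m := RECV.match(line)):
            cur = dict.fromkeys(("huntgroup", "ldap_group", "vlan_in", "vlan_out"))
            cur["nas"], cur["id"], in_reply = m.group(1), int(m.group(2)), False
            reqs.append(cur)
        elif "Got tunneled reply" in line:
            in_reply = True
        elif (m := VLAN.match(line)):
            # before the tunneled reply the attribute is the NAS's own proposal
            cur["vlan_out" if in_reply else "vlan_in"] = m.group(1)
        elif (m := HG_HIT.match(line)):
            cur["huntgroup"] = m.group(1)
        elif HG_MISS.match(line):
            cur["huntgroup"] = ""  # NAS-IP-Address matched no huntgroups entry
        elif (m := LDAP_GROUP.search(line)):
            cur["ldap_group"] = m.group(1)
    return reqs

def diagnose(req):
    if req["huntgroup"]:
        return (f"NAS {req['nas']}: huntgroup '{req['huntgroup']}' matched, LDAP group "
                f"{req['ldap_group']} -> VLAN {req['vlan_out']}")
    return (f"NAS {req['nas']}: no huntgroups entry, LDAP group checks skipped, "
            f"default reply VLAN {req['vlan_out']} sent")
```

Run over the WLC trace this reports that 10.32.2.81 took the `!Huntgroup-Name` branch, so the Ldap-Group checks inside `if (Huntgroup-Name == "list")` never ran and the default reply VLAN 249 went back instead of a group-specific one.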