On Friday 19 July 2013 16:29:57 Arran Cudbard-Bell wrote:
> On 19 Jul 2013, at 15:10, Dario Palmisano <dario.palmis...@icgeb.org> wrote:
> > On Friday 19 July 2013 15:49:55 Arran Cudbard-Bell wrote:
> >> On 19 Jul 2013, at 14:37, Dario Palmisano <dario.palmis...@icgeb.org> wrote:
> >>> Hello Everybody,
> >>>
> >>> I am configuring my freeradius to be integrated in the EDUROAM
> >>> federation. It works when the VLAN (as configured in the accesspoint)
> >>> is statically assigned.
> >>>
> >>> Now I would like to implement a "dynamic vlan assignment" on a per user
> >>> basis; in this case the Macintosh I am using for test gets
> >>> authenticated but is not able to get the ip address from DHCP (it shows
> >>> as 169.254.120.248), so remaining isolated.
> >>>
> >>> I carefully followed instructions (regarding the accesspoint and
> >>> freeradius) and searched the web for a possible reason, but
> >>> unsuccessfully.
> >>>
> >>> I am not sure the problem is not in the accesspoint configuration (a
> >>> CISCO AP1131AG), anyway the accesspoint receives the indication to use
> >>> the specified vlan.
> >>
> >> You want to post the contents of an Access-Accept so we can check you're
> >> sending the correct attributes
> >>
> >> Arran Cudbard-Bell <a.cudba...@freeradius.org>
> >> FreeRADIUS Development Team
> >>
> >> -
> >> List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >
> > Here you can download the (almost complete) debug log. Near the end I
> > added a text to make evident when I disconnected.
> >
> > http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en
>
> For everyone following along at home:
>
> Sending Access-Accept of id 189 to 172.16.254.45 port 1645
>         Tunnel-Type:0 := VLAN
>         Tunnel-Medium-Type:0 := IEEE-802
>         Tunnel-Private-Group-Id:0 := "220"
>         User-Name = "palmi"
>         MS-MPPE-Recv-Key = 0xf308f970d2507771e30d0f1cc87c6d35ab9a6c65b56dfec2141f50273d6045ff
>         MS-MPPE-Send-Key = 0xa68961323bdf00916cf8ee1043d99477eeaf6a46de78f1101234e9a8a5faf8e2
>         EAP-Message = 0x030a0004
>         Message-Authenticator = 0x00000000000000000000000000000000
>
> Which looks ok to me. I'm guessing VLAN 220 is actually configured on the
> NAS? Some also require you to send back 'Service-Type = Framed-User'.

Yes vlan 220 is assigned (statically) to "XXX-WPA" SSID.

If file users contains:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 218

and I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it does not work.
If I connect to SSID XXX-ER (assigned in accesspoint to vlan 218) it works.

If file users contains:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-Group-ID := 220

if I connect to SSID XXX-ER (assigned in accesspoint to vlan 218), it does not work,
if I connect to SSID XXX-WPA (assigned in accesspoint to vlan 220), it works.

Modifying users file as suggested:

palmi   Huntgroup-Name == "WIFI", Simultaneous-Use := 5, ICGEB-Eduroam-Enabled := Yes
        Service-Type := Framed-User, Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-ID := 220

did not change the result.

>
> Arran Cudbard-Bell <a.cudba...@freeradius.org>
> FreeRADIUS Development Team
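
Added example, not part of the original thread and not FreeRADIUS code: a Python check that a debug-mode Access-Accept carries the RFC 3580 VLAN attributes discussed above (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id under one tag), plus the optional Service-Type mentioned in the reply. The function name `check_vlan_reply` and the sample text (the thread's reply with the MPPE keys left out) are constructed for illustration.

```python
import re

# Constructed sample: the Access-Accept from the thread's debug output, keys omitted.
SAMPLE = '''Sending Access-Accept of id 189 to 172.16.254.45 port 1645
    Tunnel-Type:0 := VLAN
    Tunnel-Medium-Type:0 := IEEE-802
    Tunnel-Private-Group-Id:0 := "220"
    User-Name = "palmi"
    EAP-Message = 0x030a0004
'''

# "Name[:tag] op value" as printed by the server in debug mode.
ATTR = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*(?::=|\+=|==|=)\s*"?(.*?)"?\s*$')
# RFC 3580 VLAN assignment: accepted spellings (dictionary name or number).
WANT = {"tunnel-type": {"vlan", "13"}, "tunnel-medium-type": {"ieee-802", "6"}}
VLAN_ATTR = "tunnel-private-group-id"


def check_vlan_reply(debug_text):
    """Return (vlan_id or None, list of problems, list of notes)."""
    groups, other = {}, {}
    for line in debug_text.splitlines():
        m = ATTR.match(line)
        if not m:
            continue
        name, tag, value = m.group(1).lower(), int(m.group(2) or 0), m.group(3)
        if name.startswith("tunnel-"):
            groups.setdefault(tag, {})[name] = value  # tunnel attributes grouped by tag
        else:
            other[name] = value
    problems, notes, vlan = [], [], None
    if not groups:
        return None, ["no Tunnel-* attributes in the reply"], notes
    for tag, attrs in sorted(groups.items()):
        for name, ok in WANT.items():
            if attrs.get(name, "").lower() not in ok:
                problems.append("tag %d: %s is %r" % (tag, name, attrs.get(name)))
        vid = attrs.get(VLAN_ATTR)
        if vid is None:
            problems.append("tag %d: %s missing" % (tag, VLAN_ATTR))
        elif vid.isdigit() and not 1 <= int(vid) <= 4094:
            problems.append("tag %d: VLAN id %s outside 1-4094" % (tag, vid))
        elif not problems:
            vlan = vid
    if other.get("service-type", "").lower() != "framed-user":
        notes.append("Service-Type = Framed-User not sent (some NAS require it)")
    return vlan, problems, notes
```

A clean result only shows that the RADIUS side is sending a well-formed VLAN assignment; whether the NAS applies it is a separate check on the access point.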