Hi,

I'm in the process of attempting to move our 802.1x services off of an aging 
freeRADIUS (v1) server onto a newly built server running freeRADIUS v2.2

Tests so far with wireless clients using 802.1x PEAP/MS-CHAPv2 are working ok. 
Clients can authenticate (against AD) and be assigned the different vlans that 
I want them to be assigned. So the authentication, AD interaction & vlan 
assignment are all working as should be there.

However, we also use wired 802.1x on some of our HP 5406 switches. This 
currently works fine with the existing old freeRADIUS server, so the actual 
switch configs (I've tested more than one) must be ok. But I cannot get the 
switches to use the assigned vlan that the clients (who again use 
PEAP/MS-CHAPv2) are given with the new freeRADIUS server. I've not changed the 
vlans that are to be used, the only change is the switch now points to the new 
RADIUS server.

Running radiusd -X shows that the correct attributes are still being supplied 
early on in the authenticate process:
"Sending Access-Challenge of id 123 to x.x.x.x port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "resnet"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe74e7176e74c686cb9198540381901eb"

Note I've also tried the vlan id number as well as the name (although the name 
works fine in the old server, so should be fine here). Plus I've tried using 
Egress-VLANID or Egress-VLAN-Name, but it made no difference. Lastly, for 
testing purposes, if I insert the required attributes into the default 
post-auth then it all works and the wired client is assigned the correct vlan, 
so again the switch side must be ok and I also therefore presume all the 
dictionary entries are there as required. But I shouldn't need (or want) to do 
this.
i.e. in post-auth
        update reply {
                Tunnel-Type := "VLAN"
                Tunnel-Medium-Type := "IEEE-802"
                Tunnel-Private-Group-ID := "resnet"
        }

It's as though the attributes are being removed or ignored somewhere in the 
PEAP/inner-tunnel process (but that's just a guess).
What am I just not getting here? I'm sure it must be something simple but I 
can't see it.

Hopefully this sort of thing has been done enough times that someone out there 
has fallen into whatever trap I currently find myself in and can point me in 
the right direction I need to be looking. But if not, I can of course supply 
the output of radiusd -X and the switch debug if it's going to help any.

Thanks in advance,
Colin
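A small checker for this kind of debugging, added here as an example and not part of Colin's post: it walks `radiusd -X` output, groups attributes under each "Sending ..." line, and reports which packets carried the VLAN tunnel attributes. A switch only applies a VLAN from an Access-Accept, so the thing to confirm is that the attributes survive into the final Access-Accept and not just the Access-Challenge. The debug lines below are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed radiusd -X excerpt (not from the original post): the VLAN attributes
# are on the Access-Challenge but absent from the final Access-Accept.
SAMPLE_DEBUG = """\
Sending Access-Challenge of id 123 to 10.0.0.1 port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "resnet"
        EAP-Message = 0x010200061920
Finished request 0.
Sending Access-Accept of id 130 to 10.0.0.1 port 1812
        EAP-Message = 0x03090004
        User-Name = "student"
Finished request 7.
"""

VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")
SEND_RE = re.compile(r"^Sending (Access-\S+) of id (\d+) to (\S+) port (\d+)")
# "Name:tag = value"; the ":tag" suffix is optional.
ATTR_RE = re.compile(r"^\s+([\w-]+)(?::\d+)? = (.*)$")


def parse_sent_packets(debug: str) -> List[Dict]:
    """One dict per 'Sending ...' block: packet type, id and its attributes."""
    packets, current = [], None
    for line in debug.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = {"type": m.group(1), "id": int(m.group(2)), "attrs": {}}
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current["attrs"][m.group(1)] = m.group(2).strip('"')
        else:
            current = None  # any other line ends the attribute block
    return packets


def vlan_attribute_report(debug: str) -> Dict[str, List[str]]:
    """Map 'Type#id' to the VLAN attributes that packet carried (case-insensitive)."""
    report = {}
    for p in parse_sent_packets(debug):
        names = {k.lower() for k in p["attrs"]}
        report[f'{p["type"]}#{p["id"]}'] = [a for a in VLAN_ATTRS if a.lower() in names]
    return report


def accepts_missing_vlan(debug: str) -> List[int]:
    """Ids of Access-Accept packets with no Tunnel-Private-Group-Id: the ones to chase."""
    return [p["id"] for p in parse_sent_packets(debug) if p["type"] == "Access-Accept"
            and "tunnel-private-group-id" not in {k.lower() for k in p["attrs"]}]
```

Run it over a real capture with `vlan_attribute_report(open("debug.log").read())`; an Access-Accept listed by `accepts_missing_vlan` is the packet the switch saw without a VLAN.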


The University of Aberdeen is a charity registered in Scotland, No SC013683.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html