Hi,

What kind of switch are you using as authenticator? For example, with a Cisco CatOS switch the VLAN-ID is not accepted, you need to assign the VLAN-name instead. (Cisco IOS switches use the ID-number, as specified in the RADIUS usage guidelines for 802.1X.)
For the newer Cisco AP1200 APs, you also need a tag in the attribute - otherwise the VLAN-ID is not accepted at all and the user gets the default VLAN instead.


Regards,
Paul

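An added example, not code from this thread or from Radiator: it encodes the three RFC 2868/3580 tunnel attributes (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID) with the tag byte Paul mentions, and checks an Access-Accept attribute blob for a consistent, tagged VLAN trio, which is exactly what is absent from the trace quoted below. Attribute numbers and values are from the RFCs; the function names are my own.

```python
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN = (13).to_bytes(3, "big")      # RFC 3580: Tunnel-Type = VLAN
IEEE_802 = (6).to_bytes(3, "big")   # RFC 3580: Tunnel-Medium-Type = IEEE-802

def tunnel_avp(attr_type, tag, payload):
    """Encode one RFC 2868 tagged attribute: Type, Length, Tag, payload."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0 (untagged) or 1..31")
    body = bytes([tag]) + payload
    return struct.pack("!BB", attr_type, len(body) + 2) + body

def vlan_avps(vlan, tag=1):
    """VLAN trio for an 802.1X authenticator; vlan is an ID (IOS) or name (CatOS)."""
    return (tunnel_avp(TUNNEL_TYPE, tag, VLAN)
            + tunnel_avp(TUNNEL_MEDIUM_TYPE, tag, IEEE_802)
            + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, tag, vlan.encode()))

def parse_avps(data):
    """Split an attribute blob into (type, value), refusing truncated/short attrs."""
    out, i = [], 0
    while i < len(data):
        if i + 1 >= len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def split_tag(attr_type, value):
    """RFC 2868: a first byte of 0x00..0x1F is the tag; a larger first byte
    means untagged for string attributes and is invalid for integer ones."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return (0, value) if attr_type == TUNNEL_PRIVATE_GROUP_ID else (None, value)

def vlan_assignment(data):
    """Return (tag, vlan) if the Access-Accept carries a consistent VLAN trio
    under one tag, else None (the situation in the trace posted in the thread)."""
    by_tag = {}
    for t, v in parse_avps(data):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tag(t, v)
            if tag is not None:
                by_tag.setdefault(tag, {})[t] = val
    for tag, attrs in by_tag.items():
        if (attrs.get(TUNNEL_TYPE) == VLAN and attrs.get(TUNNEL_MEDIUM_TYPE) == IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return tag, attrs[TUNNEL_PRIVATE_GROUP_ID].decode()
    return None
```

A trio whose members carry different tags is reported as no assignment, since the authenticator groups tunnel attributes by tag.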
Arangeh, Dordaneh wrote:

Hello -
Thanks for your answer.
With the dictionary everything is fine. I activated a log file for the DB to
see whether it sends the desired attributes or not. The DB is sending them;
it is Radiator which is not passing them on to the client. I tested
my DB by means of radpwtst with all three options (-mschap, -mschap2 and
-eapmd5). In all three cases, the three attributes are sent correctly.
Unfortunately I have no option to test the thing with radpwtst and PEAP
because there is no possibility to check radpwtst with PEAP, and PEAP is
the only option one can use for 802.1x authentication, or am I wrong in
this? Please correct me if it is so.
Any further tip on what the 802.1x authentication problem could be?

Thanking you in advance

-----Original Message-----
From: Hugh Irvine [mailto:[EMAIL PROTECTED]
Sent: Saturday, 13 September 2003 09:26
To: Arangeh, Dordaneh
Cc: [EMAIL PROTECTED]
Subject: Re: (RADIATOR) 802.1x and vlan assignment

Hello -

You should check your Radiator dictionary to make sure the attributes you are using are defined (they are in the standard Radiator 3.6 dictionary).

The trace debug doesn't show the reply attributes at all, so I suspect there is a problem with the database response.

regards

Hugh

On Friday, Sep 12, 2003, at 23:19 Australia/Melbourne, Dordaneh Arangeh wrote:
Hello everybody,
I have configured the cfg file for Radiator for authenticating with
EAP-PEAP. Furthermore I have added a part under AuthBy PLSQL, so that
Radiator sends three attributes (VLAN identity) to the client. The cfg
file is included at the end of the message. The client is a Windows 2000
one, and the authentication part of its LAN connection is configured to use
EAP-PEAP. When the PC is connected to the switch (which is naturally
configured for 802.1x), it sends an access request to Radiator and
everything is fine. The client is authenticated.
Problems:

1. The VLAN assignment doesn't work. The three attributes which are
defined to be returned by Radiator (Tunnel-Type = VLAN, Tunnel-Medium-Type =
802, Tunnel-Private-Group-ID = xxxxxxx) are not returned. Instead of
these attributes I see the following strings in the trace: (xxxxxx is what I
put for the sake of having a shorter email!!)

..........
Code:       Access-Accept
Identifier: 235
Authentic:  <3>&<10><190><4><1><3><203><10><23>%e%<128><9><199>
Attributes:
       MS-MPPE-Send-Key = "xxxxxxxx"
       MS-MPPE-Recv-Key = xxxxxxxxxx
      EAP-Message = <3><10><0><4>
       Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

..................

So the vlan assignment is not done.

2. Windows on the client side is saving the username and password
somewhere and one cannot change it any more. It means I cannot try
with any other username!!

3. The client is periodically sending an access request with a very funny
username which I never configured anywhere. Something like:
User-Name = "azbycx" and then it starts an Access-Challenge and
remains there, neither reject nor accept.


Thanking you in advance for helps and tips.


Dordaneh
--------------------------------------------
cfg File
--------------------------------------------
Foreground
LogStdout
LogDir          .
DbDir            .
Trace           4
<Client DEFAULT>
       Secret  xxxxxxx
       DupInterval 0
</Client>
<Handler TunnelledByPEAP=1>
<AuthBy PLSQL>
       NoDefault
       DBSource        dbi:Oracle:xx.xxxx
       DBUsername      xxxx
       DBAuth          xxxx

       # Authentication
       AuthBlock       BEGIN \
                          NETngRadius.getUserData('%n',:passwd,:reply_item);\
                       END;

       AuthParamDef    :passwd,        User-Password,  check
       AuthParamDef    :reply_item,    GENERIC,        reply
</AuthBy>
</Handler>

<Handler>
<AuthBy PLSQL>
       NoDefault
       DBSource        dbi:Oracle:xx.xxxxx
       DBUsername      xxxxx
       DBAuth          xxxxx

       # Authentication
       AuthBlock       BEGIN \
                          NETngRadius.getUserData('%n',:passwd,:reply_item);\
                       END;

       AuthParamDef    :passwd,        User-Password,  check
       AuthParamDef    :reply_item,    GENERIC,        reply
               EAPType PEAP
               EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
               EAPTLS_CertificateFile %D/certificates/cert-srv.pem
               EAPTLS_CertificateType PEM
               EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
               EAPTLS_PrivateKeyPassword whatever
               EAPTLS_MaxFragmentSize 1024
              AutoMPPEKeys

               SSLeayTrace 4
       </AuthBy>
</Handler>


=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?