Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

[Sami Keski-Kasari]

Hello Roberto,

The RFC2868 defines that tunnel attributes includes Tag field before
value. Some NASes are needing that it is defined and some not.

Try for example with

mikem2  User-Password=fred
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID = 0:<vlan-id>,
        Tunnel-Medium-Type = 0:802,
        Tunnel-Type = 0:VLAN

or
mikem2  User-Password=fred
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID = 1:<vlan-id>,
        Tunnel-Medium-Type = 1:802,
        Tunnel-Type = 1:VLAN


Best Regards,
 Sami

On 03/26/2014 08:16 PM, Roberto Pantoja wrote:
> Thank you for your promptly answer, but I have the same effect if I put
> the VLAN name or numeric ID. Do you have any other idea that can help me
> to resolve this problem.
> 
> Best regards.
> 
> On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
>> On 2014-03-26 18:40, Roberto Pantoja wrote:
>>> I have a problem trying to assign dynamic VLANs to users on a 
>>> WPA2-Enterprise configuration. Users have successful authentication
>>> and if I don't send the Radius Attribute "Tunnel-Private-Group-ID"
>>> The Wireless Controller connects me to the default VLan for the SSID,
>>> but when I send "Tunnel-Private-Group-ID", the Wireless Controller
>>> simply drops out my connection. The Wireless controller documentation
>>> says the required attributes in the Access-Accept Reply are
>>> "Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
>>> Tunnel-Private-Group-ID=<Name of VLAN>".  Everything works fine using
>>> Ignition Server (Avaya's Radius Server). But on product's
>>> documentation says WC8180 comply with RFC Standards and mentions to
>>> be "compatible and validated" with freeradius and Microsoft IAS, so I
>>> think my case is a configuration issue.
>>>
>>> Regards.
>>>
>>> Radiator Version: 4.12.1
>>> Wireless Controller: AVAYA WC8180
>>> Wireless Access Points: AVAYA AP8120
>>>
>>> Config file:
>>> *** Config File ***
>>> # radius.cfg
>>>
>>> Foreground
>>> LogStdout
>>> LogDir          /var/log/radius
>>> LogFile         %L/logfile.%Y.%m.%d
>>> DbDir           /etc/radiator
>>> # User a lower trace level in production systems:
>>> Trace           4
>>> AuthPort 1812
>>> AcctPort 1813
>>>
>>> <Client 10.0.30.254>
>>>         Secret verysecret
>>>         PacketTrace
>>>         Identifier Avaya WC8180
>>> </Client>
>>>
>>> <Handler TunnelledByPEAP=1>
>>>         <AuthBy FILE>
>>>                 Filename %D/users
>>>                 EAPType MSCHAP-V2
>>>         </AuthBy>
>>> </Handler>
>>>
>>> <Handler>
>>>         <AuthBy FILE>
>>>                 Filename %D/users
>>>                 EAPType PEAP
>>>                 EAPTLS_CAFile %D/certificates/cacert.pem
>>> #               EAPTLS_CAPath
>>>                 EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>>>                 EAPTLS_CertificateType PEM
>>>                 EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>>>                 EAPTLS_PrivateKeyPassword verysecret
>>> #               EAPTLS_RandomFile %D/certificates/random
>>>                 EAPTLS_MaxFragmentSize 1024
>>> #               EAPTLS_DHFile %D/certificates/cert/dh
>>>                 #EAPTLS_CRLCheck
>>>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>>>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>>>                 AutoMPPEKeys
>>>                 #EAPTLS_SessionResumption 0
>>>                 #EAPTLS_SessionResumptionLimit 10
>>>                 ####EAPAnonymous anonymous@localhost
>>>                 EAPTLS_PEAPVersion 0
>>>                 EAPTTLS_NoAckRequired
>>>         </AuthBy>
>>> </Handler>
>>> *** EOF Config File ***
>>>
>>>
>>> Users file:
>>> mikem user without VLAN default VLAN - Quarantine - no IP address
>>> mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
>>> mikem2 user with VLAN ATI - IP address range 10.0.19.0/24
>>> *** Users file ***
>>> # users
>>> # This is an example of how to set up simple user for
>>> # AuthBy FILE.
>>> # The example user mikem has a password of fred, and will
>>> # receive reply attributes suitable for most NASs.
>>> # You can do many more interesting things. See the Radiator reference
>>> # manual for more details
>>> #
>>> # You can test this user with the command
>>> #  perl radpwtst
>>>
>>> mikem   User-Password=fred
>>>         Service-Type = Framed-User,
>>>         Tunnel-Medium-Type = 802,
>>>         Tunnel-Type = VLAN
>>>
>>> mikem1  User-Password=fred
>>>         Service-Type = Framed-User,
>>>         Tunnel-Private-Group-ID = Empleados,
>>>         Tunnel-Medium-Type = 802,
>>>         Tunnel-Type = VLAN
>>>
>>> mikem2  User-Password=fred
>>>         Service-Type = Framed-User,
>>>         Tunnel-Private-Group-ID = ATI,
>>>         Tunnel-Medium-Type = 802,
>>>         Tunnel-Type = VLAN
>>>
>>> *** EOF users file ***
>>
>> We're doing that with Cisco WLCs without problems but in our case by
>> sending the VLAN ID, not its name like for wired dot1x where Cisco IOS
>> switches want the VLAN name:
>>
>> AddToReply Tunnel-Type=VLAN,\
>>                Tunnel-Medium-Type=802, \
>>                Tunnel-Private-Group-ID=123
>>
>>> -- 
>>> ---------------------------------------
>>> Roberto Carlos Pantoja Valdizón
>>> Analista de Sistemas
>>> ATI/GDEI/LaGeo
>>>
>>>
>>> This message has been scanned for malware by Websense.
>>> www.websense.com <http://www.websense.com/>
>>>
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>> Handelsgericht Wien, FN 79340b
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>> Notice: This e-mail contains information that is confidential and may
>> be privileged.
>> If you are not the intended recipient, please notify the sender and then
>> delete this e-mail immediately.
>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>
>>
>> Click here
>> <https://www.mailcontrol.com/sr/X7j9AwsBAS3GX2PQPOmvUmkxeMeR4%21FmwYL%21b%21gsSiAI7lo7et4NX6Fo9FCU0sXr2U9s6bVQO2bgE3KctAewCA==>
>> to report this email as spam.
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 
> 
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
> 


-- 
Sami Keski-Kasari <sam...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator