(RADIATOR) 802.1x and vlan assignment

Hugh Irvine hugh at open.com.au
Sat Sep 13 02:25:51 CDT 2003


Hello -

You should check your Radiator dictionary to make sure the attributes 
you are using are defined (they are in the standard Radiator 3.6 
dictionary).

The trace debug doesn't show the reply attributes at all, so I suspect 
there is a problem with the database response.

regards

Hugh


On Friday, Sep 12, 2003, at 23:19 Australia/Melbourne, Dordaneh Arangeh 
wrote:

> Hello everybody,
> I have configured the cfg file for radiator for authenticating with
> eap-peap. Furthermore I have added a part under auth PLsql, so as the
> radiator sends three attributes (Vlan identity) to the client. cfg file
> is included at the end of the message.  The client is a Windows2000 one
> and the authentication part of its LAN connection is configured to use
> EAP-PEAP. When the PC is connected to the Switch (which is naturally
> configured for 802.1x) , it sends access request to the radiator and
> every thing is fine. Client is authenticated.
> Problems:
>
> 1. The vlan assignment doesn't work. Three attributes which are defined
> to be returned by radiator (Tunnel-Type = VLAN , Tunnel-Medium-Type =
> 802 ,Tunnel-Private-Group-ID = xxxxxxx) , are not returned. Instead of
> these attributes I see in the trace following strings: (xxxxxx is what 
> I
> put for the sake of having shorter email!!)
>
> ..........
> Code:       Access-Accept
> Identifier: 235
> Authentic:  <3>&<10><190><4><1><3><203><10><23>%e%<128><9><199>
> Attributes:
>         MS-MPPE-Send-Key = "xxxxxxxx"
>         MS-MPPE-Recv-Key = xxxxxxxxxx
>        EAP-Message = <3><10><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> ..................
>
> So the vlan assignment is not done.
>
> 2. The windows in the client side is saving the username and password
> somewhere and one can not change it any more . It means I can not try
> with any other username !!
>
> 3. Client is sending priodically an access request with a very funny
> username which I never anywhere configured. Some thing like:
>  User-Name = "azbycx" and then starts for Access chanllenge and remains
> there, neither reject nor accept.
>
>
> Thanking you in advance for helps and tips.
>
> Dordaneh
> --------------------------------------------
> cfg File
> --------------------------------------------
> Foreground
> LogStdout
> LogDir          .
> DbDir            .
> Trace           4
> <Client DEFAULT>
>         Secret  xxxxxxx
>         DupInterval 0
> </Client>
> <Handler TunnelledByPEAP=1>
> <AuthBy PLSQL>
>         NoDefault
>         DBSource        dbi:Oracle:xx.xxxx
>         DBUxsername      xxxx
>         DBAuth          xxxx
>
>         # Authentication
>         AuthBlock       BEGIN \
>                            NETngRadius.getUserData
> ('%n',:passwd,:reply_item);\
>                         END;
>
>
>         AuthParamDef    :passwd,        User-Password,  check
>         AuthParamDef    :reply_item,    GENERIC,        reply
>         </AuthBy>
> </Handler>
>
> <Handler>
> <AuthBy PLSQL>
>         NoDefault
>         DBSource        dbi:Oracle:xx.xxxxx
>         DBUsername      xxxxx
>         DBAuth          xxxxx
>
>         # Authentication
>         AuthBlock       BEGIN \
>                            NETngRadius.getUserData
> ('%n',:passwd,:reply_item);\
>                         END;
>
>         AuthParamDef    :passwd,        User-Password,  check
>         AuthParamDef    :reply_item,    GENERIC,        reply
>                 EAPType PEAP
>                 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>                 EAPTLS_CertificateType PEM
>                 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>                 EAPTLS_PrivateKeyPassword whatever
>                 EAPTLS_MaxFragmentSize 1024
>                AutoMPPEKeys
>
>                 SSLeayTrace 4
>         </AuthBy>
> </Handler>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list