(RADIATOR) 802.1x and vlan assignment

Paul Dekkers Paul.Dekkers at surfnet.nl
Mon Sep 15 05:16:20 CDT 2003


Hi,

What kind of switch are you using as authenticator? For example, with a 
Cisco CatOS switch the VLAN-ID is not accepted, you need to assign the 
VLAN-name instead. (Cisco IOS switches use the ID number, as specified in 
the RADIUS usage guidelines for 802.1X.)
For the newer Cisco AP1200 APs, you also need a tag in the attribute - 
otherwise the VLAN-ID is not accepted at all and the user gets the 
default VLAN instead.

Regards,
Paul
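The attributes Paul is talking about are the RFC 3580 VLAN triple (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN), each of which is an RFC 2868 tagged attribute. The example below is added here and is not Radiator code or anything from the thread: it encodes the three AVPs exactly as they go on the wire, so you can see what differs between "VLAN-ID 100" (IOS), "VLAN-name students" (CatOS) and a tagged variant (what the AP1200 wants), and it decodes them back as a check. The attribute numbers and value codes are from the RFCs; the function names and the sample VLANs are mine.

```python
"""Encode and decode the RFC 3580 VLAN-assignment attributes.

Added example, not from the Radiator thread.  Builds Tunnel-Type (64),
Tunnel-Medium-Type (65) and Tunnel-Private-Group-ID (81) as raw RADIUS
AVPs (RFC 2865 framing, RFC 2868 tag field) so the bytes the switch or
AP actually receives are visible.  Sample VLAN values are constructed.
"""
import struct

TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 section 3.2


def _avp(attr_type: int, value: bytes) -> bytes:
    # RFC 2865 AVP: Type(1) Length(1, header included) Value.
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("BB", attr_type, len(value) + 2) + value


def tagged_integer(attr_type: int, tag: int, value: int) -> bytes:
    # RFC 2868 tagged integer: Tag(1) + 3-byte big-endian value.
    # Tag 0 means "untagged"; 0x01..0x1F are real tags.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value must fit in 24 bits")
    return _avp(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type: int, tag: int, value: str) -> bytes:
    # RFC 2868 tagged string: Tag(1) + string.  With tag 0 the tag byte is
    # omitted; a first byte above 0x1F is read as data, not as a tag.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    data = value.encode("ascii")
    if tag:
        data = bytes([tag]) + data
    return _avp(attr_type, data)


def vlan_attributes(vlan, tag: int = 0) -> bytes:
    """Return the three VLAN AVPs for an Access-Accept.

    vlan: an int (VLAN-ID, what Cisco IOS expects) or a str (VLAN name,
    what Cisco CatOS expects).  tag: 0 for untagged, 1..31 when the NAS
    (e.g. the AP1200 case above) insists on a tag.
    """
    group = str(vlan)
    return (tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
            + tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
            + tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group))


def parse_avps(data: bytes) -> list:
    """Decode AVPs back into (type, tag, value) triples, applying the
    RFC 2868 tag rules, as a check on what the NAS will see."""
    out = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated AVP header")
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed AVP length")
        v = data[i + 2:i + l]
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out.append((t, v[0], int.from_bytes(v[1:], "big")))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            if v and v[0] <= 0x1F:
                out.append((t, v[0], v[1:].decode("ascii")))
            else:
                out.append((t, 0, v.decode("ascii")))
        else:
            out.append((t, None, v))
        i += l
    return out


if __name__ == "__main__":
    # Constructed examples: IOS-style numeric ID, CatOS-style name, tagged.
    for label, raw in (("IOS, VLAN-ID 100", vlan_attributes(100)),
                       ("CatOS, VLAN name students", vlan_attributes("students")),
                       ("tagged (tag 1), VLAN-ID 100", vlan_attributes(100, tag=1))):
        print(label, raw.hex(" "), parse_avps(raw), sep="\n  ")
```

Comparing the decoded triples for the numeric and the name form makes the CatOS/IOS difference concrete: both are the same Tunnel-Private-Group-ID string attribute, the switch just interprets the string differently. Note also that a tag byte of 0x01 in front of "100" is what distinguishes the tagged form; an untagged Tunnel-Private-Group-ID beginning with a digit is safe because "0" is 0x30, above the 0x1F tag limit.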

Arangeh, Dordaneh wrote:

>Hello -
>Thanks for your answer.
>With the dictionary everything is fine. I activated a log file for the DB to
>see whether it sends the desired attributes or not. The DB is sending them;
>it is Radiator which is not passing them on to the client. I tested
>my DB by means of radpwtst with all three options (-mschap, -mschap2 and
>-eapmd5). In all three cases, the three attributes are sent correctly.
>Unfortunately I have no option to test the thing with radpwtst and PEAP
>because there is no possibility to check radpwtst with PEAP, and PEAP is
>the only option one can use for 802.1x authentication, or am I wrong in
>this? Please correct me if it is so.
>Any further tip on what the 802.1x authentication problem could be?
>
>Thanking you in advance
>
>-----Original Message-----
>From: Hugh Irvine [mailto:hugh at open.com.au] 
>Sent: Samstag, 13. September 2003 09:26
>To: Arangeh, Dordaneh
>Cc: radiator at open.com.au
>Subject: Re: (RADIATOR) 802.1x and vlan assignment
>
>
>Hello -
>
>You should check your Radiator dictionary to make sure the attributes 
>you are using are defined (they are in the standard Radiator 3.6 
>dictionary).
>
>The trace debug doesn't show the reply attributes at all, so I suspect 
>there is a problem with the database response.
>
>regards
>
>Hugh
>
>
>On Friday, Sep 12, 2003, at 23:19 Australia/Melbourne, Dordaneh Arangeh 
>wrote:
>
>>Hello everybody,
>>I have configured the cfg file for Radiator for authenticating with
>>EAP-PEAP. Furthermore I have added a part under AuthBy PLSQL, so that
>>Radiator sends three attributes (VLAN identity) to the client. The cfg file
>>is included at the end of the message. The client is a Windows 2000 one
>>and the authentication part of its LAN connection is configured to use
>>EAP-PEAP. When the PC is connected to the switch (which is naturally
>>configured for 802.1x), it sends an access request to Radiator and
>>everything is fine. The client is authenticated.
>>Problems:
>>
>>1. The VLAN assignment doesn't work. The three attributes which are defined
>>to be returned by Radiator (Tunnel-Type = VLAN, Tunnel-Medium-Type =
>>802, Tunnel-Private-Group-ID = xxxxxxx) are not returned. Instead of
>>these attributes I see the following strings in the trace (xxxxxx is what I
>>put for the sake of having a shorter email!!)
>>
>>..........
>>Code:       Access-Accept
>>Identifier: 235
>>Authentic:  <3>&<10><190><4><1><3><203><10><23>%e%<128><9><199>
>>Attributes:
>>        MS-MPPE-Send-Key = "xxxxxxxx"
>>        MS-MPPE-Recv-Key = xxxxxxxxxx
>>        EAP-Message = <3><10><0><4>
>>        Message-Authenticator =
>><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>..................
>>
>>So the VLAN assignment is not done.
>>
>>2. Windows on the client side is saving the username and password
>>somewhere and one cannot change it any more. This means I cannot try
>>with any other username!!
>>
>>3. The client is periodically sending an access request with a very funny
>>username which I never configured anywhere. Something like:
>> User-Name = "azbycx" and then it starts with Access-Challenge and remains
>>there, neither rejected nor accepted.
>>
>>
>>Thanking you in advance for helps and tips.
>>
>>Dordaneh
>>--------------------------------------------
>>cfg File
>>--------------------------------------------
>>Foreground
>>LogStdout
>>LogDir          .
>>DbDir           .
>>Trace           4
>><Client DEFAULT>
>>        Secret  xxxxxxx
>>        DupInterval 0
>></Client>
>><Handler TunnelledByPEAP=1>
>><AuthBy PLSQL>
>>        NoDefault
>>        DBSource        dbi:Oracle:xx.xxxx
>>        DBUsername      xxxx
>>        DBAuth          xxxx
>>
>>        # Authentication
>>        AuthBlock       BEGIN \
>>                           NETngRadius.getUserData('%n',:passwd,:reply_item);\
>>                        END;
>>
>>        AuthParamDef    :passwd,        User-Password,  check
>>        AuthParamDef    :reply_item,    GENERIC,        reply
>></AuthBy>
>></Handler>
>>
>><Handler>
>><AuthBy PLSQL>
>>        NoDefault
>>        DBSource        dbi:Oracle:xx.xxxxx
>>        DBUsername      xxxxx
>>        DBAuth          xxxxx
>>
>>        # Authentication
>>        AuthBlock       BEGIN \
>>                           NETngRadius.getUserData('%n',:passwd,:reply_item);\
>>                        END;
>>
>>        AuthParamDef    :passwd,        User-Password,  check
>>        AuthParamDef    :reply_item,    GENERIC,        reply
>>        EAPType PEAP
>>        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>        EAPTLS_CertificateType PEM
>>        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>        EAPTLS_PrivateKeyPassword whatever
>>        EAPTLS_MaxFragmentSize 1024
>>        AutoMPPEKeys
>>
>>        SSLeayTrace 4
>></AuthBy>
>></Handler>
>>
>>
>>===
>>Archive at http://www.open.com.au/archives/radiator/
>>Announcements on radiator-announce at open.com.au
>>To unsubscribe, email 'majordomo at open.com.au' with
>>'unsubscribe radiator' in the body of the message.
>>
>
>NB: have you included a copy of your configuration file (no secrets),
>together with a trace 4 debug showing what is happening?
>

