(RADIATOR) 802.1x and vlan assignment
Arangeh, Dordaneh
dordaneh.arangeh at id.ethz.ch
Mon Sep 15 05:37:46 CDT 2003
Hi Paul,
We use a CatOS 4006 and I am aware of the type of attribute the switch
accepts. Indeed, we have tested this switch with Cisco's ACS software
and it works well. Now we are trying to get the same result with
Radiator, and so far no success.
Regards
Dordaneh
-----Original Message-----
From: Paul Dekkers [mailto:Paul.Dekkers at surfnet.nl]
Sent: Monday, 15 September 2003 12:16
To: Arangeh, Dordaneh
Cc: Hugh Irvine; radiator at open.com.au
Subject: Re: (RADIATOR) 802.1x and vlan assignment
Hi,
What kind of switch are you using as authenticator? For example, with a
Cisco CatOS switch the VLAN-ID is not accepted; you need to assign the
VLAN-name instead. (Cisco IOS switches use the ID-number, as specified in
the RADIUS usage guidelines for 802.1X.)
For the newer Cisco AP1200 APs, you also need a tag in the attribute -
otherwise the VLAN-ID is not accepted at all and the user gets the
default VLAN instead.
Regards,
Paul
Arangeh, Dordaneh wrote:
>Hello -
>Thanks for your answer.
>With the dictionary everything is fine. I activated a log file for the DB to
>see whether it sends the desired attributes or not. The DB is sending them;
>it is Radiator which is not passing them on to the client. I tested
>my DB by means of radpwtst with all three options (-mschap, -mschap2 and
>-eapmd5). In all three cases, the three attributes are sent correctly.
>Unfortunately I have no option to test the thing with radpwtst and PEAP,
>because there is no possibility to check radpwtst with PEAP, and PEAP is
>the only option one can use for 802.1x authentication, or am I wrong in
>this? Please correct me if it is so.
>Any further tip what the 802.1x authentication problem could be?
>
>Thanking you in advance
>
>-----Original Message-----
>From: Hugh Irvine [mailto:hugh at open.com.au]
>Sent: Saturday, 13 September 2003 09:26
>To: Arangeh, Dordaneh
>Cc: radiator at open.com.au
>Subject: Re: (RADIATOR) 802.1x and vlan assignment
>
>
>Hello -
>
>You should check your Radiator dictionary to make sure the attributes
>you are using are defined (they are in the standard Radiator 3.6
>dictionary).
>
>The trace debug doesn't show the reply attributes at all, so I suspect
>there is a problem with the database response.
>
>regards
>
>Hugh
>
>
>On Friday, Sep 12, 2003, at 23:19 Australia/Melbourne, Dordaneh Arangeh
>wrote:
>
>>Hello everybody,
>>I have configured the cfg file for Radiator for authenticating with
>>EAP-PEAP. Furthermore I have added a part under AuthBy PLSQL, so that
>>Radiator sends three attributes (VLAN identity) to the client. The cfg file
>>is included at the end of the message. The client is a Windows 2000 one
>>and the authentication part of its LAN connection is configured to use
>>EAP-PEAP. When the PC is connected to the switch (which is naturally
>>configured for 802.1x), it sends an access request to Radiator and
>>everything is fine. The client is authenticated.
>>Problems:
>>
>>1. The VLAN assignment doesn't work. The three attributes which are
>>defined to be returned by Radiator (Tunnel-Type = VLAN, Tunnel-Medium-Type =
>>802, Tunnel-Private-Group-ID = xxxxxxx) are not returned. Instead of
>>these attributes I see the following strings in the trace: (xxxxxx is what I
>>put for the sake of having a shorter email!!)
>>
>>..........
>>Code: Access-Accept
>>Identifier: 235
>>Authentic: <3>&<10><190><4><1><3><203><10><23>%e%<128><9><199>
>>Attributes:
>> MS-MPPE-Send-Key = "xxxxxxxx"
>> MS-MPPE-Recv-Key = xxxxxxxxxx
>> EAP-Message = <3><10><0><4>
>> Message-Authenticator =
>><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>>..................
>>
>>So the VLAN assignment is not done.
>>
>>2. Windows on the client side is saving the username and password
>>somewhere and one cannot change it any more. It means I cannot try
>>with any other username!!
>>
>>3. The client is periodically sending an access request with a very funny
>>username which I never configured anywhere. Something like:
>> User-Name = "azbycx" and then starts an Access-Challenge and remains
>>there, neither reject nor accept.
>>
>>
>>Thanking you in advance for help and tips.
>>
>>Dordaneh
>>--------------------------------------------
>>cfg File
>>--------------------------------------------
>>Foreground
>>LogStdout
>>LogDir .
>>DbDir .
>>Trace 4
>><Client DEFAULT>
>>    Secret xxxxxxx
>>    DupInterval 0
>></Client>
>>
>># Inner (tunnelled) authentication: looks the user up in Oracle and
>># takes the reply items from the database
>><Handler TunnelledByPEAP=1>
>>    <AuthBy PLSQL>
>>        NoDefault
>>        DBSource dbi:Oracle:xx.xxxx
>>        DBUsername xxxx
>>        DBAuth xxxx
>>
>>        # Authentication
>>        AuthBlock BEGIN \
>>            NETngRadius.getUserData('%n',:passwd,:reply_item);\
>>        END;
>>
>>        AuthParamDef :passwd, User-Password, check
>>        AuthParamDef :reply_item, GENERIC, reply
>>    </AuthBy>
>></Handler>
>>
>># Outer authentication: terminates the PEAP/TLS tunnel
>><Handler>
>>    <AuthBy PLSQL>
>>        NoDefault
>>        DBSource dbi:Oracle:xx.xxxxx
>>        DBUsername xxxxx
>>        DBAuth xxxxx
>>
>>        # Authentication
>>        AuthBlock BEGIN \
>>            NETngRadius.getUserData('%n',:passwd,:reply_item);\
>>        END;
>>
>>        AuthParamDef :passwd, User-Password, check
>>        AuthParamDef :reply_item, GENERIC, reply
>>        EAPType PEAP
>>        EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>>        EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>>        EAPTLS_CertificateType PEM
>>        EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>>        EAPTLS_PrivateKeyPassword whatever
>>        EAPTLS_MaxFragmentSize 1024
>>        AutoMPPEKeys
>>
>>        SSLeayTrace 4
>>    </AuthBy>
>></Handler>
>
>NB: have you included a copy of your configuration file (no secrets),
>together with a trace 4 debug showing what is happening?
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
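The attributes under discussion are the RFC 2868 tunnel attributes that RFC 3580 reuses for VLAN assignment, and two points in the thread turn on their wire format: Paul's remark that the AP1200 needs a tag in the attribute while CatOS wants a VLAN name and IOS a VLAN id, and Hugh's observation that the Access-Accept in the trace carries no tunnel attributes at all. The following Python is an added example, not Radiator code or anything posted in the thread: it encodes the three attributes tagged or untagged, decodes a run of attributes back, and checks whether a reply actually contains a complete, consistently tagged VLAN assignment. Attribute numbers and enumerated values are the RFC ones; the VLAN names and ids are constructed sample values.

```python
"""Encode/decode the RFC 2868 tunnel attributes used for 802.1X VLAN
assignment (RFC 3580), tagged or untagged, and check an Access-Accept
attribute list for a complete assignment.  Sample values are constructed."""
import struct

TUNNEL_TYPE = 64                  # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65           # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81      # RFC 2868 section 3.6
TUNNEL_TYPE_VLAN = 13             # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6        # RFC 2868 section 3.2


def _tlv(attr_type, value):
    """RADIUS Type/Length/Value; Length counts the two header bytes too."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _check_tag(tag):
    # 0x00 means "untagged"; 0x01..0x1F groups attributes of one tunnel.
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (untagged) or 0x01-0x1F")


def tagged_integer(attr_type, tag, value):
    """Tag byte followed by a 3-byte big-endian integer (Tunnel-Type etc.)."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("tagged integer must fit in 24 bits")
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(attr_type, tag, text):
    """Tag byte followed by an opaque string (Tunnel-Private-Group-ID)."""
    _check_tag(tag)
    return _tlv(attr_type, bytes([tag]) + text.encode("ascii"))


def vlan_assignment(group_id, tag=1):
    """The three reply attributes for a VLAN assignment.

    group_id is the VLAN name (what the thread says CatOS expects) or the
    numeric VLAN id as a decimal string (what IOS expects); on the wire it
    is a string either way.  tag=1 gives the tagged form the thread says
    the AP1200 needs; tag=0 gives the untagged form.
    """
    return [
        tagged_integer(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN),
        tagged_integer(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id),
    ]


def parse_attributes(blob):
    """Decode a run of RADIUS attributes into (type, tag, value) tuples.

    Unknown types come back as (type, None, raw_bytes).  For the string
    attribute a first byte above 0x1F is data, not a tag (RFC 2868 3.6),
    so an old-style untagged value still decodes correctly.
    """
    decoded, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[i + 2:i + length]
        i += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("tagged integer attribute must be 4 bytes")
            decoded.append((attr_type, value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                decoded.append((attr_type, value[0], value[1:].decode("ascii")))
            else:
                decoded.append((attr_type, 0, value.decode("ascii")))
        else:
            decoded.append((attr_type, None, value))
    return decoded


def vlan_assignment_complete(decoded):
    """True when all three tunnel attributes are present, share one tag and
    say VLAN over IEEE 802.  The Access-Accept shown in the thread (MPPE
    keys, EAP-Message, Message-Authenticator only) fails this check."""
    wanted = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    by_type = {t: (tag, v) for t, tag, v in decoded if t in wanted}
    if len(by_type) != 3:
        return False
    if len({tag for tag, _ in by_type.values()}) != 1:
        return False
    return (by_type[TUNNEL_TYPE][1] == TUNNEL_TYPE_VLAN
            and by_type[TUNNEL_MEDIUM_TYPE][1] == TUNNEL_MEDIUM_IEEE_802)


if __name__ == "__main__":
    for attr in vlan_assignment("students", tag=1):   # constructed VLAN name
        print(attr.hex())
    print(parse_attributes(b"".join(vlan_assignment("100"))))  # constructed id
```

The `vlan_assignment_complete` check is the one worth running against a captured Access-Accept: it distinguishes "attributes missing entirely" (the situation in the trace above, which points at the reply-item path rather than at the switch) from "attributes present but inconsistently tagged", which a switch or AP that insists on tags will silently ignore and fall back to the default VLAN.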