(RADIATOR) VLANs ? Anyone got this working ?!

Terry Simons galimore at mac.com
Wed Jun 2 12:46:20 CDT 2004


Hi again Jon,

On Jun 2, 2004, at 2:30 AM, Dunster, Jon wrote:

> What I'm trying to do :-
>
> WiFi clients using 802.1x talk through a VLAN enabled access point to
> radiator.  Radiator configured for several sources of authentication.
> Dependent on which of the sources of authentication succeed an 
> attribute is
> returned to the access point to set the WiFi client to an appropriate 
> VLAN.
>
> Problems I have so far :-
>
> - It doesn't appear that Radiator can return attributes for the 
> 'inner' user
> (ie. the one you actually want!)

Radiator can do what you want.

What EAP type are you using?  (I'd wager TTLS or PEAP since you're 
using a tunneled type.)

We had a couple of demos set up at Interop that would assign a VLAN 
based on username, and Radiator was one of the servers that was used.

> - Tom suggests that my Access Point needs to support 'dynamic vlans' 
> to be
> able to reassign the client to the appropriate vlan.

Definitely.  The AP 2000 isn't going to cut it for that.

> - I've configured Radiator so that the inner request is forwarded to 
> another
> (non EAP capable) radius server but it only sees 'anonymous'

It doesn't sound like you have things configured correctly.  ;-)

You need to set up a TunnelledByTTLS or TunnelledByPEAP handler in 
order to get the desired functionality.

Here's an example TunnelledByPEAP handler:

# Inner handler: only requests decrypted from inside the PEAP tunnel
# land here, so %U is the real (inner) user name.
<Handler TunnelledByPEAP=1>
    # Strip any @realm so only the bare user name is looked up
    RewriteUsername s/^([^@]+).*/$1/

    <AuthBy FILE>
        RewriteUsername s/^([^@]+).*/$1/

        Filename %D/users
        EAPType MSCHAP-V2
    </AuthBy>
</Handler>


In this handler, use an AuthBy RADIUS to forward the inner type to 
another server.

I think you'll also need to use:

EAPAnonymous %0

in your default handler.

>
> So has anyone got this kind of thing already functioning (please 
> describe
> what make/revision AP's etc.) or any hints or help.

Certainly.

You'll definitely want to check out the Networld + Interop iLabs white 
papers from this year.

The following one is probably most relevant, since it talks about the 
test results and caveats we ran into:

http://www.ilabs.interop.net/LANSec/papers/08_ilab_test_results-LV04.pdf

It specifically talks about the issues with VLAN mappings, and it 
mentions the specific hardware we tested.  (That isn't to say that all 
of the hardware supports Dynamic VLAN tagging, but it should give you 
some idea where to look).

The rest of the papers are located at:

http://www.ilabs.interop.net/details?topic=LANSec

I'm going to go ahead and try to get a Dynamic VLAN demo set up with my 
equipment here, and I'll send my example configurations and notes to 
the list, unless something like that already exists?

- Terry
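As an added illustration of the setup discussed in this thread (this is not Terry's or Jon's configuration and not a file from the Radiator distribution), the fragment below shows the full outer/inner handler pair with the VLAN reply attributes from RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) attached to whichever inner AuthBy succeeds. It uses TTLS rather than PEAP so that the inner method can be a plain (non-EAP) PAP/MSCHAP exchange that a non-EAP-capable upstream RADIUS server can verify; the same structure applies with TunnelledByPEAP=1 and EAPType PEAP. Certificate paths, the upstream host 10.0.0.5, the shared secret placeholder and the VLAN IDs 10 and 20 are all assumed values chosen for the example.

```apacheconf
# Added example configuration, not from the original post or from Radiator's
# own goodies; host, secret, certificate paths and VLAN IDs are constructed.

# Outer handler: terminates the TLS tunnel. The outer identity is only the
# anonymous NAI, so no VLAN decision is made at this level.
<Handler>
    <AuthBy FILE>
        Filename %D/users
        EAPType TTLS
        EAPTLS_CAFile %D/certificates/cacert.pem            # assumed path
        EAPTLS_CertificateFile %D/certificates/server.pem   # assumed path
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile %D/certificates/server.pem    # assumed path
        EAPTLS_PrivateKeyPassword REPLACE_WITH_KEY_PASSWORD
        # Outer identity stays anonymous; the real user is only visible
        # inside the tunnel.
        EAPAnonymous anonymous
    </AuthBy>
</Handler>

# Inner handler: sees the decrypted inner request, i.e. the real user name.
<Handler TunnelledByTTLS=1>
    # Strip any @realm so both sources below see the bare user name.
    RewriteUsername s/^([^@]+).*/$1/

    # Try the local file first; if it rejects, fall through to the upstream
    # server. Whichever AuthBy accepts decides the VLAN.
    AuthByPolicy ContinueUntilAccept

    # Source 1: local staff accounts -> VLAN 10
    <AuthBy FILE>
        Filename %D/staff-users
        AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=IEEE-802,Tunnel-Private-Group-ID=10
    </AuthBy>

    # Source 2: everyone else is checked by the (non-EAP) upstream server -> VLAN 20
    <AuthBy RADIUS>
        Host 10.0.0.5                        # constructed upstream address
        Secret REPLACE_WITH_SHARED_SECRET
        AuthPort 1812
        AcctPort 1813
        # Do not let the upstream server's reply steer the VLAN; this
        # server is the only place the VLAN is decided.
        StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID
        AddToReply Tunnel-Type=VLAN,Tunnel-Medium-Type=IEEE-802,Tunnel-Private-Group-ID=20
    </AuthBy>
</Handler>
```

Two things to verify on a live system: run radiusd with Trace 4 and confirm that the Access-Accept leaving the outer handler actually carries the three Tunnel-* attributes (Radiator copies the inner reply attributes into the outer reply for TTLS/PEAP, but it is worth seeing it in the trace), and confirm on the AP that it honours Tunnel-Private-Group-ID as a VLAN name or number, since that is exactly the "dynamic VLAN" support Terry says the AP 2000 lacks.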

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.