(RADIATOR) Dynamic VLAN Example for HP 420 v2.0.34 (Accton Reference Design - Binary VLAN Bug)

Terry Simons galimore at mac.com
Thu Jun 3 23:27:16 CDT 2004


Hi Jon,

I've managed to get my HP 420 to do dynamic VLANs with Radiator (local 
authentication).

Attached is an example configuration for Radiator that works with local 
PEAP and TTLS users with 802.1X and Dynamic VLANs.

Also attached is my example users file, so you can see what is needed 
on the Radiator side to set up a local account with VLAN assignment.

You mentioned that you are trying to proxy to a server that does *NOT* 
support EAP.  That should be ok, as long as you can pass back the 
Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID pairs 
correctly.

Tunnel-Type = VLAN (VLAN should map to 13 in your dictionary)

Tunnel-Medium-Type=Ether_802 (Ether_802 should map to 6 in your 
dictionary, some online docs will claim that this should be "802" but I 
think 802 is supposed to map to 6 in the dictionary).

Tunnel-Private-Group-ID=1234 (Where 1234 is the VLAN that you are 
trying to stick the user in.)

My recommendation for you is to try getting my example files working 
local with Radiator first, because that should be enough to test your 
APs for the functionality.

In the attached configuration, you will notice the "PostAuthHook" 
callout that calls my script.  You need to go into 
goodies/vlanhooks.txt and copy the appropriate section into a file,
and change the hook to point at that file.

In goodies/vlanhooks.txt, there are two hooks.  One is for local 
accounts (PostAuthHook) and one is for proxied accounts.  The reason 
for this is that Radiator handles things differently in the case of 
Proxy or Local authentication, but the script portions are *almost* 
identical.

If you're not running Radiator on a server that you can use Perl on,
you won't be able to use the scripts, but you don't need the scripts 
for well-behaving APs and switches that follow RFC 3580 correctly.  :-)

To actually test a proxied connection, you need to copy the appropriate 
section out of the vlanhooks.txt file, and create a ReplyHook 
file:"/path/to/script" declaration inside your <AuthBy RADIUS> handler.

If you are just testing local authentications, you only need to put the 
PostAuthHook in your TunnelledByTTLS or TunnelledByPEAP handlers.

Hope that helps! ;-)

I will be posting my findings on the web at:

http://wireless.utah.edu

for those post-post archive lurkers that might stumble upon this 
message. ;-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius-vlan-hp420-example.cfg
Type: application/octet-stream
Size: 1476 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20040603/2b8e221c/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius-vlan-hp420-users-example
Type: application/octet-stream
Size: 246 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20040603/2b8e221c/attachment-0001.obj>
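
An added example, not part of the original post or its attachments: a Python check that the attribute section of a RADIUS reply carries the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID triplet described in the message, useful for confirming what a proxy actually passes back. The attribute numbers and tag-byte layout follow RFC 2868; the function names, the 1..4094 range check, the one-tunnel-set assumption and the sample bytes are this example's own.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 numbers
VLAN, ETHER_802 = 13, 6  # dictionary values quoted in the message

def encode(atype, value):
    """Build one attribute: type byte, length byte (header included), value."""
    return bytes([atype, len(value) + 2]) + value

def parse_attributes(data):
    """Split the attribute section of a RADIUS packet into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError(f"truncated or malformed attribute at offset {i}")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]  # assumption: one tunnel set per reply
        i += data[i + 1]
    return attrs

def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type carry a tag byte plus a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 bytes")
    return int.from_bytes(value[1:], "big")

def vlan_from_reply(data):
    """Return the VLAN ID from a well-formed reply, or raise ValueError."""
    attrs = parse_attributes(data)
    for needed in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
        if needed not in attrs:
            raise ValueError(f"attribute {needed} missing from reply")
    if tagged_int(attrs[TUNNEL_TYPE]) != VLAN:
        raise ValueError("Tunnel-Type is not VLAN (13)")
    if tagged_int(attrs[TUNNEL_MEDIUM_TYPE]) != ETHER_802:
        raise ValueError("Tunnel-Medium-Type is not Ether_802 (6)")
    group = attrs[TUNNEL_PRIVATE_GROUP_ID]
    if group and group[0] <= 0x1F:  # a leading byte <= 0x1F is a tag, not text
        group = group[1:]
    text = group.decode("ascii")  # UnicodeDecodeError is a ValueError subclass
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        raise ValueError(f"VLAN ID {text!r} is not a decimal string in 1..4094")
    return int(text)

# Constructed sample: attribute bytes for the message's VLAN 1234 example.
SAMPLE = (encode(TUNNEL_TYPE, b"\x00" + VLAN.to_bytes(3, "big"))
          + encode(TUNNEL_MEDIUM_TYPE, b"\x00" + ETHER_802.to_bytes(3, "big"))
          + encode(TUNNEL_PRIVATE_GROUP_ID, b"1234"))
```

Feed `vlan_from_reply` the bytes that follow the 20-byte RADIUS header of a captured Access-Accept; it returns the VLAN ID or raises `ValueError` naming the first problem it finds.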

