(RADIATOR) Help understanding handlers to allow a guest vlan fallback on wireless

Hugh Irvine hugh at open.com.au
Tue Jan 4 16:28:46 CST 2005


Hello Berndt -

Thanks for sending the debug information.

It looks to me like Radiator is returning an access accept with the  
correct VLAN attributes.

Is the session starting on the access point (from your mail I think it  
is)?

If the session is starting without the correct VLAN you will need to  
contact Enterasys to find out how to configure it.

There is quite a bit of discussion on the mailing list, so have a look  
at the archive and search on "enterasys".

	www.open.com.au/archives/radiator

regards

Hugh


On 5 Jan 2005, at 00:09, Berndt Sevcik wrote:

> We are also using Enterasys Access Points at our school and are trying to
> configure them dynamically with VLANs. But we are using the RoamAbout
> R2. The clients are authenticated but no VLAN is assigned. Here is my
> configuration:
>
> # Foreground
> LogStdout
> LogDir          /var/log/radiator
> LogFile         %L/radiator.log
>
> DbDir           /etc/radiator
> PidFile         /var/run/radiusd.pid
> Trace           4
>
> AuthPort 1645
> AcctPort 1646
>
> <Client 10.3.4.10>
>         Secret  mysecret
>         Identifier IntegerVLANTag
> </Client>
>
> <Handler Client-Identifier = IntegerVLANTag>
> <AuthBy LDAP2>
>     Identifier OUTERAuthentication
>     EAPType PEAP,TTLS
>     EAPTLS_CAFile %D/certificates/cacert.pem
>     EAPTLS_CertificateFile %D/certificates/edu-pdc02.pem
>     EAPTLS_CertificateType PEM
>     EAPTLS_PrivateKeyFile %D/certificates/edu-pdc02.pem
>     EAPTLS_PrivateKeyPassword whatever
>     EAPTLS_MaxFragmentSize 1000
>     AutoMPPEKeys
>     RewriteUsername s/(.*)\\(.*)/$2/
>     RcryptKey   xxxxxx
>     Host                10.2.4.22
>     AuthDN              cn=admin,dc=tgm,dc=ac,dc=at
>     AuthPassword        xxxxx
>     BaseDN              dc=tgm,dc=ac,dc=at
>     UsernameAttr        uid
>     PasswordAttr    rcryptPassword
>     AuthAttrDef radiusAuthType,GENERIC,check
>     ReplyAttr       radiusReplyItem
>     # Debug 255
> </AuthBy>
>    PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
> </Handler>
>
> When I take a look at the debug output I can see that the additional
> attributes for VLANs are in the Access-Accept packet.
>
> Tue Jan  4 13:46:33 2005: DEBUG: Handling request with Handler
> 'Client-Identifier = IntegerVLANTag'
> Tue Jan  4 13:46:33 2005: DEBUG:  Deleting session for berndt.sevcik,
> 10.3.4.10,
> Tue Jan  4 13:46:33 2005: DEBUG: Handling with Radius::AuthLDAP2:
> LDAPTTLSAuthentication
> Tue Jan  4 13:46:33 2005: INFO: Connecting to 10.2.4.22, port 389
> Tue Jan  4 13:46:33 2005: INFO: Attempting to bind to LDAP server
> 10.2.4.22:389)
> Tue Jan  4 13:46:34 2005: DEBUG: LDAP got result for
> uid=berndt.sevcik,ou=People,ou=admin,dc=tgm,dc=ac,dc=at
> Tue Jan  4 13:46:34 2005: DEBUG: LDAP got rcryptPassword:
> {rcrypt}xxxxxxxxx
> Tue Jan  4 13:46:35 2005: DEBUG: LDAP got radiusReplyItem:
> Tunnel-Medium-Type = Ether_802,Tunnel-Type = VLAN,Tunnel-Private-Group = 1001
> Tue Jan  4 13:46:35 2005: DEBUG: Radius::AuthLDAP2 looks for match with
> berndt.sevcik
> Tue Jan  4 13:46:36 2005: DEBUG: Radius::AuthLDAP2 ACCEPT:
> Tue Jan  4 13:46:36 2005: DEBUG: ASCII-to-Integer VLAN ID PostAuthHook
> called
> Tue Jan  4 13:46:36 2005: DEBUG: Found untagged ASCII VLAN attribute of
> 1001
> Tue Jan  4 13:46:36 2005: DEBUG: Replacing ASCII vlan tag with é
> Tue Jan  4 13:46:36 2005: DEBUG: Access accepted for berndt.sevcik
> Tue Jan  4 13:46:36 2005: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  j<31><191><215>1<210>6=<127><29><193><22>V<18>>L
> Attributes:
>         MS-CHAP2-Success =  
> "pS=323380410D265319D117E9260595827FF7216408"
>         MS-MPPE-Send-Key = "<250><254><141>#
> <248><135><238><141><29>q<248><180><202>z&<10><177><23>v<14><137>Q<214> 
> <30><4>e<129><229>]<161>6<152><234>"
>         MS-MPPE-Recv-Key =
> "<176>dw<208><170><190>T<11>P<167><3>%I<239><140>&<192>X<156><188><148> 
> <20><196><235><222>p<198><141>"h<192><133><146><197>"
>         Tunnel-Medium-Type = Ether_802
>         Tunnel-Type = VLAN
>         Tunnel-Private-Group = "<0><0><3><233>"
>
> Tue Jan  4 13:46:36 2005: DEBUG: EAP result: 3, EAP TTLS Inner
> authentication challenged
> Tue Jan  4 13:46:36 2005: DEBUG: Access challenged for berndt.sevcik:
> EAP TTLS Inner authentication challenged
> Tue Jan  4 13:46:36 2005: DEBUG: Packet dump:
> *** Sending to 10.3.4.10 port 1031 ....
> Code:       Access-Challenge
> Identifier: 44
> Authentic:  ~<10><0><0><214>d<0><0><190><30><0><0><135>a<0><0>
> Attributes:
>         EAP-Message =
> <1><7><0><223><21><128><0><0><0><213><23><3><1><0><208><127><192>.p<229 
> ><196><11><212><184>u<154><164><206><208>'9<175>B? 
> a<169><128><128>5<231><162><209>\<201>XX<23><30><24>5<182><22>%<253>]<1 
> 77>W<148><3><127>O<148><18>s<247><180>f<252><173><27>jk+<196><184>w at j<2 
> ><30><171>^<173><233>wl<190>? 
> (te)<216>,l<27>m<193><251>_<241>L<212><185>w<216>Y(<155><227><0>tM<213> 
> <209><150>E<197>G<10><209><171><5><196>4<199><127><215>`<17>(<143>f}X<2 
> 26><171><167>-F<146><218><133>? 
> <203><146>z<153><2><0><18><228><161><193><203><146>F<22><9>mGu<188><227 
> ><202><165><229><18><192><173><<149>: 
> 7#<151>G<231><153><226>i<211><14>m`r<240><1><0>_,g<201><213><189><15><2 
> 13>1\<215>\<209><8>?- 
> <158><215>1<236><238><139>+<219><249><6><27><3><151>[<27>~<153><135>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> Tue Jan  4 13:46:36 2005: DEBUG: Packet dump:
> *** Received from 10.3.4.10 port 1031 ....
> Code:       Access-Request
> Identifier: 45
> Authentic:  <7>q<0><0><154><30><0><0><138><23><0><0><255>8<0><0>
> Attributes:
>         Message-Authenticator =
> <21><242><235>f<132>_Dr<173><151><187><162><<141>Z<174>
>         User-Name = "berndt.sevcik"
>         State = ""
>         NAS-IP-Address = 10.3.4.10
>         NAS-Port = 2
>         NAS-Port-Type = Wireless-IEEE-802-11
>         Calling-Station-Id = "00-0d-93-89-cc-6f"
>         Framed-MTU = 1000
>         EAP-Message = <2><7><0><6><21><0>
>
> Tue Jan  4 13:46:36 2005: DEBUG: Handling request with Handler
> 'Client-Identifier = IntegerVLANTag'
> Tue Jan  4 13:46:36 2005: DEBUG:  Deleting session for berndt.sevcik,
> 10.3.4.10, 2
> Tue Jan  4 13:46:36 2005: DEBUG: Handling with Radius::AuthLDAP2:
> LDAPTTLSAuthentication
> Tue Jan  4 13:46:36 2005: DEBUG: Handling with EAP: code 2, 7, 6
> Tue Jan  4 13:46:36 2005: DEBUG: Response type 21
> Tue Jan  4 13:46:36 2005: DEBUG: EAP result: 0,
> Tue Jan  4 13:46:36 2005: DEBUG: ASCII-to-Integer VLAN ID PostAuthHook
> called
> Tue Jan  4 13:46:36 2005: DEBUG: Found untagged ASCII VLAN attribute of
> Tue Jan  4 13:46:36 2005: DEBUG: Replacing ASCII vlan tag with
> Tue Jan  4 13:46:36 2005: DEBUG: Access accepted for berndt.sevcik
> Tue Jan  4 13:46:37 2005: DEBUG: Packet dump:
> *** Sending to 10.3.4.10 port 1031 ....
> Code:       Access-Accept
> Identifier: 45
> Authentic:  <7>q<0><0><154><30><0><0><138><23><0><0><255>8<0><0>
> Attributes:
>         MS-MPPE-Send-Key =
> "<170>t<16>X|<29><30><19><212>U<200>N<221><158><183><210><214><192><24> 
> {<185><216><232>8<207><13><209><212><200><3><241><28>\<195><202>wC  
> <252><179><229><254><199>K<161><22><159><208>c7"
>         MS-MPPE-Recv-Key =
> "<139><18>fQ<142><166>;%<183>}<158><25>[Y<133><3><169>
> <142>'<0><185>'<179><221><147><242><140>a<156><181><195><148><157>~<25> 
> 7M<206><215><222>oP<232>G<135>f<22>e7"
>         EAP-Message = <3><7><0><4>
>         Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Tunnel-Private-Group = "<0><0><0><0>"
>
> Does someone have a working configuration or some hints for me?
>
> Thanks in advance.
> Berndt
>
> On Thu, 02.12.2004 at 20:05, doc at dcclrt.co.uk wrote:
>> Hi Hugh,
>>
>> Thanks for this information, it has helped a great deal.
>> I am having to raise a support call to Enterasys regarding the AP. It
>> does support VLAN tagging and Radiator output is certainly adding the
>> attributes but the logging on the AP is somewhat pathetic and the VLAN
>> tagging is not issued to the client. If anyone has this working with
>> Enterasys RoamAbout APs I would be grateful to hear from you. If not
>> I'll report back with my findings from Enterasys support.
>>
>> Regards
>> Dave
>>
>> ----- Original Message -----
>> From: "Hugh Irvine" <hugh at open.com.au>
>> To: <doc at dcclrt.co.uk>
>> Cc: <radiator at open.com.au>
>> Sent: Wednesday, December 01, 2004 9:33 PM
>> Subject: Re: (RADIATOR) Help understanding handlers to allow a guest vlan
>> fallback on wireless
>>
>>
>>>
>>> Hello -
>>>
>>> Something like this:
>>>
>>> <Client 1.1.1.1>
>>> Identifier Site1
>>> .....
>>> </Client>
>>>
>>> <Client 1.1.1.2>
>>> Identifier Site1
>>> .....
>>> </Client>
>>>
>>> <Client 2.2.2.1>
>>> Identifier Site2
>>> .....
>>> </Client>
>>>
>>> <Client 2.2.2.2>
>>> Identifier Site2
>>> .....
>>> </Client>
>>>
>>> <Client 3.3.3.1>
>>> Identifier Site3
>>> .....
>>> </Client>
>>>
>>> ......
>>>
>>> <Handler Client-Identifier = Site1>
>>>
>>> AuthByPolicy ContinueUntilAccept
>>>
>>> <AuthBy LDAP2>
>>> .....
>>> # vlan attributes for Site1
>>> AddToReply .....
>>> .....
>>> </AuthBy>
>>>
>>> <AuthBy INTERNAL>
>>> DefaultResult ACCEPT
>>> # default guest vlan attributes
>>> AddToReply .....
>>> .....
>>> </AuthBy>
>>>
>>> </Handler>
>>>
>>> <Handler Client-Identifier = Site2>
>>>
>>> AuthByPolicy ContinueUntilAccept
>>>
>>> <AuthBy LDAP2>
>>> .....
>>> # vlan attributes for Site2
>>> AddToReply .....
>>> .....
>>> </AuthBy>
>>>
>>> <AuthBy INTERNAL>
>>> DefaultResult ACCEPT
>>> # default guest vlan attributes
>>> AddToReply .....
>>> .....
>>> </AuthBy>
>>>
>>> </Handler>
>>>
>>> <Handler Client-Identifier = Site3>
>>>
>>> AuthByPolicy ContinueUntilAccept
>>>
>>> <AuthBy LDAP2>
>>> .....
>>> # vlan attributes for Site3
>>> AddToReply .....
>>> .....
>>> </AuthBy>
>>>
>>> <AuthBy INTERNAL>
>>> DefaultResult ACCEPT
>>> # default guest vlan attributes
>>> AddToReply .....
>>> .....
>>> </AuthBy>
>>>
>>> </Handler>
>>>
>>> .....
>>>
>>>
>>> I don't know the exact syntax for your particular equipment, but you
>>> should check a trace 4 debug from Radiator to verify exactly what is
>>> being sent, then check what the AP thinks it is doing. Obviously if the
>>> AP does not support what you are trying to do there isn't much Radiator
>>> can do about it.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 2 Dec 2004, at 08:14, doc at dcclrt.co.uk wrote:
>>>
>>>> Hi,
>>>>
>>>> Our users do not have VLAN parameters set in their user records within
>>>> Novell Directory Services because we want them to be able to roam from
>>>> site to site, where each site uses a different VLAN and does not cross
>>>> sites. In order to successfully configure a default fallback VLAN based
>>>> on my config shown, could you possibly give me a complete config that
>>>> would work please. This might give me a better understanding as to how
>>>> the information you gave me before actually fits together in the config
>>>> file properly. Sorry if this sounds dumb but I don't quite get it yet. :(
>>>>
>>>> In the config file I have I did add AddToReply attributes but I'm not
>>>> convinced my APs were assigning the VLAN correctly.
>>>> The AP documentation says to use:
>>>> AddToReply Tunnel-Type = VLAN,\
>>>> Tunnel-Medium-Type = Ether_802,\
>>>> Tunnel-Private-Group = VLANID
>>>>
>>>> but when I look at the station status on the AP there is no VLAN ID
>>>> associated with the connected clients.
>>>>
>>>> Regards
>>>>
>>>> Dave
>>>>
>>>>
>>>>
>>>> ----- Original Message ----- From: "Hugh Irvine" <hugh at open.com.au>
>>>> To: <doc at dcclrt.co.uk>
>>>> Cc: <radiator at open.com.au>
>>>> Sent: Wednesday, December 01, 2004 8:45 PM
>>>> Subject: Re: (RADIATOR) Help understanding handlers to allow a guest vlan
>>>> fallback on wireless
>>>>
>>>>
>>>>
>>>> Hello -
>>>>
>>>> Normally you would have the correct VLAN for a user stored in his/her
>>>> user record and you would return it from the LDAP search.
>>>>
>>>> If all users have the same VLAN, then you can use AddToReply in the
>>>> AuthBy LDAP2 clause, with an additional AuthBy INTERNAL clause with a
>>>> different AddToReply for guests.
>>>>
>>>> Something like this:
>>>>
>>>> AuthByPolicy ContinueUntilAccept
>>>>
>>>> <AuthBy LDAP2>
>>>> .....
>>>> # vlan attributes
>>>> AddToReply .....
>>>> .....
>>>> </AuthBy>
>>>>
>>>> <AuthBy INTERNAL>
>>>> DefaultResult ACCEPT
>>>> # default guest vlan attributes
>>>> AddToReply .....
>>>> .....
>>>> </AuthBy>
>>>>
>>>> regards
>>>>
>>>> Hugh
>>>>
>>>>
>>>> On 2 Dec 2004, at 05:01, doc at dcclrt.co.uk wrote:
>>>>
>>>>> Hi Everyone.
>>>>>
>>>>> I'm using an Enterasys RoamAbout 3000 AP to authenticate users via
>>>>> Radiator.
>>>>> Radiator is configured to LDAP to NDS which is working successfully
>>>>> with the current configuration.
>>>>> I have many different sites that are on different VLANs where wireless
>>>>> users will need to authenticate.
>>>>> Failing authentication, we want to have a default guest VLAN assigned
>>>>> whereby the user can then download the client needed for 802.1X
>>>>> authentication.
>>>>>
>>>>> I just do not know the correct way to go about this in the
>>>>> configuration file. I've tried and failed but I don't fully understand
>>>>> handlers and realms and how they interact with the rest of the config
>>>>> file. (Yes, I've RTFM many many times).
>>>>>
>>>>> Below is the Radiator config file I am using at the moment, it is by
>>>>> no means complete.
>>>>> As it is, the config file is configured to authenticate a testbed set
>>>>> of users but I want to add configuration for further Clients with the
>>>>> same LDAP authentication method and also if necessary a default VLAN
>>>>> fallback mechanism.
>>>>>
>>>>> It may well be that my AP does not support "dynamic vlan" setup. The
>>>>> AP is connected to a Cisco 2950 with IOS Enhanced Image.
>>>>>
>>>>> Any help would be greatly appreciated.
>>>>>
>>>>> ---------------------
>>>>> Foreground
>>>>> LogStdout
>>>>> LogDir /var/log/radius
>>>>> LogFile %L/%Y-%m-log
>>>>> DbDir /etc/radiator
>>>>> Trace 4
>>>>> AuthPort 1812
>>>>> #AcctPort 1813
>>>>>
>>>>> <Client xxx.xxx.xxx.xxx>
>>>>> IdenticalClients xxx.xxx.xxx.xxx
>>>>> Secret 1234
>>>>> DupInterval 0
>>>>> Identifier isu
>>>>> </Client>
>>>>>
>>>>> <Handler Client-Identifier=isu>
>>>>> <AuthBy LDAP2>
>>>>> # Tell Radiator how to talk to the LDAP server
>>>>> ServerChecksPassword 1
>>>>> Host xxx.xxx.xxx.xxx
>>>>> Port 389
>>>>>
>>>>> # You will only need these if your LDAP server
>>>>> # requires authentication. These are the examples
>>>>> # in a default OpenLDAP installation
>>>>> # see /etc/openldap/slapd.conf
>>>>> # AuthDN CN=ADMIN, O=MMU
>>>>> # AuthPassword xxxxxxxxxx
>>>>>
>>>>> # This the top of the search tree where users
>>>>> # will be found. It should match the configuration
>>>>> # of your server, see /etc/openldap/slapd.conf
>>>>> BaseDN o=xxx
>>>>>
>>>>> # This is the LDAP attribute to match the radius user name
>>>>> UsernameAttr cn
>>>>>
>>>>> # You can enable debugging of the Net::LDAP
>>>>> # module with this:
>>>>> #Debug 255
>>>>>
>>>>> EAPType TTLS
>>>>> EAPTLS_CAFile /etc/radiator/certificates/xxxxxxx.pem
>>>>> EAPTLS_CertificateFile /etc/radiator/certificates/cert-srv.pem
>>>>> EAPTLS_CertificateType PEM
>>>>> EAPTLS_PrivateKeyFile /etc/radiator/certificates/xxxxxxxxx.xxx
>>>>> EAPTLS_PrivateKeyPassword whatever
>>>>> EAPTLS_MaxFragmentSize 1000
>>>>> AutoMPPEKeys
>>>>>
>>>>> # StripFromReply Tunnel-Type,\
>>>>> # Tunnel-Medium-Type,\
>>>>> # Tunnel-Private-Group-ID
>>>>> # AddToReply Tunnel-Type = VLAN,\
>>>>> # Tunnel-Medium-Type = Ether_802,\
>>>>> # Tunnel-Private-Group = 2
>>>>> </AuthBy>
>>>>> # PostAuthHook file:"%D/hooks/vlan-ascii-to-binary-postauth"
>>>>> </Handler>
>>>>>
>>>>
>>>> NB:
>>>>
>>>> Have you read the reference manual ("doc/ref.html")?
>>>> Have you searched the mailing list archive
>>>> (www.open.com.au/archives/radiator)?
>>>> Have you had a quick look on Google (www.google.com)?
>>>> Have you included a copy of your configuration file (no secrets),
>>>> together with a trace 4 debug showing what is happening?
>>>>
>>>> -- 
>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>> -
>>>> Nets: internetwork inventory and management - graphical, extensible,
>>>> flexible with hardware, software, platform and database  
>>>> independence.
>>>> -
>>>> CATool: Private Certificate Authority for Unix and Unix-like  
>>>> systems.
>>>>
>>>>
>>>
>>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>
>
>


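Hugh's per-site handler skeleton quoted above, filled in for one site. This is an added example, not from the thread or from Radiator's own documentation; it uses only directives that appear elsewhere in this thread. The client address, the Identifier "Site1", the LDAP host and BaseDN and the two VLAN numbers (101 for staff, 999 for guests) are assumed values. It sends the ASCII VLAN number, which is what Dave's AP documentation asks for; Berndt's setup instead converts it with the vlan-ascii-to-binary-postauth hook.

```text
# Added example (not from the thread): one site of the ContinueUntilAccept
# staff/guest VLAN fallback. Addresses, DNs and VLAN numbers are assumed.

<Client 10.1.1.1>
        Secret          changeme
        Identifier      Site1
</Client>

<Handler Client-Identifier = Site1>
        # Try LDAP first; the INTERNAL clause below is only consulted when
        # LDAP2 did not return ACCEPT.
        AuthByPolicy ContinueUntilAccept

        <AuthBy LDAP2>
                Host                    ldap.example.org
                BaseDN                  o=example
                UsernameAttr            cn
                ServerChecksPassword    1
                # Staff VLAN for this site
                AddToReply Tunnel-Type = VLAN,\
                        Tunnel-Medium-Type = Ether_802,\
                        Tunnel-Private-Group = 101
        </AuthBy>

        <AuthBy INTERNAL>
                # Accepts every request LDAP did not accept, wrong passwords
                # included, so VLAN 999 must be isolated and treated as untrusted.
                DefaultResult ACCEPT
                AddToReply Tunnel-Type = VLAN,\
                        Tunnel-Medium-Type = Ether_802,\
                        Tunnel-Private-Group = 999
        </AuthBy>
</Handler>
```

Two points to keep in mind with this shape. DefaultResult ACCEPT is unconditional: a known user typing the wrong password lands in VLAN 999 exactly like a stranger would, so the guest VLAN has to be firewalled as untrusted on the switch side and the LDAP2 clause must remain the only one able to return the staff VLAN. And, as Hugh says, verify what is actually sent with a trace 4 dump; with EAP-TTLS, look at the final Access-Accept going to the AP, not only the inner tunnelled reply.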


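The two Access-Accept dumps in Berndt's trace above differ: the inner TTLS reply carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group = "<0><0><3><233>" (1001 in the 4-byte binary form the hook produces), but the final Access-Accept sent to 10.3.4.10 (Identifier 45) carries only Tunnel-Private-Group = "<0><0><0><0>", just after the hook's second run logged an empty VLAN. The script below is an added example, not part of the thread or of Radiator: it decodes Radiator's trace-4 "<nnn>" octet notation, interprets Tunnel-Private-Group(-ID) as RFC 2868 describes it (a leading tag octet in 0x00..0x1F, then an opaque string), recognises both the ASCII and the binary encoding, and reports whether an Access-Accept actually carries a usable VLAN assignment. The two sample dumps embedded in it are constructed from the ones above with the key material removed; the parser assumes one attribute per line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Radiator trace-4 packet dumps print each non-printable octet as <decimal>
# and printable octets as themselves; a bare '<' that is not followed by
# digits and '>' is a literal octet (see "<<149>" in the EAP-Message dump).
_TOKEN = re.compile(r"<(\d{1,3})>|(.)", re.DOTALL)

def decode_dump_value(text: str) -> bytes:
    """Turn a dump value such as '"<0><0><3><233>"' or '1001' into octets."""
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        text = text[1:-1]              # string attributes are shown quoted
    out = bytearray()
    for num, ch in _TOKEN.findall(text):
        if num:
            out.append(int(num) & 0xFF)
        else:
            out += ch.encode("latin-1")
    return bytes(out)

@dataclass
class TunnelGroup:
    tag: Optional[int]       # RFC 2868 tag octet, None when untagged
    body: bytes              # group-id octets after the tag
    encoding: str            # "ascii", "binary" or "empty"
    vlan: Optional[int]      # VLAN number, None when nothing could be parsed

def parse_tunnel_private_group(value: bytes) -> TunnelGroup:
    """Interpret Tunnel-Private-Group-ID as RFC 2868 section 3.6 defines it.

    The first octet is a tag only if it is 0x00..0x1F; a larger first octet
    means the whole value is the group id.  The group id is an opaque string:
    most NASes expect the ASCII VLAN number ("1001"), while the hook used in
    the thread sends a big-endian binary integer, so both forms are decoded.
    "<0><0><3><233>" reads as 1001 either way (tag 0 plus a 3-octet integer,
    or an untagged 4-octet integer).
    """
    if not value:
        return TunnelGroup(None, b"", "empty", None)
    tag: Optional[int] = None
    body = value
    if value[0] <= 0x1F:
        tag, body = value[0], value[1:]
    if body and all(0x30 <= b <= 0x39 for b in body):
        return TunnelGroup(tag, body, "ascii", int(body.decode("ascii")))
    if body:
        return TunnelGroup(tag, body, "binary", int.from_bytes(body, "big"))
    return TunnelGroup(tag, body, "empty", None)

def vlan_is_assignable(vlan: Optional[int]) -> bool:
    """802.1Q VLAN IDs a NAS can assign are 1..4094; 0 and 4095 are reserved."""
    return vlan is not None and 1 <= vlan <= 4094

# A NAS needs all three tunnel attributes to act on the assignment.
REQUIRED = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group")
_ATTR_LINE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*)$")

def check_accept_dump(dump: str) -> dict:
    """Parse the attribute lines of a Radiator Access-Accept dump (one
    attribute per line assumed) and report whether a usable VLAN is in it."""
    attrs = {}
    for line in dump.splitlines():
        m = _ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    missing = [a for a in REQUIRED if a not in attrs and a + "-ID" not in attrs]
    raw = attrs.get("Tunnel-Private-Group", attrs.get("Tunnel-Private-Group-ID"))
    parsed = parse_tunnel_private_group(decode_dump_value(raw)) if raw is not None else None
    vlan = parsed.vlan if parsed else None
    return {
        "missing": missing,
        "encoding": parsed.encoding if parsed else None,
        "vlan": vlan,
        "ok": not missing and vlan_is_assignable(vlan),
    }

# Constructed from the two Access-Accept dumps quoted in the thread, with the
# MPPE key material and MS-CHAP2-Success left out.
INNER_ACCEPT = """\
Code:       Access-Accept
Identifier: UNDEF
Attributes:
        Tunnel-Medium-Type = Ether_802
        Tunnel-Type = VLAN
        Tunnel-Private-Group = "<0><0><3><233>"
"""
OUTER_ACCEPT = """\
Code:       Access-Accept
Identifier: 45
Attributes:
        EAP-Message = <3><7><0><4>
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Tunnel-Private-Group = "<0><0><0><0>"
"""

if __name__ == "__main__":
    for name, dump in (("inner TTLS reply", INNER_ACCEPT), ("outer reply to the AP", OUTER_ACCEPT)):
        print(f"{name}: {check_accept_dump(dump)}")
```

Run as-is it reports the inner reply as ok with VLAN 1001 in binary encoding, and the outer reply as not ok: VLAN 0 and Tunnel-Type and Tunnel-Medium-Type missing. To use it on your own trace 4 log, paste the "Attributes:" section of the Access-Accept that is sent to the NAS, since that is the only packet the AP ever sees.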