(RADIATOR) How do I get A VLAN assigned? [Public]

Terry Simons galimore at mac.com
Thu Jan 13 10:28:12 CST 2005


Hi Hugo,

I haven't worked with any Cisco switches and dynamic VLANs, but the 
most common issue I have seen is that some devices are expecting 
hexadecimal integer tags, instead of ASCII, which is technically not 
RFC-compliant.  You might check out the vlan hook in the goodies 
directory which allows you to send integer tags, and see if that works.

Also, on the Cisco APs, at least in the past, they would accept VLAN 
names.  It seems like they also had an issue with ASCII VLAN tags, but 
I can't recall the exact issue.

So I would try the hex tag format, and VLAN name just to see if 
something odd is going on.

If that fails, see if you can enable debug logging for 802.1X.  I've 
seen some interesting messages come across with wireless APs before 
when using dynamic VLANs that have helped solve a few of my problems.

Good luck!

- Terry

On Jan 13, 2005, at 8:40 AM, Miedema, Hugo wrote:

> Hello,
>  
> I've got a Radiator server running on FreeBSD.
>  
> But I get no VLAN on the interface of the Cisco-switch.
>  
> The config of the switch:
> aaa new-model
> aaa authentication dot1x default group radius
> !
> dot1x system-auth-control
> !
> !
> !
> !
> interface FastEthernet0/1
>  description Office-1
>  switchport mode access
>  dot1x port-control auto
>  spanning-tree portfast
> !
> The Switch debugging:
> Jan 13 16:05:21 CET: AAA/AUTHEN/CONT (3351729614): continue_login 
> (user='frank at xeon.com')
> Jan 13 16:05:21 CET: AAA/AUTHEN (3351729614): status = GETDATA
> Jan 13 16:05:21 CET: AAA/AUTHEN (3351729614): Method=radius (radius)
> Jan 13 16:05:21 CET: AAA/AUTHEN (3351729614): status = PASS
>  
> ******************************************************************
> *** This is strange to me:
> ******************************************************************
> Jan 13 16:05:21 CET: dot1x-ev:Received VLAN is No Vlan
> Jan 13 16:05:21 CET: dot1x-ev:Enqueued the response to BackEnd
> Jan 13 16:05:21 CET: AAA/MEMORY: free_user (0x80CEC2E8) 
> user='frank at xeon.com' ruser='frank at xeon.com' port='FastEthernet0/1' 
> rem_addr='' authen_type=EAP service=802.1x priv=1
> Jan 13 16:05:21 CET: dot1x-ev:Received QUEUE EVENT in response to AAA 
> Request
> Jan 13 16:05:21 CET: dot1x-ev:Dot1x matching request-response found
> Jan 13 16:05:21 CET: dot1x-ev:Length of recv eap packet from radius = 4
> Jan 13 16:05:21 CET: dot1x-ev:Received VLAN Id -1
> Jan 13 16:05:21 CET: dot1x-ev:dot1x_bend_success_enter:00c0.4f83.0e98: 
> Current ID=1
>  
> Jan 13 16:05:42 CET: dot1x-ev:dot1x_bend: Sending Radius Response to 
> Supplicant of length 4
> Jan 13 16:05:42 CET: dot1x-ev:dot1x_tx_eap: EAP Ptk
> Jan 13 16:05:42 CET: dot1x-ev:EAP-code=SUCCESS
>  Jan 13 16:05:42 CET: dot1x-ev:EAP Type= Unknown
>  Jan 13 16:05:42 CET: dot1x-ev:ID=1
> The Radiator config (detail):
> <Handler Realm=xeon.com>
>         RewriteUsername s/^([^@]+).*/$1/
>         <AuthBy FILE>
>                 EAPType MD5-Challenge
>                 RewriteUsername s/^([^@]+).*/$1/
>                 Filename %D/users
>                 StripFromReply Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID
>                 AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=Ether_802, Tunnel-Private-Group-ID=8, User-Name=%u
>         </AuthBy>
> </Handler>
> Part of the Radiator-logging:
> Code:       Access-Accept
> Identifier: 17
> Authentic:  
> Z<217><184><136>a<202><241><148>M<236><229>(<223><242><190><4>
> Attributes:
>         EAP-Message = <3><1><0><4>
>         Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Tunnel-Type = VLAN
>         Tunnel-Medium-Type = Ether_802
>         Tunnel-Private-Group-ID = 8
>         User-Name = "frank at xeon.com"
> Why is there no vlan assigned?
>  
> regards,
>  
> Hugo Miedema 
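
The reply above contrasts ASCII and integer encodings of the VLAN in Tunnel-Private-Group-ID. The following is an added example, not part of the thread and not Radiator or goodies code, that builds and classifies the wire forms of that attribute (RADIUS type 81, RFC 2868) so they can be compared against a packet capture. The 4-octet big-endian layout used for the integer form is an assumption, since the thread does not say what the hook emits; the function names are hypothetical.

```python
import struct

TUNNEL_PRIVATE_GROUP_ID = 81  # RADIUS attribute type, RFC 2868


def encode_group_id(vlan, tag=None, binary=False):
    """Build one Tunnel-Private-Group-ID attribute: type, length, [tag], value."""
    # binary=True packs a 4-octet big-endian integer (assumed layout, see lead-in).
    value = struct.pack("!I", vlan) if binary else str(vlan).encode("ascii")
    if tag is not None:
        if not 0 <= tag <= 0x1F:
            raise ValueError("tag must be 0x00-0x1F")
        value = bytes([tag]) + value
    return bytes([TUNNEL_PRIVATE_GROUP_ID, len(value) + 2]) + value


def describe_group_id(attr):
    """Return (tag, form, vlan) for one encoded Tunnel-Private-Group-ID."""
    if len(attr) < 3 or attr[0] != TUNNEL_PRIVATE_GROUP_ID or attr[1] != len(attr):
        raise ValueError("not a well-formed Tunnel-Private-Group-ID")
    value, tag = attr[2:], None
    # RFC 2868: a first octet of 0x01-0x1F is a tag, above 0x1F it is string data.
    # 0x00 falls under neither rule; it is treated as an unused tag octet here.
    if value[0] <= 0x1F and len(value) > 1:
        tag, value = value[0], value[1:]
    if value.isdigit():
        return tag, "ascii-digits", int(value)
    if all(0x20 <= b < 0x7F for b in value):
        return tag, "name", value.decode("ascii")
    return tag, "binary-integer", int.from_bytes(value, "big")


if __name__ == "__main__":
    # Constructed samples: VLAN 8 in each form, plus a VLAN name.
    samples = [
        encode_group_id(8),               # untagged ASCII, as in the logged reply
        encode_group_id(8, tag=1),        # tagged ASCII
        encode_group_id(8, binary=True),  # integer form (assumed layout)
        bytes([81, 8]) + b"office",       # VLAN name
    ]
    for attr in samples:
        print(attr.hex(" "), "->", describe_group_id(attr))
```

The untagged integer form begins with a 0x00 octet, so a receiver cannot tell a tag from data there; that is the kind of ambiguity to look for when a device reports no VLAN.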