(RADIATOR) last hurdle to assigning vlan ids for dot1x authentication
Alex Sharaz
A.Sharaz at hull.ac.uk
Fri Jun 23 10:54:38 CDT 2006
Hopefully this'll be the last message on this topic.
I've got everything worked out except for the fact that the
Tunnel-Private-Group-Id that I've defined isn't being passed back as far
as the RAS client.
A user auths using eap-peap/eap-mschapv2 via the Handler shown below.[1]
Eventually you get to an AuthBy RADIUS statement that proxies off an
auth request to another radius server. [2]
A ReplyHook [3] has a look at the nas-ip address and decides what
parameters to add to the reply packet to pass back to the client.
In this case it's
Tunnel-Medium-Type=802,\
Tunnel-Private-Group-ID=CC_Clients,\
Tunnel-Type=VLAN
Looking at the Access-Accept packet that comes out of the AuthBy Radius
you see
However this doesn't seem to get as far as the remote client.
If I add
# AddToReply Tunnel-Medium-Type=802,\
# Tunnel-Private-Group-ID=CC_Clients,\
# Tunnel-Type=VLAN
to the top-level handler [1] then everything works fine. However, the
idea is to use a set of database queries to sort out what VLAN
attribute to pass back, as we're going to want to decide that based upon
whether it's wired or wireless local users, JRS users, or guests getting
routed to a commercial ISP and bypassing our JANET connection.
Help
Alex
*** Received from 150.237.47.196 port 1812 ....
Code: Access-Accept
Identifier: 10
Authentic: <155><230><141><133><165><234><213>@<191><31>yVEq<11>r
Attributes:
MS-CHAP2-Success =
"<1>S=4B2A3C087CE458594200A3C2D5258030B3ABF45F"
Fri Jun 23 16:38:54 2006: DEBUG: Received reply in AuthRADIUS for req 10
from 150.237.47.196:1812
Fri Jun 23 16:38:54 2006: DEBUG: Calling get_wired_vlans_replyhook.pl
Fri Jun 23 16:38:54 2006: DEBUG: Calling-Station=00-0E-35-E3-B5-5D
Fri Jun 23 16:38:54 2006: DEBUG: Nas-Ip=150.237.47.40
Fri Jun 23 16:38:54 2006: DEBUG: User-Name=ccsas
Fri Jun 23 16:38:54 2006: DEBUG: Adding 802.1x vlan information
Fri Jun 23 16:38:54 2006: DEBUG: Adding 802.1x vlan information for CC
Wireless
Fri Jun 23 16:38:54 2006: DEBUG: vlanid=CC_Clients
Fri Jun 23 16:38:54 2006: DEBUG: Exiting get_wired_vlans.replyhookpl
Fri Jun 23 16:38:54 2006: DEBUG: Access accepted for ccsas
Fri Jun 23 16:38:54 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet
dump:
Code: Access-Accept
Identifier: UNDEF
Authentic: <251>^<27><131>,<183>8YFg2<17><187><30>uK
Attributes:
MS-CHAP2-Success =
"<1>S=4B2A3C087CE458594200A3C2D5258030B3ABF45F"
Tunnel-Private-Group-ID = CC_Clients
Tunnel-Type = VLAN
Tunnel-Medium-Type = 802
#####################################
[1]
<Handler Client-Identifier=/Trpz-*/i, Realm=/hull\.ac\.uk/i>
AuthBy eapAuth
AuthLog paplog
RejectHasReason
SessionDatabase NULL_SESSION_DB
PreProcessingHook file:"/etc/radiator/access_request.pl"
# AddToReply Tunnel-Medium-Type=802,\
# Tunnel-Private-Group-ID=CC_Clients,\
# Tunnel-Type=VLAN
</Handler>
#####################################
<Handler>
Identifier eapAuth
........
</Handler>
####################################
<Handler TunnelledByPEAP=1>
Identifier peap-mschapv2
<AuthBy FILE>
EAPType MSCHAP-V2
EAP_PEAP_MSCHAP_Convert 1
</AuthBy>
</Handler>
####################################
<Handler ConvertedFromEAPMSCHAPV2=1>
# Proxy to a non-EAP capable server
Identifier eap-mschapv2
#
# We need to auth only to the userid and not userid at realm
#
[2]
<AuthBy RADIUS>
RewriteUsername s/^([^@]+).*/$1/
Host <ip address>
Secret <secret>
AuthPort 1812
AcctPort 1813
LocalAddress %{GlobalVar:myIp}
StripFromRequest ConvertedFromEAPMSCHAPV2
[3] ReplyHook file:"%D/gen_wired_vlans_replyhook.pl"
</AuthBy>
AuthLog eaplog
PostAuthHook file:"/etc/radiator/calling_station_hook_requests.pl"
</Handler>
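Added example, not part of the original post or of Radiator: a small encoder/decoder for the RFC 2868 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes, so that the raw attribute bytes of the Access-Accept that actually reaches the switch (e.g. from a packet capture) can be checked for the VLAN the debug log claims was added. The attribute numbers and the VLAN/802 values are the IANA registry values; the sample reply bytes are constructed.

```python
# Added example (not Radiator's code): encode/decode the RFC 2868 Tunnel-*
# attributes used for 802.1X dynamic VLAN assignment, so a captured
# Access-Accept can be checked for the VLAN a switch is expected to apply.
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6   # IANA values for "VLAN" and "802"

def _tlv(attr_type, payload):
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload

def encode_vlan_attrs(group_id, tag=0):
    """Build the three tagged attributes for one VLAN (tag 0 = untagged)."""
    if not 0 <= tag <= 31:
        raise ValueError("RFC 2868 tags are 0x00..0x1F")
    ttype = struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]       # 3-byte integer
    tmed = struct.pack("!I", TUNNEL_MEDIUM_802)[1:]
    return (_tlv(TUNNEL_TYPE, bytes([tag]) + ttype)
            + _tlv(TUNNEL_MEDIUM_TYPE, bytes([tag]) + tmed)
            + _tlv(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + group_id.encode()))

def decode_attrs(data):
    """Yield (type, payload) for each RADIUS attribute, rejecting bad lengths."""
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, l = data[off], data[off + 1]
        if l < 2 or off + l > len(data):
            raise ValueError("bad attribute length")
        yield t, data[off + 2:off + l]
        off += l

def vlan_from_accept(attrs):
    """Return {tag: group_id}, only for tags whose type/medium say VLAN/802."""
    by_tag = {}
    for t, v in decode_attrs(attrs):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(v) == 4:
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:], "big")
        elif t == TUNNEL_PRIVATE_GROUP_ID and v:
            # leading byte is a tag only if it is 0x00..0x1F; otherwise it's data
            tag, gid = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})["gid"] = gid.decode("utf-8", "replace")
    return {tag: d["gid"] for tag, d in by_tag.items()
            if d.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
            and d.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802 and "gid" in d}
```

A Group-ID that arrives without a matching Tunnel-Type=VLAN and Tunnel-Medium-Type=802 is reported as no VLAN at all, which is what a switch will also do with it.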