(RADIATOR) last hurdle to assigning vlan ids for dot1x authentication

Hugh Irvine hugh at open.com.au
Fri Jun 23 20:42:14 CDT 2006


Hello Alex -

I really need to see a bit more of the trace 4 debug showing what happens with the access accept that goes back to the NAS.

Can you also tell me what hardware/software platform you are running on and what versions of Perl and Radiator?

regards

Hugh


On 24 Jun 2006, at 01:54, Alex Sharaz wrote:

> Hopefully this'll be the last message on this topic.
> I've got everything worked out except for the fact that the
> Tunnel-Private-Group-Id that I've defined isn't being passed back
> as far as the RAS client.
>
> A user auths using eap-peap/eap-mschapv2 via the Handler shown
> below. [1]
>
> Eventually you get to an AuthBy RADIUS statement that proxies off an
> auth request to another radius server. [2]
>
> A ReplyHook [3] has a look at the nas-ip address and decides what
> parameters to add to the reply packet to pass back to the client.
>
> In this case it's
>
>        Tunnel-Medium-Type=802,\
>        Tunnel-Private-Group-ID=CC_Clients,\
>        Tunnel-Type=VLAN
>
>
> Looking at the Access-Accept packet that comes out of the AuthBy
> Radius you see
>
> However, this doesn't seem to get as far as the remote client.
>
> If I add
> #   AddToReply Tunnel-Medium-Type=802,\
> #        Tunnel-Private-Group-ID=CC_Clients,\
> #        Tunnel-Type=VLAN
>
> To the top level handler [1], then everything works fine. However, the
> idea is to use a set of database queries to sort out what vlan
> attribute to pass back, as we're going to want to decide that based
> upon whether it's wired or wireless local users, JRS users, or guests
> getting routed to a commercial ISP and bypassing our JANET connection.
>
>
> Help
> Alex
>
>
> *** Received from 150.237.47.196 port 1812 ....
> Code:       Access-Accept
> Identifier: 10
> Authentic:  <155><230><141><133><165><234><213>@<191><31>yVEq<11>r
> Attributes:
>         MS-CHAP2-Success =
> "<1>S=4B2A3C087CE458594200A3C2D5258030B3ABF45F"
>
> Fri Jun 23 16:38:54 2006: DEBUG: Received reply in AuthRADIUS for req 10 from 150.237.47.196:1812
> Fri Jun 23 16:38:54 2006: DEBUG: Calling get_wired_vlans_replyhook.pl
>
> Fri Jun 23 16:38:54 2006: DEBUG: Calling-Station=00-0E-35-E3-B5-5D
> Fri Jun 23 16:38:54 2006: DEBUG: Nas-Ip=150.237.47.40
> Fri Jun 23 16:38:54 2006: DEBUG: User-Name=ccsas
> Fri Jun 23 16:38:54 2006: DEBUG: Adding 802.1x vlan information
>
> Fri Jun 23 16:38:54 2006: DEBUG: Adding 802.1x vlan information for CC Wireless
>
> Fri Jun 23 16:38:54 2006: DEBUG: vlanid=CC_Clients
>
> Fri Jun 23 16:38:54 2006: DEBUG: Exiting get_wired_vlans.replyhookpl
>
> Fri Jun 23 16:38:54 2006: DEBUG: Access accepted for ccsas
> Fri Jun 23 16:38:54 2006: DEBUG: Converted EAP-MSCHAPV2 response Packet dump:
> Code:       Access-Accept
> Identifier: UNDEF
> Authentic:  <251>^<27><131>,<183>8YFg2<17><187><30>uK
> Attributes:
>         MS-CHAP2-Success =
> "<1>S=4B2A3C087CE458594200A3C2D5258030B3ABF45F"
>         Tunnel-Private-Group-ID = CC_Clients
>         Tunnel-Type = VLAN
>         Tunnel-Medium-Type = 802
>
> #####################################
> [1]
> <Handler Client-Identifier=/Trpz-*/i, Realm=/hull\.ac\.uk/i>
>    AuthBy eapAuth
>    AuthLog  paplog
>    RejectHasReason
>    SessionDatabase NULL_SESSION_DB
>    PreProcessingHook file:"/etc/radiator/access_request.pl"
> #   AddToReply Tunnel-Medium-Type=802,\
> #        Tunnel-Private-Group-ID=CC_Clients,\
> #        Tunnel-Type=VLAN
> </Handler>
> #####################################
> <Handler>
> Identifier eapAuth
> ........
> </Handler>
> ####################################
> <Handler TunnelledByPEAP=1>
>     Identifier peap-mschapv2
>     <AuthBy FILE>
>     EAPType MSCHAP-V2
>     EAP_PEAP_MSCHAP_Convert 1
>     </AuthBy>
> </Handler>
>
> ####################################
> <Handler ConvertedFromEAPMSCHAPV2=1>
>         # Proxy to a non-EAP capable server
>         Identifier eap-mschapv2
> #
> # We need to auth only to the userid and not userid at realm
> #
> [2]
>         <AuthBy RADIUS>
>                 RewriteUsername s/^([^@]+).*/$1/
>                 Host <ip address>
>                 Secret <secret>
>                 AuthPort 1812
>                 AcctPort 1813
>                 LocalAddress %{GlobalVar:myIp}
>                 StripFromRequest ConvertedFromEAPMSCHAPV2
> [3]                ReplyHook file:"%D/gen_wired_vlans_replyhook.pl"
>         </AuthBy>
>     AuthLog eaplog
>     PostAuthHook file:"/etc/radiator/calling_station_hook_requests.pl"
> </Handler>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
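Alex describes the reply hook in [3] only in prose, so here is an added example of what such an AuthBy RADIUS ReplyHook could look like in Perl; it is not the hook from the original post or Radiator's own code. It assumes the argument order given for AuthBy RADIUS ReplyHook in doc/ref.html (reply from the remote server, reply being built for the NAS, original request, forwarded request), which should be checked against the Radiator version in use, and the NAS-to-VLAN table is a constructed stand-in for the database queries the post mentions.

```perl
# Added example (not from the original post or Radiator itself).
# ASSUMPTION: AuthBy RADIUS ReplyHook arguments are, in order, the reply
# received from the remote server, the reply being built for the NAS, the
# original request from the NAS and the request forwarded upstream; check
# this against doc/ref.html for your Radiator version.
sub {
    my ($rp, $outp, $p, $fp) = @_;

    # Constructed NAS-IP -> VLAN policy table. The original setup derives
    # this from database queries; the single entry here is a placeholder.
    my %vlan_for_nas = (
        '150.237.47.40' => 'CC_Clients',
    );

    my $nas_ip  = $p->get_attr('NAS-IP-Address')     || '';
    my $user    = $p->get_attr('User-Name')          || '';
    my $calling = $p->get_attr('Calling-Station-Id') || '';
    &main::log($main::LOG_DEBUG,
        "vlan reply hook: User-Name=$user Nas-Ip=$nas_ip Calling-Station=$calling");

    # Only decorate an Access-Accept; an Access-Reject must never carry a VLAN.
    return unless $rp->code eq 'Access-Accept';

    my $vlan = $vlan_for_nas{$nas_ip};
    unless (defined $vlan) {
        &main::log($main::LOG_WARNING,
            "no VLAN policy for NAS $nas_ip; leaving reply without tunnel attributes");
        return;
    }

    # Local policy wins: strip any tunnel attributes the upstream server
    # sent, so a remote server cannot steer the port onto a VLAN of its choosing.
    $outp->delete_attr($_)
        for qw(Tunnel-Type Tunnel-Medium-Type Tunnel-Private-Group-ID);

    $outp->add_attr('Tunnel-Type',             'VLAN');
    $outp->add_attr('Tunnel-Medium-Type',      '802');
    $outp->add_attr('Tunnel-Private-Group-ID', $vlan);
    &main::log($main::LOG_DEBUG, "vlanid=$vlan");
}
```

Save it as a file and load it from the AuthBy RADIUS clause with ReplyHook file:"%D/gen_wired_vlans_replyhook.pl", as in [3] above; the trace 4 lines it logs make it easy to see whether the attributes were added to the proxied reply before the PEAP conversion step.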


--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au