[RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
Roberto Pantoja
rpantoja at lageo.com.sv
Wed Mar 26 12:40:38 CDT 2014
I have a problem trying to assign dynamic VLANs to users on a
WPA2-Enterprise configuration. Users authenticate successfully, and
if I don't send the RADIUS attribute "Tunnel-Private-Group-ID", the
Wireless Controller connects me to the default VLAN for the SSID; but
when I send "Tunnel-Private-Group-ID", the Wireless Controller simply
drops my connection. The Wireless Controller documentation says the
required attributes in the Access-Accept reply are "Tunnel-Type=VLAN,
Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<Name of VLAN>".
Everything works fine using Ignition Server (Avaya's RADIUS server). But
the product's documentation says the WC8180 complies with RFC standards and
mentions that it is "compatible and validated" with FreeRADIUS and Microsoft
IAS, so I think my case is a configuration issue.
Regards.
Radiator Version: 4.12.1
Wireless Controller: AVAYA WC8180
Wireless Access Points: AVAYA AP8120
Config file:
*** Config File ***
# radius.cfg
Foreground
LogStdout
LogDir /var/log/radius
LogFile %L/logfile.%Y.%m.%d
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
AuthPort 1812
AcctPort 1813
<Client 10.0.30.254>
Secret verysecret
PacketTrace
Identifier Avaya WC8180
</Client>
<Handler TunnelledByPEAP=1>
<AuthBy FILE>
Filename %D/users
EAPType MSCHAP-V2
</AuthBy>
</Handler>
<Handler>
<AuthBy FILE>
Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/cacert.pem
# EAPTLS_CAPath
EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
EAPTLS_PrivateKeyPassword verysecret
# EAPTLS_RandomFile %D/certificates/random
EAPTLS_MaxFragmentSize 1024
# EAPTLS_DHFile %D/certificates/cert/dh
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
AutoMPPEKeys
#EAPTLS_SessionResumption 0
#EAPTLS_SessionResumptionLimit 10
####EAPAnonymous anonymous at localhost
EAPTLS_PEAPVersion 0
EAPTTLS_NoAckRequired
</AuthBy>
</Handler>
*** EOF Config File ***
Users file:
mikem:  user without VLAN (default VLAN - Quarantine - no IP address)
mikem1: user with VLAN Empleados (IP address range 10.0.21.0/24)
mikem2: user with VLAN ATI (IP address range 10.0.19.0/24)
*** Users file ***
# users
# This is an example of how to set up simple user for
# AuthBy FILE.
# The example user mikem has a password of fred, and will
# receive reply attributes suitable for most NASs.
# You can do many more interesting things. See the Radiator reference
# manual for more details
#
# You can test this user with the command
# perl radpwtst
mikem User-Password=fred
Service-Type = Framed-User,
Tunnel-Medium-Type = 802,
Tunnel-Type = VLAN
mikem1 User-Password=fred
Service-Type = Framed-User,
Tunnel-Private-Group-ID = Empleados,
Tunnel-Medium-Type = 802,
Tunnel-Type = VLAN
mikem2 User-Password=fred
Service-Type = Framed-User,
Tunnel-Private-Group-ID = ATI,
Tunnel-Medium-Type = 802,
Tunnel-Type = VLAN
*** EOF users file ***
--
---------------------------------------
Roberto Carlos Pantoja Valdizón
Analista de Sistemas
ATI/GDEI/LaGeo
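The three reply attributes the controller documentation asks for are the RFC 2868 tunnel attributes, and RFC 2868 gives each of them a leading tag octet that groups them into one tunnel. The example below is added here and is not from the post above or from the Radiator code base: it encodes Tunnel-Type=VLAN (13, RFC 3580), Tunnel-Medium-Type=802 (6) and Tunnel-Private-Group-ID exactly as they travel on the wire, then decodes them the way an RFC 2868 NAS does, including the rule that a first octet greater than 0x1F on Tunnel-Private-Group-ID is part of the string rather than a tag. The `assigned_vlan()` check at the end reports which VLAN name a NAS would apply, or `None` when the three attributes do not line up under one tag (or when the group ID is missing, as for the `mikem` entry). The attribute numbers and values are the IANA/RFC ones; how a given server emits the untagged `users` entries above is not assumed here, which is why both the untagged and the tagged forms are built and compared against the octets seen in a PacketTrace.

```python
"""RFC 2868 tunnel attributes in a RADIUS Access-Accept: encode and decode.

Added example, not part of the original post or of Radiator. Attribute
numbers and enumerated values are from RFC 2868 / RFC 3580 (IANA registry).
"""
import struct

TUNNEL_TYPE = 64                # RFC 2868 section 3.1
TUNNEL_MEDIUM_TYPE = 65         # RFC 2868 section 3.2
TUNNEL_PRIVATE_GROUP_ID = 81    # RFC 2868 section 3.6

TUNNEL_TYPE_VLAN = 13           # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6      # RFC 2868: Tunnel-Medium-Type = 802


def encode_tunnel_int(attr_type, value, tag=0):
    """Integer tunnel attribute: Type, Length=6, Tag (1 octet), Value (3 octets)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F (0 = untagged)")
    if not 0 <= value < (1 << 24):
        raise ValueError("value must fit in 24 bits")
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def encode_tunnel_string(attr_type, text, tag=None):
    """String tunnel attribute: Type, Length, [Tag], String.

    RFC 2868 says a first octet > 0x1F is the start of the string, so tag=None
    emits no tag octet at all (the untagged form); tag=0..0x1F emits one.
    """
    if tag is not None and not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00..0x1F")
    body = (bytes([tag]) if tag is not None else b"") + text.encode("ascii")
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for one RADIUS attribute")
    return bytes([attr_type, 2 + len(body)]) + body


def build_vlan_reply(vlan_name, tag=None):
    """Attribute octets for Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
    Tunnel-Private-Group-ID=<vlan_name>, all under the same tag (None = untagged)."""
    int_tag = 0 if tag is None else tag
    return (encode_tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, int_tag)
            + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, int_tag)
            + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, vlan_name, tag))


def parse_attributes(data):
    """Split a RADIUS attribute blob into (type, value) pairs; reject bad lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def decode_tunnel_reply(data):
    """Group the tunnel attributes by tag the way an RFC 2868 NAS does.
    Returns {tag: {"type": int, "medium": int, "group": str}} (keys as present)."""
    result = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4 or value[0] > 0x1F:
                raise ValueError("malformed integer tunnel attribute")
            key = "type" if attr_type == TUNNEL_TYPE else "medium"
            result.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if not value:
                raise ValueError("empty Tunnel-Private-Group-ID")
            # RFC 2868 section 3.6: first octet > 0x1F means "no tag present".
            tag, group = (0, value) if value[0] > 0x1F else (value[0], value[1:])
            result.setdefault(tag, {})["group"] = group.decode("ascii")
    return result


def assigned_vlan(data):
    """VLAN name a NAS would apply, or None if no single tag carries
    Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a Tunnel-Private-Group-ID."""
    for parts in decode_tunnel_reply(data).values():
        if (parts.get("type") == TUNNEL_TYPE_VLAN
                and parts.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in parts):
            return parts["group"]
    return None


if __name__ == "__main__":
    # Constructed inputs mirroring the users file above.
    print(build_vlan_reply("Empleados").hex())            # untagged, all three present
    print(assigned_vlan(build_vlan_reply("ATI", tag=1)))  # tagged consistently -> ATI
    # Tagged integers but an untagged group ID do not line up -> None
    mixed = (encode_tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, 1)
             + encode_tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, 1)
             + encode_tunnel_string(TUNNEL_PRIVATE_GROUP_ID, "ATI"))
    print(assigned_vlan(mixed))
```

With `PacketTrace` on the Client clause, the hex of the reply attributes can be compared against `build_vlan_reply()` for both forms; an Access-Accept in which the controller finds the VLAN name under a different tag than Tunnel-Type and Tunnel-Medium-Type is the kind of mismatch `assigned_vlan()` flags as `None`.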