[RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

Hartmaier Alexander alexander.hartmaier at t-systems.at
Wed Mar 26 12:37:00 CDT 2014


On 2014-03-26 18:40, Roberto Pantoja wrote:
I have a problem trying to assign dynamic VLANs to users on a WPA2-Enterprise configuration. Users authenticate successfully, and if I don't send the RADIUS attribute "Tunnel-Private-Group-ID" the Wireless Controller connects me to the default VLAN for the SSID, but when I send "Tunnel-Private-Group-ID" the Wireless Controller simply drops my connection. The Wireless Controller documentation says the required attributes in the Access-Accept reply are "Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=<Name of VLAN>". Everything works fine using Ignition Server (Avaya's RADIUS server). But the product's documentation says the WC8180 complies with RFC standards and mentions that it is "compatible and validated" with FreeRADIUS and Microsoft IAS, so I think my case is a configuration issue.

Regards.

Radiator Version: 4.12.1
Wireless Controller: AVAYA WC8180
Wireless Access Points: AVAYA AP8120

Config file:
*** Config File ***
# radius.cfg

Foreground
LogStdout
LogDir          /var/log/radius
LogFile         %L/logfile.%Y.%m.%d
DbDir           /etc/radiator
# Use a lower trace level in production systems:
Trace           4
AuthPort 1812
AcctPort 1813

<Client 10.0.30.254>
        Secret verysecret
        PacketTrace
        Identifier Avaya WC8180
</Client>

<Handler TunnelledByPEAP=1>
        <AuthBy FILE>
                Filename %D/users
                EAPType MSCHAP-V2
        </AuthBy>
</Handler>

<Handler>
        <AuthBy FILE>
                Filename %D/users
                EAPType PEAP
                EAPTLS_CAFile %D/certificates/cacert.pem
#               EAPTLS_CAPath
                EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
                EAPTLS_PrivateKeyPassword verysecret
#               EAPTLS_RandomFile %D/certificates/random
                EAPTLS_MaxFragmentSize 1024
#               EAPTLS_DHFile %D/certificates/cert/dh
                #EAPTLS_CRLCheck
                #EAPTLS_CRLFile %D/certificates/crl.pem
                #EAPTLS_CRLFile %D/certificates/revocations.pem
                AutoMPPEKeys
                #EAPTLS_SessionResumption 0
                #EAPTLS_SessionResumptionLimit 10
                ####EAPAnonymous anonymous at localhost
                EAPTLS_PEAPVersion 0
                EAPTTLS_NoAckRequired
        </AuthBy>
</Handler>
*** EOF Config File ***


Users file:
mikem  - user without VLAN (default VLAN: Quarantine, no IP address)
mikem1 - user with VLAN Empleados (IP address range 10.0.21.0/24)
mikem2 - user with VLAN ATI (IP address range 10.0.19.0/24)
*** Users file ***
# users
# This is an example of how to set up simple user for
# AuthBy FILE.
# The example user mikem has a password of fred, and will
# receive reply attributes suitable for most NASs.
# You can do many more interesting things. See the Radiator reference
# manual for more details
#
# You can test this user with the command
#  perl radpwtst

mikem   User-Password=fred
        Service-Type = Framed-User,
        Tunnel-Medium-Type = 802,
        Tunnel-Type = VLAN

mikem1  User-Password=fred
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID = Empleados,
        Tunnel-Medium-Type = 802,
        Tunnel-Type = VLAN

mikem2  User-Password=fred
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID = ATI,
        Tunnel-Medium-Type = 802,
        Tunnel-Type = VLAN

*** EOF users file ***

We're doing that with Cisco WLCs without problems, but in our case by sending the VLAN ID, not its name as for wired dot1x, where Cisco IOS switches want the VLAN name:

AddToReply Tunnel-Type=VLAN,\
               Tunnel-Medium-Type=802, \
               Tunnel-Private-Group-ID=123


--
---------------------------------------
Roberto Carlos Pantoja Valdizón
Analista de Sistemas
ATI/GDEI/LaGeo
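The thread turns on what the three tunnel attributes look like on the wire, since that is all the controller sees. The following is an added example, not code from the thread or from Radiator: it encodes Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and Tunnel-Private-Group-ID=<name> exactly as RFC 2868 lays them out (a tag octet followed by a 3-octet integer or a string), and parses them back, so the bytes a server actually emits (for example in a packet capture taken while Radiator runs with PacketTrace) can be compared against what a controller's documentation asks for. The VLAN names and the attribute byte strings are constructed sample data; RFC 2868 permits the group ID both with an explicit tag octet (0x00 meaning "untagged") and as a bare string whose first character is above 0x1F, and the decoder distinguishes the two.

```python
"""Encode and decode the RFC 2868 tunnel attributes used for dynamic VLAN assignment.

Added example, not part of the mailing-list thread or of Radiator. Builds the
reply attribute bytes for Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and
Tunnel-Private-Group-ID=<name>, and parses them back for comparison with a
packet capture of the real server reply.
"""
import struct

# RFC 2868 attribute types and the values a dynamic-VLAN reply uses
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 2868: Tunnel-Medium-Type value "802" / "IEEE-802"

NAMES = {TUNNEL_TYPE: "Tunnel-Type",
         TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
         TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-ID"}


def _tlv(attr_type, value):
    """Wrap a value in the RADIUS Type/Length/Value header; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def encode_tagged_int(attr_type, value, tag=0):
    """Tag octet + 3-octet big-endian integer (RFC 2868 sections 3.1 and 3.2)."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if not 0 <= value < 1 << 24:
        raise ValueError("value must fit in 24 bits")
    return _tlv(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def encode_tagged_string(attr_type, text, tag=0, omit_tag=False):
    """Tag octet + string (RFC 2868 section 3.6).

    tag=0 sends an explicit 'untagged' octet; omit_tag=True sends the bare
    string, which the RFC also allows when its first character is above 0x1F.
    """
    data = text.encode("ascii")
    if omit_tag:
        if not data or data[0] <= 0x1F:
            raise ValueError("bare string would be misread as a tag octet")
        return _tlv(attr_type, data)
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return _tlv(attr_type, bytes([tag]) + data)


def vlan_reply(group_id, tag=0, omit_tag=False):
    """The three reply attributes for one VLAN, as they would sit in an Access-Accept."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, group_id, tag, omit_tag))


def decode_tunnel_attrs(payload):
    """Parse a RADIUS attribute section into (name, tag, value) tuples.

    Other attribute types are skipped. For Tunnel-Private-Group-ID a first
    octet above 0x1F belongs to the string, so tag is reported as None.
    """
    out = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("bad attribute length %d at offset %d" % (length, pos))
        value = payload[pos + 2:pos + length]
        pos += length
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError("%s must be 4 octets" % NAMES[attr_type])
            out.append((NAMES[attr_type], value[0], int.from_bytes(value[1:], "big")))
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                out.append((NAMES[attr_type], value[0], value[1:].decode("ascii", "replace")))
            else:
                out.append((NAMES[attr_type], None, value.decode("ascii", "replace")))
    return out


if __name__ == "__main__":
    # Constructed sample: the VLAN name from the thread, untagged (tag octet 0x00).
    reply = vlan_reply("Empleados")
    print(reply.hex())
    for name, tag, value in decode_tunnel_attrs(reply):
        print("%-24s tag=%s value=%r" % (name, tag, value))
```

Running the decoder over the attribute bytes of a captured Access-Accept shows at a glance whether the group ID went out with a tag octet or as a bare string, and whether Tunnel-Type and Tunnel-Medium-Type carry the same tag; those are the details a controller's documentation usually leaves implicit and the first things to compare when a reply that "works" from one server is rejected when sent from another.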








