[RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

Roberto Pantoja rpantoja at lageo.com.sv
Wed Mar 26 13:16:15 CDT 2014


Thank you for your prompt answer, but I get the same effect whether I put
the VLAN name or the numeric ID. Do you have any other idea that can help me
resolve this problem?

Best regards.

On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
> On 2014-03-26 18:40, Roberto Pantoja wrote:
>> I have a problem trying to assign dynamic VLANs to users on a 
>> WPA2-Enterprise configuration. Users authenticate successfully,
>> and if I don't send the RADIUS attribute "Tunnel-Private-Group-ID"
>> the wireless controller connects me to the default VLAN for the SSID,
>> but when I send "Tunnel-Private-Group-ID", the wireless controller
>> simply drops my connection. The wireless controller documentation
>> says the required attributes in the Access-Accept reply are
>> "Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
>> Tunnel-Private-Group-ID=<Name of VLAN>".  Everything works fine using
>> Ignition Server (Avaya's RADIUS server). But the product's
>> documentation says the WC8180 complies with the RFC standards and mentions that it
>> is "compatible and validated" with FreeRADIUS and Microsoft IAS, so I
>> think my case is a configuration issue.
>>
>> Regards.
>>
>> Radiator Version: 4.12.1
>> Wireless Controller: AVAYA WC8180
>> Wireless Access Points: AVAYA AP8120
>>
>> Config file:
>> *** Config File ***
>> # radius.cfg
>>
>> Foreground
>> LogStdout
>> LogDir          /var/log/radius
>> LogFile         %L/logfile.%Y.%m.%d
>> DbDir           /etc/radiator
>> # Use a lower trace level in production systems:
>> Trace           4
>> AuthPort 1812
>> AcctPort 1813
>>
>> <Client 10.0.30.254>
>>         Secret verysecret
>>         PacketTrace
>>         Identifier Avaya WC8180
>> </Client>
>>
>> <Handler TunnelledByPEAP=1>
>>         <AuthBy FILE>
>>                 Filename %D/users
>>                 EAPType MSCHAP-V2
>>         </AuthBy>
>> </Handler>
>>
>> <Handler>
>>         <AuthBy FILE>
>>                 Filename %D/users
>>                 EAPType PEAP
>>                 EAPTLS_CAFile %D/certificates/cacert.pem
>> #               EAPTLS_CAPath
>>                 EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>>                 EAPTLS_CertificateType PEM
>>                 EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>>                 EAPTLS_PrivateKeyPassword verysecret
>> #               EAPTLS_RandomFile %D/certificates/random
>>                 EAPTLS_MaxFragmentSize 1024
>> #               EAPTLS_DHFile %D/certificates/cert/dh
>>                 #EAPTLS_CRLCheck
>>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>>                 AutoMPPEKeys
>>                 #EAPTLS_SessionResumption 0
>>                 #EAPTLS_SessionResumptionLimit 10
>>                 ####EAPAnonymous anonymous at localhost
>>                 EAPTLS_PEAPVersion 0
>>                 EAPTTLS_NoAckRequired
>>         </AuthBy>
>> </Handler>
>> *** EOF Config File ***
>>
>>
>> Users file:
>> mikem user without VLAN default VLAN - Quarantine - no IP address
>> mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
>> mikem2 user with VLAN ATI - IP address range 10.0.19.0/24
>> *** Users file ***
>> # users
>> # This is an example of how to set up simple user for
>> # AuthBy FILE.
>> # The example user mikem has a password of fred, and will
>> # receive reply attributes suitable for most NASs.
>> # You can do many more interesting things. See the Radiator reference
>> # manual for more details
>> #
>> # You can test this user with the command
>> #  perl radpwtst
>>
>> mikem   User-Password=fred
>>         Service-Type = Framed-User,
>>         Tunnel-Medium-Type = 802,
>>         Tunnel-Type = VLAN
>>
>> mikem1  User-Password=fred
>>         Service-Type = Framed-User,
>>         Tunnel-Private-Group-ID = Empleados,
>>         Tunnel-Medium-Type = 802,
>>         Tunnel-Type = VLAN
>>
>> mikem2  User-Password=fred
>>         Service-Type = Framed-User,
>>         Tunnel-Private-Group-ID = ATI,
>>         Tunnel-Medium-Type = 802,
>>         Tunnel-Type = VLAN
>>
>> *** EOF users file ***
>
> We're doing that with Cisco WLCs without problems, but in our case by
> sending the VLAN ID, not its name, unlike wired dot1x, where Cisco IOS
> switches want the VLAN name:
>
> AddToReply Tunnel-Type=VLAN,\
>                Tunnel-Medium-Type=802, \
>                Tunnel-Private-Group-ID=123
>
>> -- 
>> ---------------------------------------
>> Roberto Carlos Pantoja Valdizón
>> Analista de Sistemas
>> ATI/GDEI/LaGeo
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>


-- 
---------------------------------------
Roberto Carlos Pantoja Valdizón
Analista de Sistemas
ATI/GDEI/LaGeo
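The thread turns on what the Access-Accept actually carries on the wire: the users-file entries and the AddToReply line above both end up as the three tagged tunnel attributes from RFC 2868 / RFC 3580 (Tunnel-Type 64 = VLAN 13, Tunnel-Medium-Type 65 = IEEE-802 6, Tunnel-Private-Group-ID 81 as a string, name or number). The following encoder/decoder is an added example written for this editorial pass; it is not from the thread, from Radiator, or from Avaya, and it only assumes the attribute numbers and values defined in those RFCs. It shows the byte layout a controller expects, accepts a group ID with or without the leading tag byte (RFC 2868 says a first byte above 0x1F is part of the string), and returns no assignment when Tunnel-Private-Group-ID is absent, which is the "default VLAN" case of the first user.

```python
"""Encode and decode the RFC 2868/3580 tunnel attributes used for dynamic VLAN
assignment in a RADIUS Access-Accept.  Added example; constants from the RFCs."""

TUNNEL_TYPE = 64               # RFC 2868 section 3.1 (tagged integer)
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 section 3.2 (tagged integer)
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 section 3.6 (tagged string)
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6     # "802" in the Radiator users file


def encode_vlan_attrs(group_id: str, tag: int = 0) -> bytes:
    """Build the three attributes for one VLAN assignment.

    Tagged integers are: type, length, 1-byte tag, 3-byte big-endian value.
    The group ID is: type, length, 1-byte tag, string (name or numeric ID).
    Tag 0 means "no tunnel grouping"; tags 1..31 group alternatives."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")

    def tagged_int(attr: int, value: int) -> bytes:
        body = bytes([tag]) + value.to_bytes(3, "big")
        return bytes([attr, 2 + len(body)]) + body

    gid_body = bytes([tag]) + group_id.encode("utf-8")
    if len(gid_body) > 253:
        raise ValueError("group id too long for one attribute")
    return (tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + bytes([TUNNEL_PRIVATE_GROUP_ID, 2 + len(gid_body)]) + gid_body)


def decode_attrs(data: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def vlan_assignment(data: bytes):
    """Return (tag, group_id) for the first tag whose Tunnel-Type is VLAN,
    Tunnel-Medium-Type is IEEE-802 and a Tunnel-Private-Group-ID is present;
    return None when the reply carries no complete assignment (default VLAN)."""
    by_tag = {}
    for atype, value in decode_attrs(data):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4 or value[0] > 0x1F:
                raise ValueError(f"malformed tagged integer in attribute {atype}")
            by_tag.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first byte > 0x1F is the start of the string, not a tag.
            if value and value[0] <= 0x1F:
                tag, gid = value[0], value[1:]
            else:
                tag, gid = 0, value
            by_tag.setdefault(tag, {})[atype] = gid.decode("utf-8", "replace")
    for tag, fields in sorted(by_tag.items()):
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and TUNNEL_PRIVATE_GROUP_ID in fields):
            return tag, fields[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    # Constructed sample: the "mikem1" user from the thread, VLAN name "Empleados".
    wire = encode_vlan_attrs("Empleados")
    print(wire.hex())
    print(vlan_assignment(wire))
```

Comparing the hex dump of this encoder against a packet capture of the Radiator reply (Trace 4 with PacketTrace, as in the posted config, logs the attributes it sends) is the quickest way to confirm whether the controller is receiving the name, the numeric ID, and the tag byte it documents.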
