[RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)
Roberto Pantoja
rpantoja at lageo.com.sv
Wed Mar 26 13:16:15 CDT 2014
Thank you for your promptly answer, but I have the same effect if I put
the VLAN name or numeric ID. Do you have any other idea that can help me
to resolve this problem.
Best regards.
On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
> On 2014-03-26 18:40, Roberto Pantoja wrote:
>> I have a problem trying to assign dynamic VLANs to users on a
>> WPA2-Enterprise configuration. Users have successful authentication
>> and if I don't send the Radius Attribute "Tunnel-Private-Group-ID"
>> The Wireless Controller connects me to the default VLan for the SSID,
>> but when I send "Tunnel-Private-Group-ID", the Wireless Controller
>> simply drops out my connection. The Wireless controller documentation
>> says the required attributes in the Access-Accept Reply are
>> "Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
>> Tunnel-Private-Group-ID=<Name of VLAN>". Everything works fine using
>> Ignition Server (Avaya's Radius Server). But on product's
>> documentation says WC8180 comply with RFC Standards and mentions to
>> be "compatible and validated" with freeradius and Microsoft IAS, so I
>> think my case is a configuration issue.
>>
>> Regards.
>>
>> Radiator Version: 4.12.1
>> Wireless Controller: AVAYA WC8180
>> Wireless Access Points: AVAYA AP8120
>>
>> Config file:
>> *** Config File ***
>> # radius.cfg
>>
>> Foreground
>> LogStdout
>> LogDir /var/log/radius
>> LogFile %L/logfile.%Y.%m.%d
>> DbDir /etc/radiator
>> # User a lower trace level in production systems:
>> Trace 4
>> AuthPort 1812
>> AcctPort 1813
>>
>> <Client 10.0.30.254>
>> Secret verysecret
>> PacketTrace
>> Identifier Avaya WC8180
>> </Client>
>>
>> <Handler TunnelledByPEAP=1>
>> <AuthBy FILE>
>> Filename %D/users
>> EAPType MSCHAP-V2
>> </AuthBy>
>> </Handler>
>>
>> <Handler>
>> <AuthBy FILE>
>> Filename %D/users
>> EAPType PEAP
>> EAPTLS_CAFile %D/certificates/cacert.pem
>> # EAPTLS_CAPath
>> EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>> EAPTLS_CertificateType PEM
>> EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>> EAPTLS_PrivateKeyPassword verysecret
>> # EAPTLS_RandomFile %D/certificates/random
>> EAPTLS_MaxFragmentSize 1024
>> # EAPTLS_DHFile %D/certificates/cert/dh
>> #EAPTLS_CRLCheck
>> #EAPTLS_CRLFile %D/certificates/crl.pem
>> #EAPTLS_CRLFile %D/certificates/revocations.pem
>> AutoMPPEKeys
>> #EAPTLS_SessionResumption 0
>> #EAPTLS_SessionResumptionLimit 10
>> ####EAPAnonymous anonymous at localhost
>> EAPTLS_PEAPVersion 0
>> EAPTTLS_NoAckRequired
>> </AuthBy>
>> </Handler>
>> *** EOF Config File ***
>>
>>
>> Users file:
>> mikem user without VLAN default VLAN - Quarantine - no IP address
>> mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
>> mikem2 user with VLAN ATI - IP address range 10.0.19.0/24
>> *** Users file ***
>> # users
>> # This is an example of how to set up simple user for
>> # AuthBy FILE.
>> # The example user mikem has a password of fred, and will
>> # receive reply attributes suitable for most NASs.
>> # You can do many more interesting things. See the Radiator reference
>> # manual for more details
>> #
>> # You can test this user with the command
>> # perl radpwtst
>>
>> mikem User-Password=fred
>> Service-Type = Framed-User,
>> Tunnel-Medium-Type = 802,
>> Tunnel-Type = VLAN
>>
>> mikem1 User-Password=fred
>> Service-Type = Framed-User,
>> Tunnel-Private-Group-ID = Empleados,
>> Tunnel-Medium-Type = 802,
>> Tunnel-Type = VLAN
>>
>> mikem2 User-Password=fred
>> Service-Type = Framed-User,
>> Tunnel-Private-Group-ID = ATI,
>> Tunnel-Medium-Type = 802,
>> Tunnel-Type = VLAN
>>
>> *** EOF users file ***
>
> We're doing that with Cisco WLCs without problems but in our case by
> sending the VLAN ID, not its name like for wired dot1x where Cisco IOS
> switches want the VLAN name:
>
> AddToReply Tunnel-Type=VLAN,\
> Tunnel-Medium-Type=802, \
> Tunnel-Private-Group-ID=123
>
>> --
>> ---------------------------------------
>> Roberto Carlos Pantoja Valdizón
>> Analista de Sistemas
>> ATI/GDEI/LaGeo
>>
>>
>> This message has been scanned for malware by Websense.
>> www.websense.com <http://www.websense.com/>
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
>
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may
> be privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>
>
> Click here
> <https://www.mailcontrol.com/sr/X7j9AwsBAS3GX2PQPOmvUmkxeMeR4%21FmwYL%21b%21gsSiAI7lo7et4NX6Fo9FCU0sXr2U9s6bVQO2bgE3KctAewCA==>
> to report this email as spam.
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
---------------------------------------
Roberto Carlos Pantoja Valdizón
Analista de Sistemas
ATI/GDEI/LaGeo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.open.com.au/pipermail/radiator/attachments/20140326/5a9ba445/attachment-0001.html
More information about the radiator
mailing list