[RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

Sami Keski-Kasari samikk at open.com.au
Wed Mar 26 13:47:57 CDT 2014


Hello Roberto,

RFC 2868 defines that tunnel attributes include a Tag field before the
value. Some NASes need it to be defined and some do not.

Try for example with

mikem2  User-Password=fred
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID = 0:<vlan-id>,
        Tunnel-Medium-Type = 0:802,
        Tunnel-Type = 0:VLAN

or
mikem2  User-Password=fred
        Service-Type = Framed-User,
        Tunnel-Private-Group-ID = 1:<vlan-id>,
        Tunnel-Medium-Type = 1:802,
        Tunnel-Type = 1:VLAN


Best Regards,
 Sami

On 03/26/2014 08:16 PM, Roberto Pantoja wrote:
> Thank you for your prompt answer, but I have the same effect if I put
> the VLAN name or numeric ID. Do you have any other idea that can help me
> to resolve this problem?
> 
> Best regards.
> 
> On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
>> On 2014-03-26 18:40, Roberto Pantoja wrote:
>>> I have a problem trying to assign dynamic VLANs to users on a
>>> WPA2-Enterprise configuration. Users have successful authentication,
>>> and if I don't send the RADIUS attribute "Tunnel-Private-Group-ID"
>>> the Wireless Controller connects me to the default VLAN for the SSID,
>>> but when I send "Tunnel-Private-Group-ID", the Wireless Controller
>>> simply drops my connection. The Wireless Controller documentation
>>> says the required attributes in the Access-Accept reply are
>>> "Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
>>> Tunnel-Private-Group-ID=<Name of VLAN>".  Everything works fine using
>>> Ignition Server (Avaya's RADIUS server). But the product's
>>> documentation says the WC8180 complies with RFC standards and mentions
>>> that it is "compatible and validated" with FreeRADIUS and Microsoft IAS,
>>> so I think my case is a configuration issue.
>>>
>>> Regards.
>>>
>>> Radiator Version: 4.12.1
>>> Wireless Controller: AVAYA WC8180
>>> Wireless Access Points: AVAYA AP8120
>>>
>>> Config file:
>>> *** Config File ***
>>> # radius.cfg
>>>
>>> Foreground
>>> LogStdout
>>> LogDir          /var/log/radius
>>> LogFile         %L/logfile.%Y.%m.%d
>>> DbDir           /etc/radiator
>>> # Use a lower trace level in production systems:
>>> Trace           4
>>> AuthPort 1812
>>> AcctPort 1813
>>>
>>> <Client 10.0.30.254>
>>>         Secret verysecret
>>>         PacketTrace
>>>         Identifier Avaya WC8180
>>> </Client>
>>>
>>> <Handler TunnelledByPEAP=1>
>>>         <AuthBy FILE>
>>>                 Filename %D/users
>>>                 EAPType MSCHAP-V2
>>>         </AuthBy>
>>> </Handler>
>>>
>>> <Handler>
>>>         <AuthBy FILE>
>>>                 Filename %D/users
>>>                 EAPType PEAP
>>>                 EAPTLS_CAFile %D/certificates/cacert.pem
>>> #               EAPTLS_CAPath
>>>                 EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>>>                 EAPTLS_CertificateType PEM
>>>                 EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>>>                 EAPTLS_PrivateKeyPassword verysecret
>>> #               EAPTLS_RandomFile %D/certificates/random
>>>                 EAPTLS_MaxFragmentSize 1024
>>> #               EAPTLS_DHFile %D/certificates/cert/dh
>>>                 #EAPTLS_CRLCheck
>>>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>>>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>>>                 AutoMPPEKeys
>>>                 #EAPTLS_SessionResumption 0
>>>                 #EAPTLS_SessionResumptionLimit 10
>>>                 ####EAPAnonymous anonymous at localhost
>>>                 EAPTLS_PEAPVersion 0
>>>                 EAPTTLS_NoAckRequired
>>>         </AuthBy>
>>> </Handler>
>>> *** EOF Config File ***
>>>
>>>
>>> Users file:
>>> mikem user without VLAN default VLAN - Quarantine - no IP address
>>> mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
>>> mikem2 user with VLAN ATI - IP address range 10.0.19.0/24
>>> *** Users file ***
>>> # users
>>> # This is an example of how to set up simple user for
>>> # AuthBy FILE.
>>> # The example user mikem has a password of fred, and will
>>> # receive reply attributes suitable for most NASs.
>>> # You can do many more interesting things. See the Radiator reference
>>> # manual for more details
>>> #
>>> # You can test this user with the command
>>> #  perl radpwtst
>>>
>>> mikem   User-Password=fred
>>>         Service-Type = Framed-User,
>>>         Tunnel-Medium-Type = 802,
>>>         Tunnel-Type = VLAN
>>>
>>> mikem1  User-Password=fred
>>>         Service-Type = Framed-User,
>>>         Tunnel-Private-Group-ID = Empleados,
>>>         Tunnel-Medium-Type = 802,
>>>         Tunnel-Type = VLAN
>>>
>>> mikem2  User-Password=fred
>>>         Service-Type = Framed-User,
>>>         Tunnel-Private-Group-ID = ATI,
>>>         Tunnel-Medium-Type = 802,
>>>         Tunnel-Type = VLAN
>>>
>>> *** EOF users file ***
>>
>> We're doing that with Cisco WLCs without problems but in our case by
>> sending the VLAN ID, not its name like for wired dot1x where Cisco IOS
>> switches want the VLAN name:
>>
>> AddToReply Tunnel-Type=VLAN,\
>>                Tunnel-Medium-Type=802, \
>>                Tunnel-Private-Group-ID=123
>>
>>> -- 
>>> ---------------------------------------
>>> Roberto Carlos Pantoja Valdizón
>>> Analista de Sistemas
>>> ATI/GDEI/LaGeo
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
> 
> 


-- 
Sami Keski-Kasari <samikk at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
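The tag question in this thread is an on-wire detail, so here is an added example (written for this page, not code from the thread or from Radiator) that encodes the three RFC 2868 tunnel attributes with and without the tag octet and decodes them the way a NAS parser would. Attribute numbers and enum values are the published ones (Tunnel-Type 64, Tunnel-Medium-Type 65, Tunnel-Private-Group-ID 81 from RFC 2868; VLAN = 13 and IEEE-802 = 6 from RFC 3580); the VLAN name "ATI" and the function names are this example's own. It makes visible why `Tunnel-Private-Group-ID = ATI` and `Tunnel-Private-Group-ID = 0:ATI` differ by exactly one leading zero octet, and why an integer attribute such as Tunnel-Type always carries a tag octet even when the users file gives none.

```python
"""Encode/decode RFC 2868 tunnel attributes to see what a NAS receives (constructed example)."""

# Attribute numbers from RFC 2868, VLAN enum values from RFC 3580
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
MAX_TAG = 0x1F  # RFC 2868: valid tags are 0x01..0x1F; 0x00 means "tag unused"


def encode_tagged_int(attr_type, tag, value):
    """Tagged integer attribute: Type, Length, Tag, 3-octet value (length always 6)."""
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    if not 0 <= value < 1 << 24:
        raise ValueError("value must fit in 24 bits")
    payload = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_tagged_string(attr_type, tag, value):
    """Tagged string attribute. tag=None omits the tag octet entirely,
    which is what an untagged 'Tunnel-Private-Group-ID = ATI' produces."""
    if tag is not None and not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0x00..0x1F")
    payload = (b"" if tag is None else bytes([tag])) + value.encode("utf-8")
    if len(payload) > 253:  # RADIUS attribute Length (incl. Type+Length) is at most 255
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(payload)]) + payload


def decode_tagged_int(avp):
    """Return (tag, value) for a tagged integer attribute."""
    if len(avp) != 6 or avp[1] != 6:
        raise ValueError("tagged integer attribute must be exactly 6 octets")
    return avp[2], int.from_bytes(avp[3:6], "big")


def decode_tagged_string(avp):
    """Return (tag, value) as RFC 2868 section 3.6 tells a NAS to parse it:
    a first octet greater than 0x1F is part of the string, not a tag."""
    body = avp[2:avp[1]]
    if body and body[0] <= MAX_TAG:
        return body[0], body[1:].decode("utf-8")
    return None, body.decode("utf-8")


def build_vlan_reply(group_id, tag):
    """The three Access-Accept attributes discussed in the thread, with one tag.
    tag=None reproduces an untagged users-file entry: integers still get tag 0x00."""
    int_tag = 0 if tag is None else tag
    return [
        encode_tagged_int(TUNNEL_TYPE, int_tag, TUNNEL_TYPE_VLAN),
        encode_tagged_int(TUNNEL_MEDIUM_TYPE, int_tag, TUNNEL_MEDIUM_IEEE_802),
        encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, group_id),
    ]


def tags_consistent(avps):
    """True when every tunnel attribute in the reply belongs to the same tag group.
    An absent tag octet and tag 0x00 both mean 'unused', so they are equivalent."""
    tags = set()
    for avp in avps:
        if avp[0] in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tags.add(decode_tagged_int(avp)[0])
        elif avp[0] == TUNNEL_PRIVATE_GROUP_ID:
            tags.add(decode_tagged_string(avp)[0] or 0)
    return len(tags) == 1


if __name__ == "__main__":
    # Compare the three users-file spellings from the thread on the wire
    for label, tag in (("ATI (no tag)", None), ("0:ATI", 0), ("1:ATI", 1)):
        avps = build_vlan_reply("ATI", tag)
        print(label, " ".join(a.hex() for a in avps),
              "consistent" if tags_consistent(avps) else "MIXED TAGS")
```

Running the block prints each reply's attributes as hex; the Tunnel-Private-Group-ID attribute is `5105415449` untagged, `510600415449` with `0:` and `510601415449` with `1:`, while the two integer attributes carry a tag octet in every case. `tags_consistent` is the check worth keeping when debugging a controller that ignores or drops the reply: a reply whose attributes land in different tag groups is, per the RFC, not one VLAN assignment at all.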
