[RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

Roberto Pantoja rpantoja at lageo.com.sv
Wed Mar 26 14:24:39 CDT 2014


Thank you, I will try tagging values for the reply...

On 03/26/2014 12:47 PM, Sami Keski-Kasari wrote:
> Hello Roberto,
>
> RFC 2868 defines that tunnel attributes include a Tag field before the
> value. Some NASes need it to be defined and some do not.
>
> Try for example with
>
> mikem2  User-Password=fred
>         Service-Type = Framed-User,
>         Tunnel-Private-Group-ID = 0:<vlan-id>,
>         Tunnel-Medium-Type = 0:802,
>         Tunnel-Type = 0:VLAN
>
> or
> mikem2  User-Password=fred
>         Service-Type = Framed-User,
>         Tunnel-Private-Group-ID = 1:<vlan-id>,
>         Tunnel-Medium-Type = 1:802,
>         Tunnel-Type = 1:VLAN
>
>
> Best Regards,
>  Sami
>
> On 03/26/2014 08:16 PM, Roberto Pantoja wrote:
>> Thank you for your prompt answer, but I have the same effect if I put
>> the VLAN name or numeric ID. Do you have any other idea that can help me
>> resolve this problem?
>>
>> Best regards.
>>
>> On 03/26/2014 11:37 AM, Hartmaier Alexander wrote:
>>> On 2014-03-26 18:40, Roberto Pantoja wrote:
>>>> I have a problem trying to assign dynamic VLANs to users on a 
>>>> WPA2-Enterprise configuration. Users have successful authentication
>>>> and if I don't send the Radius Attribute "Tunnel-Private-Group-ID"
>>>> the Wireless Controller connects me to the default VLAN for the SSID,
>>>> but when I send "Tunnel-Private-Group-ID", the Wireless Controller
>>>> simply drops out my connection. The Wireless controller documentation
>>>> says the required attributes in the Access-Accept Reply are
>>>> "Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
>>>> Tunnel-Private-Group-ID=<Name of VLAN>".  Everything works fine using
>>>> Ignition Server (Avaya's RADIUS server). But the product's
>>>> documentation says the WC8180 complies with RFC standards and mentions
>>>> that it is "compatible and validated" with FreeRADIUS and Microsoft IAS,
>>>> so I think my case is a configuration issue.
>>>>
>>>> Regards.
>>>>
>>>> Radiator Version: 4.12.1
>>>> Wireless Controller: AVAYA WC8180
>>>> Wireless Access Points: AVAYA AP8120
>>>>
>>>> Config file:
>>>> *** Config File ***
>>>> # radius.cfg
>>>>
>>>> Foreground
>>>> LogStdout
>>>> LogDir          /var/log/radius
>>>> LogFile         %L/logfile.%Y.%m.%d
>>>> DbDir           /etc/radiator
>>>> # Use a lower trace level in production systems:
>>>> Trace           4
>>>> AuthPort 1812
>>>> AcctPort 1813
>>>>
>>>> <Client 10.0.30.254>
>>>>         Secret verysecret
>>>>         PacketTrace
>>>>         Identifier Avaya WC8180
>>>> </Client>
>>>>
>>>> <Handler TunnelledByPEAP=1>
>>>>         <AuthBy FILE>
>>>>                 Filename %D/users
>>>>                 EAPType MSCHAP-V2
>>>>         </AuthBy>
>>>> </Handler>
>>>>
>>>> <Handler>
>>>>         <AuthBy FILE>
>>>>                 Filename %D/users
>>>>                 EAPType PEAP
>>>>                 EAPTLS_CAFile %D/certificates/cacert.pem
>>>> #               EAPTLS_CAPath
>>>>                 EAPTLS_CertificateFile %D/certificates/radiator-cert.pem
>>>>                 EAPTLS_CertificateType PEM
>>>>                 EAPTLS_PrivateKeyFile %D/certificates/radiator-key.pem
>>>>                 EAPTLS_PrivateKeyPassword verysecret
>>>> #               EAPTLS_RandomFile %D/certificates/random
>>>>                 EAPTLS_MaxFragmentSize 1024
>>>> #               EAPTLS_DHFile %D/certificates/cert/dh
>>>>                 #EAPTLS_CRLCheck
>>>>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>>>>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>>>>                 AutoMPPEKeys
>>>>                 #EAPTLS_SessionResumption 0
>>>>                 #EAPTLS_SessionResumptionLimit 10
>>>>                 ####EAPAnonymous anonymous at localhost
>>>>                 EAPTLS_PEAPVersion 0
>>>>                 EAPTTLS_NoAckRequired
>>>>         </AuthBy>
>>>> </Handler>
>>>> *** EOF Config File ***
>>>>
>>>>
>>>> Users file:
>>>> mikem user without VLAN default VLAN - Quarantine - no IP address
>>>> mikem1 user with VLAN Empleados - IP address range 10.0.21.0/24
>>>> mikem2 user with VLAN ATI - IP address range 10.0.19.0/24
>>>> *** Users file ***
>>>> # users
>>>> # This is an example of how to set up simple user for
>>>> # AuthBy FILE.
>>>> # The example user mikem has a password of fred, and will
>>>> # receive reply attributes suitable for most NASs.
>>>> # You can do many more interesting things. See the Radiator reference
>>>> # manual for more details
>>>> #
>>>> # You can test this user with the command
>>>> #  perl radpwtst
>>>>
>>>> mikem   User-Password=fred
>>>>         Service-Type = Framed-User,
>>>>         Tunnel-Medium-Type = 802,
>>>>         Tunnel-Type = VLAN
>>>>
>>>> mikem1  User-Password=fred
>>>>         Service-Type = Framed-User,
>>>>         Tunnel-Private-Group-ID = Empleados,
>>>>         Tunnel-Medium-Type = 802,
>>>>         Tunnel-Type = VLAN
>>>>
>>>> mikem2  User-Password=fred
>>>>         Service-Type = Framed-User,
>>>>         Tunnel-Private-Group-ID = ATI,
>>>>         Tunnel-Medium-Type = 802,
>>>>         Tunnel-Type = VLAN
>>>>
>>>> *** EOF users file ***
>>> We're doing that with Cisco WLCs without problems, but in our case by
>>> sending the VLAN ID, not its name as for wired dot1x, where Cisco IOS
>>> switches want the VLAN name:
>>>
>>> AddToReply Tunnel-Type=VLAN,\
>>>                Tunnel-Medium-Type=802, \
>>>                Tunnel-Private-Group-ID=123
>>>
>>>> -- 
>>>> ---------------------------------------
>>>> Roberto Carlos Pantoja Valdizón
>>>> Systems Analyst
>>>> ATI/GDEI/LaGeo
>>>>
>>>> _______________________________________________
>>>> radiator mailing list
>>>> radiator at open.com.au
>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>


-- 
---------------------------------------
Roberto Carlos Pantoja Valdizón
Systems Analyst
ATI/GDEI/LaGeo
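The tag-octet question raised in the replies above (RFC 2868 tunnel attributes carry a Tag octet before the value, and some NASes insist on it) is easiest to see on the wire. The following is an added example, not code from this thread or from Radiator: it encodes the three Access-Accept attributes used for dynamic VLAN assignment (Tunnel-Type=64, Tunnel-Medium-Type=65, Tunnel-Private-Group-ID=81, with value codes VLAN=13 from RFC 3580 and 802=6 from RFC 2868) and decodes them two ways. The "lenient" decoder follows RFC 2868 section 3.6, where a first octet above 0x1F is treated as part of the string; the "strict" decoder is a hypothetical NAS that always consumes the first octet as a tag. Whether a given server emits the string without a tag octet when the users file has no `0:`/`1:` prefix is an assumption made here for illustration, not a statement about Radiator.

```python
# Added example (not from the Radiator thread or from Radiator itself).
# Encodes RFC 2868 tunnel attributes and shows what a NAS reads back
# with and without the Tag octet on Tunnel-Private-Group-ID.

TUNNEL_TYPE = 64               # RFC 2868 section 3.1, tagged integer
TUNNEL_MEDIUM_TYPE = 65        # RFC 2868 section 3.2, tagged integer
TUNNEL_PRIVATE_GROUP_ID = 81   # RFC 2868 section 3.6, tagged string
TUNNEL_TYPE_VLAN = 13          # RFC 3580 section 3.31
TUNNEL_MEDIUM_802 = 6          # "802" in the RFC 2868 medium-type list


def _check_tag(tag):
    # Valid tags are 0x01-0x1F; 0x00 means "tag unused" (RFC 2868).
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0x00 (unused) or 0x01-0x1F")


def encode_tagged_integer(attr_type, tag, value):
    """Type | Length | Tag | 3-octet big-endian value (tag always present)."""
    _check_tag(tag)
    if not 0 <= value <= 0xFFFFFF:
        raise ValueError("value does not fit in 3 octets")
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr_type, 2 + len(body)]) + body


def encode_tagged_string(attr_type, tag, text):
    """Type | Length | [Tag] | String. tag=None omits the Tag octet, which is
    the hypothetical "server sent the bare VLAN name" case (assumption)."""
    data = text.encode("ascii")
    if tag is not None:
        _check_tag(tag)
    body = data if tag is None else bytes([tag]) + data
    if len(body) + 2 > 255:
        raise ValueError("attribute too long for one RADIUS AVP")
    return bytes([attr_type, 2 + len(body)]) + body


def decode_tagged_integer(avp):
    """Return (tag, value) for a tagged-integer AVP."""
    body = avp[2:avp[1]]
    if len(body) != 4:
        raise ValueError("tagged integer must be exactly 4 octets")
    return body[0], int.from_bytes(body[1:4], "big")


def decode_tagged_string(avp, strict=False):
    """Return (tag, string). Lenient mode follows RFC 2868 section 3.6:
    a first octet > 0x1F is the first byte of the String, not a tag.
    strict=True models a hypothetical NAS that always strips a tag octet."""
    body = avp[2:avp[1]]
    if not body:
        return None, ""
    if strict or body[0] <= 0x1F:
        return body[0], body[1:].decode("ascii")
    return None, body.decode("ascii")


def split_avps(blob):
    """Walk a concatenated attribute list (Type, Length, Value ...)."""
    out, i = [], 0
    while i < len(blob):
        if i + 1 >= len(blob):
            raise ValueError("truncated attribute header at offset %d" % i)
        length = blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append(blob[i:i + length])
        i += length
    return out


def build_vlan_reply(vlan_name, tag):
    """The three reply attributes for VLAN assignment. tag=None sends the
    group ID with no Tag octet; the integer attributes always carry one."""
    int_tag = 0 if tag is None else tag
    return (encode_tagged_integer(TUNNEL_TYPE, int_tag, TUNNEL_TYPE_VLAN)
            + encode_tagged_integer(TUNNEL_MEDIUM_TYPE, int_tag, TUNNEL_MEDIUM_802)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, tag, vlan_name))


def vlan_seen_by_nas(reply, strict):
    """The VLAN a NAS would extract from the reply, or None if absent."""
    for avp in split_avps(reply):
        if avp[0] == TUNNEL_PRIVATE_GROUP_ID:
            return decode_tagged_string(avp, strict)[1]
    return None


if __name__ == "__main__":
    for label, tag in (("no tag octet", None), ("tag 0", 0), ("tag 1", 1)):
        reply = build_vlan_reply("ATI", tag)
        print("%-13s %s  lenient=%r strict=%r" % (
            label, reply.hex(), vlan_seen_by_nas(reply, False),
            vlan_seen_by_nas(reply, True)))
```

Run stand-alone, the untagged form decodes to "ATI" under the RFC 2868 rule but to "TI" under the strict model, because 'A' (0x41) is consumed as the tag; the `0:` and `1:` forms decode to "ATI" either way, which is the reason the `0:<vlan-id>` / `1:<vlan-id>` users-file syntax suggested above removes the ambiguity.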
