mac-based vlan assignment through freeradius (windows)

alf
Member
Posts: 54
Joined: 16 Mar 2006 13:52
Location: Germany


Post by alf »

Hello,

In order to provide multiple users access to different VLANs, we use a freeradius(.net) RADIUS server to authenticate and assign a VLAN.

Code in OS6850:

OS6850P-EG> show configuration snapshot AAA
! AAA :
aaa radius-server "rad1" host 192.168.103.239 key testkey retransmit 3 timeout 2 auth-port 1812 acct-port 1813
aaa authentication default "local"
aaa authentication console "local"
aaa authentication 802.1x rad1
aaa authentication mac rad1
aaa accounting 802.1x rad1
! PARTM :
! AVLAN :
! 802.1x :
802.1x 1/2 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/2 captive-portal session-limit 12 retry-count 3
802.1x 1/2 supp-polling retry 2
802.1x 1/2 supplicant policy authentication pass default-vlan fail vlan 30 block
802.1x 1/2 non-supplicant policy authentication pass default-vlan fail vlan 30 block
802.1x 1/2 captive-portal policy authentication pass default-vlan fail vlan 30 block

users.conf:

# IP-TEST-TELEFON (MAC authentication: the switch sends the MAC as both User-Name and User-Password)
# Auth-Type is a check item, so it belongs on the first line with the other check items;
# the indented lines are reply items sent back to the switch.
00809F5619A1	Auth-Type := local, User-Password == "00809F5619A1"
		Tunnel-Type = "VLAN",
		Tunnel-Medium-Type = "IEEE-802",
		Tunnel-Private-Group-Id = "10"

# Every MAC not listed above is rejected
DEFAULT	Auth-Type := Reject

clients.conf:

### SWITCHES
client 192.168.103.210 {
	secret	= testkey
	shortname	= OmniSwitch-6850P-EG
	nastype     = other
}

The radiusd.conf is default...

The logfile auth-detail-20090928.log:

Packet-Type = Access-Request
Mon Sep 28 15:05:08 2009
	User-Name = "00809F5619A1"
	User-Password = "\276\272\272\224\344!\004O\353\020%!H9u\300"
	NAS-IP-Address = 192.168.103.210
	NAS-Port = 1003
	NAS-Port-Type = Async
	Client-IP-Address = 192.168.103.210

The User-Password is sent as a hash... how can I configure the encryption?
Regards,
Alf
cedric1

Re: mac-based vlan assignment through freeradius (windows)

Post by cedric1 »

hello

Here is a tech tip from ALU.

Method type should be checked in config.


https://service.esd.alcatel-lucent.com/ ... umber=2756

Cedric
benny

Re: mac-based vlan assignment through freeradius (windows)

Post by benny »

It is always a hash and your radius is smart enough to understand that.

Does vlan 10 exist? You should only return vlans which exist.

What is exactly your issue? What doesn't work?

This configuration works for me in freeradius.net:

Tunnel-Private-Group-ID = "10"
Tunnel-Medium-Type = "Ether-802" (IEEE-802 should also work - check that it is 0x6)
Tunnel-Type = "VLAN"

-benny
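As an added illustration of what benny describes (this code is not from the thread or from FreeRADIUS), the Python below reproduces the RFC 2865 section 5.2 User-Password hiding: the cleartext is padded to 16 bytes and XORed with MD5(shared secret + Request Authenticator), which is why the detail log shows a 16-byte binary string instead of 00809F5619A1, and why nothing needs configuring on the server beyond the same shared secret the switch uses. The secret testkey and the MAC come from the thread; the Request Authenticator is a constructed value, since the detail log does not record it.

```python
import hashlib

SHARED_SECRET = b"testkey"        # the key from the aaa radius-server line and clients.conf above
MAC_PASSWORD = b"00809F5619A1"    # OmniSwitch MAC authentication sends the MAC as User-Password
# Constructed value: the real Request Authenticator is in the Access-Request header, not in the detail log.
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block  # chained: the next key-stream block depends on this ciphertext block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password(); the NUL padding is stripped again."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(clear).rstrip(b"\x00")


def detail_log_escape(data: bytes) -> str:
    """Approximation of the detail-file rendering: printable ASCII as-is, the rest as \\ooo octal."""
    return "".join(chr(b) if 32 <= b < 127 and b not in (0x22, 0x5C) else "\\%03o" % b for b in data)


if __name__ == "__main__":
    hidden = hide_user_password(MAC_PASSWORD, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print('\tUser-Password = "%s"' % detail_log_escape(hidden))  # 16 bytes, like the log line above
    print(reveal_user_password(hidden, SHARED_SECRET, REQUEST_AUTHENTICATOR))  # b'00809F5619A1'
    print(reveal_user_password(hidden, b"wrongkey", REQUEST_AUTHENTICATOR))    # garbage: secret mismatch
```

Decoding with a different secret yields garbage rather than an error, so a secret mismatch between clients.conf and the switch shows up as authentication failures, not as a decoding error.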

Re: mac-based vlan assignment through freeradius (windows)

Post by alf »

Hi @ all,

The problem is solved and everything works fine.

Here is my working configuration:

vlan port mobile 1/1
vlan port 1/1 802.1x enable

! AAA :
aaa radius-server "rad1" host 192.168.100.1 key testkey retransmit 3 timeout 2 auth-port 1812 acct-port 1813 
aaa radius-server "rad2" host 192.168.100.2 key testkey retransmit 3 timeout 2 auth-port 1812 acct-port 1813 
aaa authentication 802.1x rad1 rad2
aaa authentication mac rad1 rad2

802.1x 1/1 direction both port-control auto quiet-period 60 tx-period 30 supp-timeout 30 server-timeout 30 max-req 2 re-authperiod 3600 no reauthentication
802.1x 1/1 captive-portal session-limit 12 retry-count 3
802.1x 1/1 supp-polling retry 2 
802.1x 1/1 supplicant policy authentication pass group-mobility default-vlan fail vlan 30 block
802.1x 1/1 non-supplicant policy authentication pass default-vlan fail vlan 30 block
802.1x 1/1 captive-portal policy authentication pass default-vlan fail block

The solution for my problem:
never touch the radiusd.conf with WordPad! With the default settings, everything works fine for me; nothing to change in it!

I hold it in head not out :D
Regards,
Alf