0

I am using Freeradius to authenticate users in PEAP-GTC and I want it to give a VLAN ID to the authenticator which will be assigned to the port of the authenticated client.

The authenticator is already configured to assign the VLAN ID recieved by the radius server to the port of the client, and to create the vlan if it does not exist.

On the Freeradius server i tried several things found on the internet to send the VLAN ID to the authenticator :

  • In the users file :

    DEFAULT Auth-Type := EAP   # and also DEFAULT NAS-Port-Type == "Ethernet"
Tunnel-Type = 13,
Tunnel-Medium-TYpe=6,
Tunnel-Private-Group-Id=5

  • In the eap module file :

    eap {
     use_tunneled_reply = yes
     ....
peap {
     use_tunneled_reply = yes

  • In the inner-tunnel sites file :

    post-auth {
           ....
           update {
                   &outer.session-state.Tunnel-Type := Tunnel-Type[*]
                   &outer.session-state.Tunnel-Medium-Type := Tunnel-Medium-Type[*]
                   &outer.session-state.Tunnel-Private-Group-Id := Tunnel-Private-Group-Id[*]
                   &outer.session-state.User-Name := Use-Name[*]
                   &outer.session-state: += &rpely:
                   }

The authenticator keep assigning the default vlan to the connected users, freeradius doesn't seem so send the vlan id.

Do you know how can freeradius assign a VLAN to the authenticated users ?

molik
  • 69
  • 2
  • 11

2 Answers2

0

I am using a database to store the credentials of the users. I need to configure the freeradius replies in it instead of the user file.

The table radusergroup link a user to a group. The table radgroupreply add response to the validation message sent to the authenticator to all the group member authentication.

This is a sql file you can load (edit it as you need) with mysql -u root -p database < vlan_file.sql :

-- link a user to a group
INSERT INTO radusergroup (username,groupname) VALUES ('username', 'mygroup');

-- link a group to replies
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Type', ':=', '13');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Medium-Type', ':=', '6');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Private-Group-Id', ':=', 'VLAN ID');

Here is my tables :

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | mygroup   |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
mysql>
mysql> select * from radgroupreply;
+----+-----------+-------------------------+----+-------+
| id | groupname | attribute               | op | value |
+----+-----------+-------------------------+----+-------+
| 5  | mygroup   | Tunnel-Type             | := | 13    |
| 6  | mygroup   | Tunnel-Medium-Type      | := | 6     |
| 9  | mygroup   | Tunnel-Private-Group-Id | := | 5     |
+----+-----------+-------------------------+----+-------+
3 rows in set (0.00 sec)
mysql> exit
Bye

When i trie with the command radtesti get the replies for the VLAN ID :

root@Debian10n2:# radtest test motdepasse 192.168.150.1 1812 passroot
Sent Access-Request Id 243 from 0.0.0.0:54448 to 192.168.150.1: 1812 length 74
User-Name = "test"
User-Password = "motdepasse"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "motdepasse"
Received Access-Accept Id 243 from 192.168.150.1:1812 to 192.168.150.30:54448 length 35
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
root@Debian10n2: #
molik
  • 69
  • 2
  • 11
0

In modern freeradius 3 - use_tunneled_reply = yes is deprecated. Proper inner-tunnel post-auth should be processed in "sites-available/inner-tunnel". Instead of setting use_tunneled_reply = yes, uncomment if(0) option in post-auth {}

post-auth {
- - - - 8< - - - -
#
#  Instead of "use_tunneled_reply", change this "if (0)" to an
#  "if (1)". 
#
#if (0) {
if (1) {
  #
  #  These attributes are for the inner-tunnel only,
  #  and MUST NOT be copied to the outer reply.
  #
- - - - 8< - - - -
}
George Eliozov
  • 1