FreeRadius – VLAN Attribution Working with Radtest but Not with WPA_Supplicant

freeradiusopenldapvlan

Both of my services freeradius and openldap are on the same server. The schema Freeradius is loaded into openldap.

I configured the radiusProfileDN of a user to link to a group. In this group, I have radiusReplyAttribute set to give the informations of the vlan.

When I use the command radtest in local (or from the remote and already authenticated client), I recieve an Access-Accept packet (radius protocol) containing the information for the vlan. A wireshark capture show the information for the vlan is in the packet.

  LDAP + Radius                      LDAP + Radius ----- Switch ----- Client
    <--------                              <-----------------------------
    -------->              or              ----------------------------->
   *vlan info*                                       *vlan info*

When I use the tool wpa_supplicant (peap-gtc protocol), I authenticate with success but the client port is not added to the vlan group. A wireshark capture show the Access-Accept packet exchanged between the switch and the Radius server dont have the vlan information in it.

LDAP + Radius ----- Switch ----- Client
  <------------------    <----------
  ------------------>    ---------->
    *no vlan info*      wpa_supplicant

From the log of openldap, the same steps are made for the authentication with radtest or wpa_supplicant :

read access allowed for radiusReplyAttribute on 'mygroup'
result was in cache (radiusReplyAttribute)
send_search_entry exit
send_ldap_result & send_ldap_response

In the ldap server, I tried putting the vlan information directly in the user, or in the already made "variable" for the vlan info but I get the same result.

Do you know where my problem come from ? It seems related to wpa_supplicant using a different protocol than the radtest command and freeradius (maybe I miss a line in the configuration) ?

Best Answer

I am using the peap-gtc protocol for authentication.

To pass the attribute information in the Access-Accept packet, I had to edit the following freeradius file : mods-enabled/eap.

peap {
    use_tunneled_reply = yes
}

Now the switch port get configured in the corresponding vlan.

Related Solutions

Ldap – Auth-Type :- Reject in RADIUS users file matches inner tunnel request but sends Access-Accept

For some strange reason, setting Auth-Type is a check item, not a reply item, and therefore this must be done on the first line of the rule. The following works correctly:

DEFAULT FreeRADIUS-Proxied-To == "127.0.0.1", Auth-Type := Reject
    Reply-Message = "User does not belong to any groups which may access this SSID."

How to Freeradius assign a VLAN ID to the authenticated client

I am using a database to store the credentials of the users. I need to configure the freeradius replies in it instead of the user file.

The table radusergroup link a user to a group. The table radgroupreply add response to the validation message sent to the authenticator to all the group member authentication.

This is a sql file you can load (edit it as you need) with mysql -u root -p database < vlan_file.sql :

-- link a user to a group
INSERT INTO radusergroup (username,groupname) VALUES ('username', 'mygroup');

-- link a group to replies
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Type', ':=', '13');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Medium-Type', ':=', '6');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Private-Group-Id', ':=', 'VLAN ID');

Here is my tables :

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | mygroup   |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
mysql>
mysql> select * from radgroupreply;
+----+-----------+-------------------------+----+-------+
| id | groupname | attribute               | op | value |
+----+-----------+-------------------------+----+-------+
| 5  | mygroup   | Tunnel-Type             | := | 13    |
| 6  | mygroup   | Tunnel-Medium-Type      | := | 6     |
| 9  | mygroup   | Tunnel-Private-Group-Id | := | 5     |
+----+-----------+-------------------------+----+-------+
3 rows in set (0.00 sec)
mysql> exit
Bye

When i trie with the command radtesti get the replies for the VLAN ID :

root@Debian10n2:# radtest test motdepasse 192.168.150.1 1812 passroot
Sent Access-Request Id 243 from 0.0.0.0:54448 to 192.168.150.1: 1812 length 74
User-Name = "test"
User-Password = "motdepasse"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "motdepasse"
Received Access-Accept Id 243 from 192.168.150.1:1812 to 192.168.150.30:54448 length 35
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
root@Debian10n2: #

Best Answer

Related Solutions

Ldap – Auth-Type :- Reject in RADIUS users file matches inner tunnel request but sends Access-Accept

How to Freeradius assign a VLAN ID to the authenticated client

Related Topic