problem with dynamic vlans "authentication server did not include required VLAN ID in Access-Accept"
Peda
peda
Thu Dec 1 05:15:40 PST 2011
hi there

i'm trying to set up a NAS based on OpenWrt running hostapd (version
0.8.x - the one that comes with OpenWrt 10.03.1-rc6). i enabled the
dynamic vlan assignment feature in hostapd by setting:

    dynamic_vlan=2
    vlan_file=/etc/config/hostapd.vlan
    vlan_tagged_interface=eth0

and my /etc/config/hostapd.vlan looks like this:

    * wlan0.#

the authentication server is a freeradius 2.1.10 server running on
debian squeeze.
the "interesting" part of that config:

    DEFAULT Ldap-Group == teacher
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id := 10,
            Reply-Message = "Hello Teacher",
            Fall-Through = no

    DEFAULT Ldap-Group == student
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-Id := 11,
            Reply-Message = "Hello Student",
            Fall-Through = no

every time i try to authenticate via EAP-MSCHAPV2 (using wpa_supplicant
on debian squeeze on my client notebook) i get the

    authentication server did not include required VLAN ID in Access-Accept

message in the OpenWrt logs.

the freeradius debugging output gives:

    [peap] Got tunneled reply code 2
            Tunnel-Type:0 = VLAN
            Tunnel-Medium-Type:0 = IEEE-802
            Tunnel-Private-Group-Id:0 := "11"
            Reply-Message = "Hello Student"

i also tried to simulate the authentication using eapol_test. the output
of the corresponding test with eapol_test:

    Attribute 64 (Tunnel-Type) length=6
       Value: 00 00 00 0d
    Attribute 65 (Tunnel-Medium-Type) length=6
       Value: 00 00 00 06
    Attribute 81 (Tunnel-Private-Group-Id) length=4
       Value: 31 31
    Attribute 18 (Reply-Message) length=15
       Value: 'Hello Student'

where Tunnel-Type 0d (13 == VLAN), Tunnel-Medium-Type 06 (== IEEE-802)
and the Reply-Message seem to be correct, but the Tunnel-Private-Group-Id is
always 31 31 no matter what value i assign in the freeradius users
config-file.
a simulation with jradius simulator gives the same values in the
access-accept packets for Tunnel-Private-Group-Id as in the freeradius
config.

log output of jradius simulator:

    Received RADIUS Packet:
    ----------------------------------------------------------
    Class: class net.jradius.packet.AccessAccept
    Attributes:
    Tunnel-Type = VLAN
    Tunnel-Medium-Type = IEEE-802
    Tunnel-Private-Group-Id = 11
    Reply-Message = Hello Student
    MS-MPPE-Encryption-Policy = [Binary Data (length=4)]
    MS-MPPE-Encryption-Types = [Binary Data (length=4)]
    MS-MPPE-Send-Key = [Binary Data (length=34)]
    MS-MPPE-Recv-Key = [Binary Data (length=34)]
    EAP-Message = [Binary Data (length=4)]
    Message-Authenticator = [Binary Data (length=16)]
    User-Name = k9656144

i'm really stuck with the problem because now i don't know how to get my
setup working.
hope to hear some hints or tips from you.
yours peda
--
If voting really could change anything, it would be illegal of course.
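
Added example, not part of the original post and not hostapd or FreeRADIUS code: a decoder for the three tunnel attributes in the eapol_test dump above, using the attribute layouts from RFC 2868 and the VLAN ID convention from RFC 3580 (ID carried as an ASCII string, 1-4094). Function names are hypothetical, and the sample octets are constructed from the dump in the post.

```python
# Added example: decode the tunnel attributes shown in the eapol_test dump.
# Layouts per RFC 2868; VLAN usage per RFC 3580. All names are hypothetical.

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed from the dump in the post: (attribute number, value octets).
SAMPLE = [
    (64, bytes.fromhex("0000000d")),
    (65, bytes.fromhex("00000006")),
    (81, bytes.fromhex("3131")),
]


def decode_tagged_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet, then a 24-bit integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must carry 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def decode_group_id(value):
    """Tunnel-Private-Group-Id: optional tag octet (0x01-0x1f), then a string."""
    if not value:
        raise ValueError("empty Tunnel-Private-Group-Id")
    tag = 0
    if 0x01 <= value[0] <= 0x1F:      # first octet > 0x1f is already string data
        tag, value = value[0], value[1:]
    return tag, value.decode("ascii")


def vlan_id_from_attrs(attrs):
    """Return the VLAN ID from a VLAN / IEEE-802 / group-id triple sharing one tag."""
    types, media, groups = {}, {}, {}
    for number, value in attrs:
        if number == TUNNEL_TYPE:
            tag, types[tag] = decode_tagged_int(value)
        elif number == TUNNEL_MEDIUM_TYPE:
            tag, media[tag] = decode_tagged_int(value)
        elif number == TUNNEL_PRIVATE_GROUP_ID:
            tag, groups[tag] = decode_group_id(value)
    for tag, group in groups.items():
        if types.get(tag) == TYPE_VLAN and media.get(tag) == MEDIUM_IEEE_802:
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None  # no usable VLAN ID in this set of attributes
```

Run on the sample, the value octets 31 31 decode as the ASCII string "11" with tag 0.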