problem with dynamic vlans "authentication server did not include required VLAN ID in Access-Accept"

Peda peda
Thu Dec 1 05:15:40 PST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hi there

i'm trying to set up a NAS based on OpenWrt running hostapd (version
0.8.x - the one that comes with OpenWrt 10.03.1-rc6). i enabled the
dynamic vlan assignment feature in hostapd by setting:
dynamic_vlan=2
vlan_file=/etc/config/hostapd.vlan
vlan_tagged_interface=eth0
and my /etc/config/hostapd.vlan looks like this:
* wlan0.#
the authentication server is a freeradius 2.1.10 server running on
debian squeeze.
the "intersting" part of that config:
DEFAULT Ldap-Group == teacher
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id := 10,
        Reply-Message = "Hello Teacher",
        Fall-Through = no

DEFAULT Ldap-Group == student
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id := 11,
        Reply-Message = "Hello Student",
        Fall-Through = no

every time i try to authenticate via EAP-MSCHAPV2 (using wpa_supplicant
on debian squeeze on my client notebook) i get the
authentication server did not include required VLAN ID in Access-Accept
message in the OpenWrt logs.

the freeradius debugging output gives:

[peap] Got tunneled reply code 2
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 := "11"
        Reply-Message = "Hello Student"

i also tried to simulate the authentication using eapol_test. the output
of the coresponding test with eapol_test:
   Attribute 64 (Tunnel-Type) length=6
      Value: 00 00 00 0d
   Attribute 65 (Tunnel-Medium-Type) length=6
      Value: 00 00 00 06
   Attribute 81 (Tunnel-Private-Group-Id) length=4
      Value: 31 31
   Attribute 18 (Reply-Message) length=15
      Value: 'Hello Student'

where Tunnel-Type 0d (13 == VLAN) Tunnel-Medium-Type 06 (== IEEE-802)
and the Reply-Message seem to correct but the Tunnel-Private-Group-Id is
always 31 31 no matter what value i assign in the freeradius users
config-file.

a simulation with jradius simulator gives the same values in the
access-accept packets for Tunnel-Private-Group-Id as in the freeradius
config.

log output of jradius simulator:

Received RADIUS Packet:
- ----------------------------------------------------------
Class: class net.jradius.packet.AccessAccept
Attributes:
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-Id = 11
Reply-Message = Hello Student
MS-MPPE-Encryption-Policy = [Binary Data (length=4)]
MS-MPPE-Encryption-Types = [Binary Data (length=4)]
MS-MPPE-Send-Key = [Binary Data (length=34)]
MS-MPPE-Recv-Key = [Binary Data (length=34)]
EAP-Message = [Binary Data (length=4)]
Message-Authenticator = [Binary Data (length=16)]
User-Name = k9656144

i'm really stuck with the problem because now i don't know how to get my
setup working.

hope to hear some hints or tips from you.

yours peda


- -- 
If voting really could change anything, it would be illegal of course.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7XffwACgkQ+BwdcVjvuM9lIgCffdq8N7dF7RY0DgCoxFG0B9zr
hEsAnRMimGNCowLeNaocDg2ZKpv7lQVQ
=6Qvn
-----END PGP SIGNATURE-----



More information about the Hostap mailing list