Cisco Employee

WLC 5508: 802.1 AAA override; Authentication success, no dynamic vlan assignment

WLC 5508: software version 7.0.98.0

Windows 7 Client

Radius Server:  Fedora Core 13 / Freeradius with LDAP storage backend

I have followed the guide at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml with respect to building the LDAP and FreeRADIUS server.  802.1x authorization and authentication correctly work.  The session keys are returned from the RADIUS server and the WLC sends the appropriate information for the client to generate the WEP key.

However, the WLC does not override the VLAN assignment, even though I was led to believe I set everything up correctly.  From the packet capture, you can see that the verification that the client is authorized to use the WLAN returns the needed attributes:

AVP: l=4  t=Tunnel-Private-Group-Id(81): 10

AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)

AVP: l=6  t=Tunnel-Type(64): VLAN(13)

I attached a packet capture and wlc config, any guidance toward the attributes that may be missing or not set correctly in the config would be most appreciated.
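The quickest way to confirm what Nicolas and Tiago ask for below is to inspect the RADIUS packet itself rather than trust the server's view of it. The following script is an added example for this thread (not code from the original poster or from Cisco): it decodes the attribute section of a RADIUS Access-Accept, applies the RFC 2868 tag rules to the three tunnel attributes, and reports either the VLAN a NAS would apply or exactly which attribute is missing. The two packets it runs against are constructed in-line; the attribute numbers (64, 65, 81) and enumerated values (VLAN=13, IEEE-802=6) are the standard ones, and the lengths match the AVP lines quoted above (l=6, l=6, l=4).

```python
"""Check whether a RADIUS Access-Accept carries the VLAN-override triple.

Added example for this thread, not code from the original poster or from
Cisco. The packets below are constructed in-line for illustration; the
attribute numbers, the tag octet rules and the enumerated values follow
RFC 2865/2868 (Tunnel-Type=64, Tunnel-Medium-Type=65,
Tunnel-Private-Group-Id=81, VLAN=13, IEEE-802=6).
"""
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
SESSION_TIMEOUT = 27
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def parse_attributes(payload):
    """Split the attribute section into (type, value) pairs; reject bad lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad length %d for attribute %d" % (alen, atype))
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def decode_tunnel_int(value):
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet then a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tunnel integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def decode_tunnel_string(value):
    """Tunnel-Private-Group-Id: the first octet is a tag only if it is 0x00-0x1F."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_from_access_accept(packet):
    """Return (vlan, "ok") or (None, reason) for one RADIUS packet."""
    if len(packet) < 20:
        return None, "shorter than a RADIUS header"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        return None, "not an Access-Accept (code %d)" % code
    if length != len(packet):
        return None, "length field %d != %d bytes" % (length, len(packet))
    found = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            found[atype] = decode_tunnel_int(value)
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            found[atype] = decode_tunnel_string(value)
    names = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
             TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}
    missing = [names[n] for n in names if n not in found]
    if missing:
        return None, "Access-Accept lacks " + ", ".join(missing)
    tag_t, ttype = found[TUNNEL_TYPE]
    tag_m, medium = found[TUNNEL_MEDIUM_TYPE]
    tag_g, group = found[TUNNEL_PRIVATE_GROUP_ID]
    if ttype != TUNNEL_TYPE_VLAN:
        return None, "Tunnel-Type %d is not VLAN(13)" % ttype
    if medium != TUNNEL_MEDIUM_IEEE_802:
        return None, "Tunnel-Medium-Type %d is not IEEE-802(6)" % medium
    if len({tag_t, tag_m, tag_g}) != 1:
        return None, "tunnel attributes carry different tags and do not form one assignment"
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return None, "Tunnel-Private-Group-Id %r is not a VLAN number" % group
    return int(group), "ok"


def build_packet(code, attrs, ident=1):
    """Assemble a RADIUS packet (constructed sample; Authenticator left zeroed)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed: what a working Access-Accept should carry (l=6, l=6, l=4 as in the thread).
ACCEPT_WITH_VLAN = build_packet(ACCESS_ACCEPT, [
    (TUNNEL_TYPE, bytes([0]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, bytes([0]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"10"),
])
# Constructed: the symptom in the thread, an Access-Accept with no tunnel attributes at all.
ACCEPT_WITHOUT_VLAN = build_packet(ACCESS_ACCEPT, [
    (SESSION_TIMEOUT, (1800).to_bytes(4, "big")),
])

if __name__ == "__main__":
    for label, pkt in (("with vlan", ACCEPT_WITH_VLAN), ("without vlan", ACCEPT_WITHOUT_VLAN)):
        print(label, vlan_from_access_accept(pkt))
```

Feed it the bytes of the final Access-Accept from a capture (not the inner EAP exchange) and it will say whether the WLC could ever have learned a VLAN from that packet.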

2 ACCEPTED SOLUTIONS
8 REPLIES
Cisco Employee

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

You enabled aaa override, you have an interface in the assigned vlan. All looks good.

Please collect a "debug client " so that we can eventually see why the WLC doesn't assign the correct interface.

Nicolas

===

Don't forget to rate answers that you find useful

Cisco Employee

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

I have not deployed dynamic VLANs via the WLC; however, just as a note, FreeRADIUS is not officially supported. However, I have deployed FreeRADIUS myself, and I assume that if the RADIUS messages are properly formulated it should not really make a difference. Just an observation.

Cisco Employee

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

Client and dot1x AAA captured.  I had captured AAA before this post, but couldn't get much out of it.

Cisco Employee

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

Seems like the WLC is not receiving any vlan attribute. Now that I took another look at your sniffer trace... The RADIUS access-accept doesn't contain the vlan attributes either! So no wonder the WLC doesn't know about any vlan :-)

Can you make sure that freeradius is sending them? Because if they don't appear in a sniffer trace....

Nicolas

===

Don't forget to rate answers that you find useful

Cisco Employee

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

Hi,

As Nico wrote, the attributes are not in the access-accept:

Please make sure that:

AVP: l=4  t=Tunnel-Private-Group-Id(81): 10

AVP: l=6  t=Tunnel-Medium-Type(65): IEEE-802(6)

AVP: l=6  t=Tunnel-Type(64): VLAN(13)

are sent on the access-accept.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Cisco Employee

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

Thanks.  So this does clear things up and makes sense that the attributes should be sent during the accept message.  My original observation was seeing the attributes sent during PEAP start after the client identity message (2nd packet in the trace).  I'll look and see if I can get these attributes sent during the final accept authentication message.

I'll add an update to this post once complete.

Cisco Employee

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

Yes, good catch, so I had one setting left off in freeradius that allowed the inner reply attributes back to the outer tunneled accept.  I wrote up a medium-high-level config for any future viewers of this thread:

The following was tested and verified on a Fedora 13 installation.  This is a minimal setup, not meant for a "live" network (security issues with cleartext passwords, LDAP not indexed properly for performance).

Install Packages

1.  Install needed packages.

yum install openldap*

yum install freeradius*

2.  Set the services to automatically start on system startup

chkconfig --level 2345 slapd on

chkconfig --level 2345 radiusd on

Configure and start LDAP

1.  Copy the needed LDAP schema for radius.  Your path may vary a bit

cp /usr/share/doc/freeradius*/examples/openldap.schema /etc/openldap/schema/radius.schema

2.  Create an admin password for slapd.  Record this password for later use when configuring the slapd.conf file

slappasswd

3.  Add the ldap user and group, if they don't exist.  Depending on the install rpm, they may have been created

useradd ldap

groupadd ldap

4.  Create the directory and assign permissions for the database files

mkdir /var/lib/ldap

chmod 700 /var/lib/ldap

chown ldap:ldap /var/lib/ldap

5.  Edit the slapd.conf file.

cd /etc/openldap

vi slapd.conf

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
#Default needed schemas
include        /etc/openldap/schema/corba.schema
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/duaconf.schema
include        /etc/openldap/schema/dyngroup.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/java.schema
include        /etc/openldap/schema/misc.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/openldap.schema
include        /etc/openldap/schema/ppolicy.schema
include        /etc/openldap/schema/collective.schema
#Radius include
include        /etc/openldap/schema/radius.schema
#Samba include
#include        /etc/openldap/schema/samba.schema
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org
pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
#Use the Berkeley database
database    bdb
#dn suffix, domain components read in order
suffix        "dc=cisco,dc=com"
checkpoint    1024 15
#root container node defined
rootdn        "cn=Manager,dc=cisco,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw        secret
rootpw        {SSHA}cVV/4zKquR4IraFEU7NTG/PIESw8l4JI
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools. (chown ldap:ldap)
# Mode 700 recommended.
directory    /var/lib/ldap
# Indices to maintain for this database
index objectClass                       eq,pres
index uid,memberUid                     eq,pres,sub
# enable monitoring
database monitor
# allow only rootdn to read the monitor
access to *
         by dn.exact="cn=Manager,dc=cisco,dc=com" read
         by * none

6.  Remove the slapd.d directory

cd /etc/openldap

rm -rf slapd.d

7.  Hopefully, if everything is correct, you should be able to start up slapd with no problem

service slapd start

8.  Create the initial database in a text file called /tmp/initial.ldif (each entry must be separated from the next by a blank line, or ldapadd will reject the file)

dn: dc=cisco,dc=com
objectClass: dcObject
objectClass: organization
o: cisco
dc: cisco

dn: ou=people,dc=cisco,dc=com
objectClass: organizationalUnit
ou: people
description: people

dn: uid=jonatstr,ou=people,dc=cisco,dc=com
objectClass: top
objectClass: radiusprofile
objectClass: inetOrgPerson
cn: jonatstr
sn: jonatstr
uid: jonatstr
description: user Jonathan Strickland
radiusTunnelType: VLAN
radiusTunnelMediumType: 802
radiusTunnelPrivateGroupId: 10
userPassword: ggsg

9.  Add the file to the database

ldapadd -h localhost -W -D "cn=Manager, dc=cisco,dc=com" -f /tmp/initial.ldif

10.  Issue a basic query to the LDAP db to make sure that we can request and receive results back

ldapsearch -h localhost -W -D cn=Manager,dc=cisco,dc=com -b dc=cisco,dc=com -s sub "objectClass=*"

Configure and Start FreeRadius

1. Configure ldap.attrmap, if needed.  This step is only needed if we need to map and pass attributes back to the authenticator (dynamic vlan assignments as an example).  Below is an example for dynamic vlan addresses

cd /etc/raddb

vi ldap.attrmap

For dynamic vlan assignments, verify the following lines exist:

replyItem    Tunnel-Type                  radiusTunnelType
replyItem    Tunnel-Medium-Type           radiusTunnelMediumType
replyItem    Tunnel-Private-Group-Id      radiusTunnelPrivateGroupId

Since we are planning to use the userPassword, we will let the mschap module perform the NT translations for us.  Add the following line to check the LDAP object for userPassword and store it as Cleartext-Password:

checkItem    Cleartext-Password           userPassword

2.  Configure eap.conf.  The following section attributes should be verified.  You may change other attributes as needed; they are just not covered in this document.

eap {
    default_eap_type = peap
    .....

    tls {
        # I will not go into details here as this is beyond the scope of setting up freeradius.
        # The defaults will work, as freeradius comes with generated self-signed certificates.
    }

    peap {
        default_eap_type = mschapv2

        # you will have to set this to allow the inner TLS tunnel attributes into the final accept message
        use_tunneled_reply = yes

        ......
    }
}

3.  Change the authentication and authorization modules and order.

cd /etc/raddb/sites-enabled

vi default

For the authorize section, uncomment the ldap module.

For the authenticate section, uncomment the ldap module.

vi inner-tunnel

Very important: for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:

authorize {
    ldap
    mschap
    ......
}

4.  Configure ldap module

cd /etc/raddb/modules

ldap {
    server = "localhost"
    identity = "cn=Manager,dc=cisco,dc=com"
    password = admin
    basedn = "dc=cisco,dc=com"
    base_filter = "(objectclass=radiusprofile)"
    access_attr = "uid"
    ............
}

5.  Start up radius in debug mode on another console

radiusd -X

6.  radtest jonatstr ggsg localhost 12 testing123

You should get an Access-Accept back

7.  Now to perform an EAP-PEAP test.  This will require a wpa_supplicant test library called eapol_test

First install openssl support libraries, required to compile

yum install openssl*

yum install gcc

wget http://hostap.epitest.fi/releases/wpa_supplicant-0.6.10.tar.gz

tar xvf wpa_supplicant-0.6.10.tar.gz

cd wpa_supplicant-0.6.10/wpa_supplicant

vi defconfig

Uncomment CONFIG_EAPOL_TEST = y and save/exit

cp defconfig .config

make eapol_test

cp eapol_test /usr/local/bin

chmod 755 /usr/local/bin/eapol_test

8.  Create a test config file named eapol_test.conf.peap

network={
    eap=PEAP
    eapol_flags=0
    key_mgmt=IEEE8021X
    identity="jonatstr"
    password="ggsg"
    # If you want to verify the server certificate, the line below would be needed
    #ca_cert="/root/ca.pem"
    phase2="auth=MSCHAPV2"
}

9.  Run the test

eapol_test -c ~/eapol_test.conf.peap -a 127.0.0.1 -p 1812 -s testing123
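The two settings that turned this thread around (use_tunneled_reply in the peap section of eap.conf, and ldap listed before mschap in the inner-tunnel authorize section) are easy to regress on the next edit. The script below is an added example, not part of the post above or of the FreeRADIUS project: it parses the brace-structured layout of eap.conf and sites-enabled/inner-tunnel and flags exactly those two problems. The configuration text it runs against is constructed here for illustration, and the parser is deliberately minimal (name { ... } blocks, key = value lines and bare module names), so it does not understand every unlang construct.

```python
"""Lint the two FreeRADIUS settings this thread turned on for VLAN override.

Added example, not part of the original post or the FreeRADIUS project. The
configuration text below is constructed and kept to the 'name {' / '}' layout
of eap.conf and sites-enabled/inner-tunnel; the parser is deliberately
minimal and does not handle every unlang construct.
"""
import re


def parse_sections(text):
    """Return {section_path_tuple: [items]} for brace-structured config text."""
    sections = {(): []}
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            sections.setdefault(tuple(stack), [])
        elif line == "}":
            if not stack:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            sections[tuple(stack)].append(line)
    if stack:
        raise ValueError("unclosed section: " + "/".join(stack))
    return sections


def setting(items, key):
    """Value of 'key = value' among a section's items, quotes stripped, or None."""
    for item in items:
        m = re.match(r"^(\w+)\s*=\s*(.*)$", item)
        if m and m.group(1) == key:
            return m.group(2).strip().strip('"')
    return None


def modules_in_order(items):
    """Bare module references (ldap, mschap, eap, ...) in the order listed."""
    return [i for i in items if re.fullmatch(r"[\w-]+", i)]


def find_section(sections, name):
    """First section whose innermost name matches (e.g. 'authorize' under 'server inner-tunnel')."""
    for path, items in sections.items():
        if path and path[-1] == name:
            return items
    return None


def lint_freeradius(eap_conf, inner_tunnel):
    """List the problems that keep inner-tunnel reply attributes out of the Access-Accept."""
    problems = []
    peap = find_section(parse_sections(eap_conf), "peap")
    if peap is None:
        problems.append("eap.conf: no peap { } section")
    elif setting(peap, "use_tunneled_reply") != "yes":
        problems.append("eap.conf: peap use_tunneled_reply must be 'yes' so inner reply "
                        "attributes are copied into the outer Access-Accept")
    authorize = find_section(parse_sections(inner_tunnel), "authorize")
    order = modules_in_order(authorize or [])
    if "ldap" not in order:
        problems.append("inner-tunnel: ldap is not listed in authorize")
    elif "mschap" in order and order.index("mschap") < order.index("ldap"):
        problems.append("inner-tunnel: mschap is listed before ldap in authorize; ldap must come first")
    return problems


# Constructed: the state the thread started in (attributes never reach the WLC).
EAP_CONF_BROKEN = """
eap {
    default_eap_type = peap
    tls {
        # defaults; freeradius ships self-signed certificates
    }
    peap {
        default_eap_type = mschapv2
        use_tunneled_reply = no
    }
}
"""
INNER_TUNNEL_BROKEN = """
server inner-tunnel {
    authorize {
        mschap
        ldap
        eap
    }
    authenticate {
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
"""
# Constructed: the corrected pair matching the write-up above.
EAP_CONF_FIXED = EAP_CONF_BROKEN.replace("use_tunneled_reply = no", "use_tunneled_reply = yes")
INNER_TUNNEL_FIXED = INNER_TUNNEL_BROKEN.replace("mschap\n        ldap", "ldap\n        mschap")

if __name__ == "__main__":
    print("broken:", lint_freeradius(EAP_CONF_BROKEN, INNER_TUNNEL_BROKEN))
    print("fixed: ", lint_freeradius(EAP_CONF_FIXED, INNER_TUNNEL_FIXED))
```

Point lint_freeradius at the contents of /etc/raddb/eap.conf and /etc/raddb/sites-enabled/inner-tunnel after each change; an empty list means both settings are as this thread's working configuration has them.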

Re: WLC 5508: 802.1 AAA override; Authentication success no dynam

Hi Jonathan,

I want to thank you so much for your post. I have been debugging this issue for the last 2 days and tried different things but nothing would work!

Now I get the AAA overrides in the Access-accept packet:

*Dot1x_NW_MsgTask_3: Jul 13 12:01:02.903: 00:13:02:a0:bd:9b Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1

                vlanIfName: 'employes', aclName: ''

At the end of the day, I was missing this:

3.  Change the authentication and authorization modules and order.

cd /etc/raddb/sites-enabled

vi default

Very important: for the authorize section, ensure the ldap module is first, before mschap.  Thus authorize will look like:

authorize {
    ldap
    mschap
    ......
}

I had them both but mschap was before ldap!!!
