
TekRADIUS Forum

Topic: Multiple VLANs
21.11.2011 17:30:53

osko001
Hello, I am using TekRADIUS now for a test and it is working quite fine, but I have one question about it.

An example.

I have 3 stacks of switches with some VLANs, and three of them are called this way:

stack 1: vlan ID 1 - "clients_A"
stack 2: vlan ID 2 - "clients_B"
stack 3: vlan ID 3 - "clients_C"

I have one TekRADIUS server with one database.
The three stacks all have a different IP address and direct to the same TekRADIUS.

In TekRADIUS one of the groups is called clients with the following configuration:
tunnel private group id = 1

But with this configuration the user can only work on the first stack, because the other stacks don't recognize vlan ID 1 as it is not configured on those switches. Is it possible to connect one user to three groups, or add 3 vlan IDs to one group?

What I actually want is dynamic VLANs, location based.

I hope it is a bit clear.
22.11.2011 16:07:30

Admin (Administrator)
Should TekRADIUS return tunnel private group id = 2 when user logged in from Stack 2?
22.11.2011 16:31:40

osko001
Yes indeed, I want the users to be part of one group in the database, but when they log in from stack 1 they need tunnel private group ID 1, and when they log in from stack 2 they need tunnel private group ID 2, and so on.
23.11.2011 15:48:17

Admin (Administrator)
You can use the Next-Group attribute to chain group profiles. If you would like to authenticate a session according to NAS-IP-Address, but NAS-IP-Address could have three different values, you can create three different group profiles, one for each NAS-IP-Address value, and chain them using the Next-Group parameter. The Next-Group attribute can be used only in group profiles, as a check attribute. Please note that attributes in user profiles override group attributes, so do not use attributes of chained groups in user profiles. TekRADIUS will try to authenticate an incoming Access-Request with the user attributes and the primary group attributes first; if that fails, TekRADIUS will try to authenticate again with the user attributes and the next group's attributes.

Next-Group is a string type attribute and can exist only as a check attribute in group profiles. Next-Group is not supported with PEAP authentication.
23.11.2011 18:03:17

osko001
OK, I have configured this now but it doesn't seem to work. What I did:

Created a user, member of group clients_A.

Created a group clients_A:

NAS-IP-Address check 10.7.0.10
Next-Group check clients_B
Service-Type Success-reply Framed
Tunnel-Type success-reply VLAN
Tunnel-Medium-Type Success-reply 802
Framed-Protocol Success-reply PPP
Tunnel-Private-Group-ID Success-reply 1

Created a group clients_B:

NAS-IP-Address check 10.7.0.11
Next-Group check clients_C
Service-Type Success-reply Framed
Tunnel-Type success-reply VLAN
Tunnel-Medium-Type Success-reply 802
Framed-Protocol Success-reply PPP
Tunnel-Private-Group-ID Success-reply 2

Created a group clients_C:

NAS-IP-Address check 10.7.0.12
Next-Group check clients_B
Service-Type Success-reply Framed
Tunnel-Type success-reply VLAN
Tunnel-Medium-Type Success-reply 802
Framed-Protocol Success-reply PPP
Tunnel-Private-Group-ID Success-reply 3

Computers in the clients_A network are connected normally, but the computers in clients_B and C are not connected.

Example log from a Juniper switch, from one interface:

ge-0/0/0.0
Role: Authenticator
Administrative state: Auto
Supplicant mode: Multiple
Number of retries: 3
Quiet period: 60 seconds
Transmit period: 30 seconds
Mac Radius: Enabled
Mac Radius Restrict: Enabled
Reauthentication: Enabled
Configured Reauthentication interval: 90 seconds
Supplicant timeout: 30 seconds
Server timeout: 30 seconds
Maximum EAPOL requests: 2
Guest VLAN member: Switches-Firewalls
Number of connected supplicants: 1
Supplicant: 002275d6b837, 00:22:75:D6:B8:37
Operational state: Held
Backend Authentication state: Idle
Authentcation method: Fail
Authenticated VLAN: Quarantine_VLAN
Session Reauth interval: 0 seconds
Reauthentication due in 0 seconds

edited by osko001 on 25.11.2011
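How the Next-Group chain described in the Admin's reply resolves the three group profiles posted above, as an added Python model; this is not TekRADIUS code, the walk over the chain is an assumption based only on the Admin's description, and the Access-Request is constructed with NAS-IP-Address 10.7.0.11 (stack 2) for the posted user name.

```python
# Added example, not TekRADIUS code: a model of how Next-Group chaining
# picks a location-based VLAN from the three group profiles posted above.

# Group profiles as posted: check items and Success-Reply items. Next-Group is
# a chaining directive, not a match against the request. The clients_C ->
# clients_B link is copied from the post and forms a loop; the walker below
# guards against it with a visited set.
GROUPS = {
    "clients_A": {"check": {"NAS-IP-Address": "10.7.0.10", "Next-Group": "clients_B"},
                  "reply": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                            "Tunnel-Private-Group-ID": "1"}},
    "clients_B": {"check": {"NAS-IP-Address": "10.7.0.11", "Next-Group": "clients_C"},
                  "reply": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                            "Tunnel-Private-Group-ID": "2"}},
    "clients_C": {"check": {"NAS-IP-Address": "10.7.0.12", "Next-Group": "clients_B"},
                  "reply": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "802",
                            "Tunnel-Private-Group-ID": "3"}},
}

# One user, member of the primary group clients_A, with no attributes of its
# own (user items override group items, as the Admin reply warns).
USERS = {"002275d6b837": {"group": "clients_A", "check": {}, "reply": {}}}


def checks_pass(check_items, request):
    """True when every check item except Next-Group matches the request."""
    return all(request.get(name) == value
               for name, value in check_items.items() if name != "Next-Group")


def authorize(username, request, groups=GROUPS, users=USERS):
    """Walk the group chain; return the reply items of the first matching
    group, or None when the chain is exhausted (or loops) without a match."""
    user = users.get(username)
    if user is None:
        return None
    visited, group_name = set(), user["group"]
    while group_name in groups and group_name not in visited:
        visited.add(group_name)
        group = groups[group_name]
        if checks_pass({**group["check"], **user["check"]}, request):
            return {**group["reply"], **user["reply"]}
        group_name = group["check"].get("Next-Group")
    return None


# Constructed Access-Request from stack 2, using the posted user name
REQUEST_FROM_STACK_2 = {"NAS-IP-Address": "10.7.0.11", "User-Name": "002275d6b837"}
```

A request from 10.7.0.11 fails the clients_A check, chains to clients_B and gets Tunnel-Private-Group-ID 2; a request from an unknown NAS address walks A, B, C and then stops at the B loop instead of spinning.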
24.11.2011 15:23:58

Admin (Administrator)
Hi,

Can you send the TekRADIUS log entries (accessible through the File menu) after setting the log level to debug at Settings / Service Parameters?

Best regards,

Yasin KAPLAN
25.11.2011 09:28:43

osko001
This is the log of one entry which fails:

RadAuth req. from : 10.7.0.11:58282 - 25-11-2011 8:23:41
Size : 175 / 175
Identifier : 135
Attributes :

25-11-2011 8:23:41 - Starting PEAP (A).

NAS-Identifier = DV-B-SW-01
NAS-Port-Id = ge-0/0/0.0
NAS-Port-Type = 15
Called-Station-Id = 5c-5e-ab-7f-75-00
Acct-Session-Id = 8O2.1x81a604a7000f0c1d
Calling-Station-Id = 00-22-75-d6-b8-37
NAS-IP-Address = 10.7.0.11
NAS-Port = 68
User-Name = 002275d6b837

25-11-2011 8:23:41 - EAP Authentication commencing for user '002275d6b837'

25-11-2011 8:23:41 - Check items control - Start (Group : Clients_A).

25-11-2011 8:23:41 - Check items control - Stop (Group : Clients_A).

25-11-2011 8:23:41 - EAP Authentication commencing for user '002275d6b837'

25-11-2011 8:23:41 - Check items control - Start (Group : Clients_B).

25-11-2011 8:23:41 - Check items control - Stop (Group : Clients_B).

25-11-2011 8:23:41 - Authentication failed for user '002275d6b837'


It does go to the next group but then it fails. When I add the user 002275d6b837 directly to clients_B it does work, with this log as result:

NAS-Port-Id = ge-0/0/0.0
NAS-Identifier = DV-B-SW-01
NAS-IP-Address = 10.7.0.11
Calling-Station-Id = 00-22-75-d6-b8-37
State = eff46c882decace9bbd8abbe686b088e
User-Name = 002275d6b837
NAS-Port = 68
NAS-Port-Type = 15
Called-Station-Id = 5c-5e-ab-7f-75-00
Acct-Session-Id = 8O2.1x81a604af0003891a

25-11-2011 11:33:39 - EAP Authentication commencing for user '002275d6b837'

25-11-2011 11:33:39 - CHAP authentication commencing (Group : Clients_B).

25-11-2011 11:33:39 - CHAP authentication successful (Group : Clients_B).

25-11-2011 11:33:39 - Check items control - Start (Group : Clients_B).

25-11-2011 11:33:39 - Check items control - Stop (Group : Clients_B).

25-11-2011 11:33:39 - Authentication successfull for user '002275d6b837'

25-11-2011 11:33:39 - Fetching Success-Reply items - Start.

25-11-2011 11:33:39 - Fetching Success-Reply items - Stop.

25-11-2011 11:33:39 - Generating Reply Packet - Start.

25-11-2011 11:33:39 - Generating Reply Packet - Stop.

RadAuth reply to : 10.7.0.11:58282 - 25-11-2011 11:33:39
Size : 88
Identifier : 140
Attributes :

edited by osko001 on 25.11.2011
25.11.2011 12:54:47

osko001
Also a little correction to my earlier post: the computers behind clients_B didn't get authenticated to that VLAN, but there was a setting in the switch that put the clients in VLAN Client_B also when the authentication failed, so you can ignore that one.
26.11.2011 13:11:21

Admin (Administrator)
Hi,

I've fixed the problem. Please download and test the latest build, which I've posted to the TekRADIUS web site a couple of minutes ago. Uninstall the previous build before installing the new build. You should back up the existing TekRADIUS.mdb and TekRADIUS.ini under the TekRADIUS application directory.

Best regards,

Yasin KAPLAN
28.11.2011 12:30:00

osko001
I installed the latest version from the website (is it correct that it is version 4.3.0.0?), but the problem is still the same.
28.11.2011 14:18:49

Admin (Administrator)
Hi,

Can you send the TekRADIUS log entries again?

Best regards,

Yasin KAPLAN
28.11.2011 14:23:45

osko001
Hello,

Hereby my log again:

28-11-2011 13:23:00 - Starting PEAP (A).

NAS-Identifier = DV-B-SW-01
NAS-Port-Id = ge-0/0/0.0
NAS-Port-Type = 15
Called-Station-Id = 5c-5e-ab-7f-75-00
Acct-Session-Id = 8O2.1x81a605e000074cb3
Calling-Station-Id = 00-22-75-d6-b8-37
NAS-IP-Address = 10.7.0.11
NAS-Port = 68
User-Name = 002275d6b837

28-11-2011 13:23:00 - EAP Authentication commencing for user '002275d6b837'

28-11-2011 13:23:00 - Check items control - Start (Group : Clients_A).

28-11-2011 13:23:00 - Check items control - Stop (Group : Clients_A).

28-11-2011 13:23:00 - EAP Authentication commencing for user '002275d6b837'

28-11-2011 13:23:00 - Check items control - Start (Group : Clients_B).

28-11-2011 13:23:00 - Check items control - Stop (Group : Clients_B).

28-11-2011 13:23:00 - Authentication failed for user '002275d6b837'

RadAuth req. from : 10.7.0.11:58282 - 28-11-2011 13:23:00
Size : 175 / 175
Identifier : 81
Attributes :
28.11.2011 16:45:28

Admin (Administrator)
Hi,

I've fixed the problem. Please download and test the latest build, which I've posted to the TekRADIUS web site a couple of minutes ago. The version is still 4.3. I've tested it and it should work. Here are the user and group profiles;





Best regards,

Yasin KAPLAN
edited by Admin on 28.11.2011
05.12.2011 11:25:35

osko001
Thanks, it is working now!
05.12.2011 16:41:34

Admin (Administrator)
You're welcome.