
3com 5500-El + 802.1x + Freeradius + dynamic vlan assigment

 
OlegWoznesensky
Occasional Visitor

Has anyone had experience with setting up dynamic VLAN assignment on a 5500-EL + FreeRADIUS?

I found in the documentation that the following RADIUS attributes are used to dynamically assign a VLAN:

    [64] Tunnel-Type=VLAN (type 13)
    [65] Tunnel-Medium-Type=802 (type 6)
    [81] Tunnel-Private-Group-ID=VLANID (or VLAN name)

And there should be a "vlan-assignment-mode" option in the domain settings on the device.


FreeRADIUS sends these attributes:
===========================================
# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[peap] Got tunneled reply code 2
        Tunnel-Private-Group-Id:0 = "30"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xdf530
        MS-MPPE-Recv-Key = 0xecd14
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "sadm"
[peap] Got tunneled reply RADIUS code 2
        Tunnel-Private-Group-Id:0 = "30"
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Type:0 = VLAN
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        MS-MPPE-Send-Key = 0xdf530
        MS-MPPE-Recv-Key = 0xecd14
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "sadm"
[peap] Tunneled authentication was successful.
[peap] SUCCESS
===========================================

The device receives these attributes:
===========================================
*0.953995479 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Receive:IP=[10.0.200.27],Code=[11],Length=[108]
*0.953995481 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[7  Framed-Protocol             ] [6 ] [1]
[13 Framed-Compression          ] [6 ] [1]
[81 Tunnel_Private_Group_ID     ] [4 ] [30]
[65 Tunnel-Medium-Type          ] [6 ] [6]
[64 Tunnel-Type                 ] [6 ] [13]
[79 EAP-Message                 ] [24] [0103001]
*0.953995484 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[80 Message-Authenticator       ] [18] [70469DB]
[24 State                       ] [18] [5FC6F82]
*0.953995505 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Recv MSG,[MsgType=EAP auth request Index = 127, ulParam3=2191181076]
*0.953995507 Switch5500-LCG2 RDS/8/DEBUG:- 1 -NAS name is too long, can not send Connect_port attribute
*0.953995509 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Send attribute list:
*0.953995511 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[1  User-name                   ] [6 ] [sadm]
[79 EAP-Message                 ] [8 ] [020300060319]
[80 Message-Authenticator       ] [18] [00000000000000000000000000000000]
[4  NAS-IP-Address              ] [6 ] [10.0.20.150]
[32 NAS-Identifier              ] [14] [00186e435b82]
[5  NAS-Port                    ] [6 ] [16969729]
*0.953995513 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[61 NAS-Port-Type               ] [6 ] [15]
[6  Service-Type                ] [6 ] [2]
[7  Framed-Protocol             ] [6 ] [1]
[31 Caller-ID                   ] [16] [6338306]
[24 State                       ] [18] [5FC6F82]
*0.953995515 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Send: IP=[10.0.200.27], UserIndex=[127], ID=[33], RetryTimes=[0], Code=[1], Length=[130]
===========================================

But after a successful auth, the port goes into VLAN 1 (default).

I.e. 802.1x works, but without the auto-VLAN.

Maybe someone can give an example of a working config for the 5500-EL, or give a good hint?

My 5500-El config:

===========================================
#
sysname Switch5500-LCG2
#
undo password-control aging enable
undo password-control length enable
undo password-control history enable
password-control login-attempt 3 exceed lock-time 120
#
super password level 3 simple xxxxxxxxx
#
local-server nas-ip 127.0.0.1 key 3com
#
domain default enable md.local
#
igmp-snooping enable
#
dot1x
dot1x authentication-method eap
undo dot1x handshake enable
#
radius scheme system
radius scheme radius1
server-type standard
primary authentication 10.0.200.27
primary accounting 10.0.200.27
accounting optional
key authentication xxxxxxxxx
key accounting xxxxxxxxx
timer realtime-accounting 15
timer response-timeout 5
retry 5
user-name-format without-domain
accounting-on enable
#
domain md.local
scheme radius-scheme radius1
vlan-assignment-mode string
accounting optional
domain system
#
local-user admin
password simple xxxxxxxxx
service-type ssh telnet terminal
level 3
local-user localuser
password simple xxxxxxxxx
service-type lan-access
service-type ssh telnet terminal
level 3
local-user manager
password simple xxxxxxxxx
service-type ssh telnet terminal
level 2
local-user monitor
password simple xxxxxxxxx
service-type ssh telnet terminal
level 1
#
acl number 3997
rule 0 permit ip dscp ef
rule 1 permit tcp destination-port eq www
rule 2 permit udp destination-port eq snmp
rule 3 permit udp destination-port eq snmptrap
rule 4 permit ip dscp cs6
rule 5 permit ip dscp cs7
#
acl number 4999
rule 0 permit type 8868 ffff
rule 1 permit source 00e0-bb00-0000 ffff-ff00-0000
rule 2 permit source 0003-6b00-0000 ffff-ff00-0000
rule 3 permit source 00e0-7500-0000 ffff-ff00-0000
rule 4 permit source 00d0-1e00-0000 ffff-ff00-0000
rule 5 permit source 0001-e300-0000 ffff-ff00-0000
rule 6 permit source 000f-e200-0000 ffff-ff00-0000
rule 7 permit source 0006-b900-0000 ffff-ff00-0000
rule 8 deny dest 0000-0000-0000 ffff-ffff-ffff
#
qos-profile default
packet-filter inbound link-group 4999 rule 8
traffic-priority inbound ip-group 3997 rule 0 cos voice
traffic-priority inbound ip-group 3997 rule 4 cos network-management
traffic-priority inbound ip-group 3997 rule 5 cos network-management
traffic-priority inbound link-group 4999 rule 0 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 1 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 2 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 3 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 4 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 5 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 6 dscp ef cos voice
traffic-priority inbound link-group 4999 rule 7 dscp ef cos voice
#
vlan 1
igmp-snooping enable
#
vlan 2
description NONCOMPLIANT_VLAN
#
vlan 3
description COMPLIANT_VLAN
#
vlan 30
description Test
name test
#
vlan 101
#
interface Vlan-interface1
ip address 10.0.210.250 255.0.0.0
#
ntp-service unicast-server 10.0.0.123
#
interface Aux1/0/0
#
interface Ethernet1/0/1
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
apply qos-profile default
#


[SKIP]


interface Ethernet1/0/47
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
dot1x port-method portbased
dot1x
apply qos-profile default
#
interface Ethernet1/0/48
stp edged-port enable
broadcast-suppression pps 3000
undo jumboframe enable
apply qos-profile default
#

[SKIP]

#
undo xrn-fabric authentication-mode
#
interface NULL0
#
voice vlan mac-address 0001-e300-0000 mask ffff-ff00-0000 description Siemens AG phone
voice vlan mac-address 0006-b900-0000 mask ffff-ff00-0000 description Philips and NEC AG phone
#
ip route-static 0.0.0.0 0.0.0.0 10.0.0.123 preference 60
#
snmp-agent
#
user-interface aux 0 7
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
#
return
===========================================
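Added example, not code from this thread or from 3Com/HP: a small Python script that parses the attribute lines of the switch's RDS/8/DEBUG dump and the VLAN/domain part of the posted config, then cross-checks the two the way you would when the port lands in VLAN 1 despite the RADIUS reply looking right. The sample input embedded below is constructed from the lines quoted in the post. Two things it checks are assumptions I am making explicit in the code rather than facts taken from the post: that Comware's `vlan-assignment-mode integer` matches Tunnel-Private-Group-ID against VLAN IDs while `string` matches it against VLAN names, and that, per RFC 2868, a NAS only acts on tunnel attributes carried in an Access-Accept (code 2), not in an Access-Challenge (code 11, which is what the quoted dump shows).

```python
import re

# RADIUS packet codes and the RFC 2868 tunnel attributes used for dynamic VLAN
# assignment (attribute numbers and values are the ones quoted in the post).
ACCESS_ACCEPT, ACCESS_CHALLENGE = 2, 11
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM, ATTR_TUNNEL_GROUP = 64, 65, 81
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Constructed sample input: one received packet in the layout of the switch's
# "RDS/8/DEBUG" output from the post (values copied from there).
SWITCH_DEBUG = """\
*0.953995479 Switch5500-LCG2 RDS/8/DEBUG:- 1 -Receive:IP=[10.0.200.27],Code=[11],Length=[108]
*0.953995481 Switch5500-LCG2 RDS/8/DEBUG:- 1 -
[7  Framed-Protocol             ] [6 ] [1]
[13 Framed-Compression          ] [6 ] [1]
[81 Tunnel_Private_Group_ID     ] [4 ] [30]
[65 Tunnel-Medium-Type          ] [6 ] [6]
[64 Tunnel-Type                 ] [6 ] [13]
[79 EAP-Message                 ] [24] [0103001]
"""

# Constructed sample input: the domain and VLAN lines of the posted switch config.
SWITCH_CONFIG = """\
domain md.local
 scheme radius-scheme radius1
 vlan-assignment-mode string
#
vlan 3
 description COMPLIANT_VLAN
#
vlan 30
 description Test
 name test
#
"""

# "[81 Tunnel_Private_Group_ID     ] [4 ] [30]" -> number, name, length, value
ATTR_RE = re.compile(r"^\[(\d+)\s+(\S+)\s*\]\s*\[\s*(\d+)\s*\]\s*\[(.*)\]$")
CODE_RE = re.compile(r"Receive:IP=\[([^\]]+)\],Code=\[(\d+)\]")


def parse_switch_debug(text):
    """Return (radius_code, {attr_number: value}) from one RDS/8/DEBUG packet dump."""
    code, attrs = None, {}
    for line in text.splitlines():
        m = CODE_RE.search(line)
        if m:
            code = int(m.group(2))
            continue
        m = ATTR_RE.match(line.strip())
        if m:
            attrs[int(m.group(1))] = m.group(4)
    return code, attrs


def parse_vlans(config):
    """Return (vlan_assignment_mode, {vlan_id: vlan_name_or_None}) from a Comware config."""
    mode, vlans, current = None, {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("vlan-assignment-mode "):
            mode = line.split()[1]
        elif re.fullmatch(r"vlan \d+", line):
            current = int(line.split()[1])
            vlans[current] = None
        elif line.startswith("name ") and current is not None:
            vlans[current] = line.split(None, 1)[1]
        elif line == "#":
            current = None
    return mode, vlans


def check_vlan_assignment(debug_text, config_text):
    """Cross-check received tunnel attributes against the switch's VLAN config.

    Returns a list of findings; an empty list means nothing looked wrong.
    """
    findings = []
    code, attrs = parse_switch_debug(debug_text)
    mode, vlans = parse_vlans(config_text)

    # Assumption (RFC 2868): tunnel attributes are only acted on in an Access-Accept.
    if code != ACCESS_ACCEPT:
        findings.append(f"tunnel attributes seen in RADIUS code {code}, not Access-Accept (2); "
                        "the NAS will not assign a VLAN from this packet")
    if attrs.get(ATTR_TUNNEL_TYPE) != str(TUNNEL_TYPE_VLAN):
        findings.append("Tunnel-Type is not VLAN (13)")
    if attrs.get(ATTR_TUNNEL_MEDIUM) != str(MEDIUM_IEEE_802):
        findings.append("Tunnel-Medium-Type is not IEEE-802 (6)")

    group = attrs.get(ATTR_TUNNEL_GROUP)
    if group is None:
        findings.append("Tunnel-Private-Group-ID missing")
        return findings
    by_id = group.isdigit() and int(group) in vlans
    by_name = group in vlans.values()
    # Assumption: Comware "integer" mode matches VLAN IDs, "string" mode matches VLAN names.
    if mode == "string" and not by_name:
        findings.append(f"vlan-assignment-mode string but no VLAN is named {group!r}"
                        + (f" (VLAN ID {group} exists; integer mode would match it)" if by_id else ""))
    if mode == "integer" and not by_id:
        findings.append(f"vlan-assignment-mode integer but no VLAN {group} is configured")
    return findings


if __name__ == "__main__":
    for finding in check_vlan_assignment(SWITCH_DEBUG, SWITCH_CONFIG) or ["no mismatch found"]:
        print("-", finding)
```

Run against the sample it reports two findings: the attributes were seen in a code 11 packet, and with `vlan-assignment-mode string` there is no VLAN named "30" (VLAN ID 30 exists, so integer mode would match it). Feed it the code 2 packet and the integer mode and it reports nothing.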

vangass
Frequent Advisor

Re: 3com 5500-El + 802.1x + Freeradius + dynamic vlan assigment

Hi,

I have experience with dynamic VLANs with 5500EI + FreeRADIUS + MySQL. I understand that you only need the switch config. So here it is (I did this with MAC authentication, not dot1x commands):

<5500EI>dis cur
#
 MAC-authentication
 MAC-authentication timer offline-detect 600
 MAC-authentication domain xxx
#
radius scheme XYZ
 server-type extended
 primary authentication x.x.x.x
 primary accounting x.x.x.y
 secondary authentication x.x.x.y
 secondary accounting x.x.x.x
 accounting optional
 key authentication yyyyyyyy              
 key accounting yyyyyyyy
 user-name-format without-domain
#
domain xxx
 scheme radius-scheme XYZ
#
interface Ethernet1/0/1
 stp edged-port enable
 broadcast-suppression pps 3000
 MAC-authentication
 MAC-authentication max-auth-num 1
 MAC-authentication guest-vlan 11         
 description NONE
 apply qos-profile default

If you need any other configuration files, let me know.

 

V.