fara_ib, 2019-09-21 18:21:15
MySQL

How to set up adding a port to a vlan after an 802.1x check?

Hello. Has anyone done something similar on D-Link? How did you do it? I am interested in setting up a switch and a radius server so that, after the user is checked, he gets access to another vlan while until then he sits in the guest one. The user check on the server seems to work, but after that there is silence with the vlans.
Thank you.
The result of the client connecting to the switch (radius was stopped and started with freeradius -X, debug mode).
(192.168.2.57 is dlink switch, 192.168.2.1 is radius server.)


(11) Received Accounting-Request Id 2 from 192.168.2.57:1813 to 192.168.2.1:1813 length 104
(11) User-Name = "bruno"
(11) Acct-Session-Id = "000000000001"
(11) NAS-Identifier = "D-LINK"
(11) NAS-IP-Address = 192.168.2.57
(11) NAS-Port = 12
(11) Acct-Authentic = RADIUS
(11) Acct-Status-Type = Start
(11) Service-Type = Framed-User
(11) Calling-Station-Id = "F4-30-B9-39-35-8D"
(11) Acct-Delay-Time = 0
(11) # Executing section preacct from file /etc/freeradius/3.0/sites-enabled/default
(11) preacct {
(11) [preprocess] = ok
(11) policy acct_unique {
(11) update request {
(11) &Tmp-String-9 := "ai:"
(11) } # update request = noop
(11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(11) EXPAND %{hex:&Class}
(11) -->
(11) EXPAND ^%{hex:&Tmp-String-9}
(11) --> ^61693a
(11) if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && ("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) -> FALSE
(11) else {
(11) update request {
(11) EXPAND %{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(11) --> 8239339ed764dc316b058fbd7866bbd6
(11) &Acct-Unique-Session-Id := 8239339ed764dc316b058fbd7866bbd6
(11) } # update request = noop
(11) } # else = noop
(11) } # policy acct_unique = noop
(11) suffix: Checking for suffix after "@"
(11) suffix: No '@' in User-Name = "bruno", looking up realm NULL
(11) suffix: No such realm "NULL"
(11) [suffix] = noop
(11) [files] = noop
(11) } # preacct = ok
(11) # Executing section accounting from file /etc/freeradius/3.0/sites-enabled/default
(11) accounting {
(11) detail: EXPAND /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(11) detail: --> /var/log/freeradius/radacct/192.168.2.57/detail-20190921
(11) detail: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.2.57/detail-20190921
(11) detail: EXPAND %t
(11) detail: --> Sat Sep 21 16:58:13 2019
(11) [detail] = ok
(11) [unix] = ok
(11) [exec] = noop
(11) attr_filter.accounting_response: EXPAND %{User-Name}
(11) attr_filter.accounting_response: --> bruno
(11) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(11) [attr_filter.accounting_response] = updated
(11) } # accounting = updated
(11) Sent Accounting-Response Id 2 from 192.168.2.1:1813 to 192.168.2.57:1813 length 0
(11) Finished request
(11) Cleaning up request packet ID 2 with timestamp +235
Waking up in 4.9 seconds.
(10) Cleaning up request packet ID 1 with timestamp +235
Ready to process requests

Test run of the connection check on the radius server (debug mode)
(12) Received Access-Request Id 52 from 127.0.0.1:43242 to 127.0.0.1:1812 length 75
(12) User-Name = "bruno"
(12) User-Password = "boss123"
(12) NAS-IP-Address = 127.0.1.1
(12) NAS-Port = 0
(12) Message-Authenticator = 0x3b4dfe0ce0361b2f0cf1fba6839c7b45
(12) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(12) authorize {
(12) policy filter_username {
(12) if (&User-Name) {
(12) if (&User-Name) -> TRUE
(12) if (&User-Name) {
(12) if (&User-Name =~ / /) {
(12) if (&User-Name =~ / /) -> FALSE
(12) if (&User-Name =~ /@[^@]*@/ ) {
(12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(12) if (&User-Name =~ /\.\./ ) {
(12) if (&User-Name =~ /\.\./ ) -> FALSE
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(12) if (&User-Name =~ /\.$/) {
(12) if (&User-Name =~ /\.$/) -> FALSE
(12) if (&User-Name =~ /@\./) {
(12) if (&User-Name =~ /@\./) -> FALSE
(12) } # if (&User-Name) = notfound
(12) } # policy filter_username = notfound
(12) [preprocess] = ok
(12) [chap] = noop
(12) [mschap] = noop
(12) [digest] = noop
(12) suffix: Checking for suffix after "@"
(12) suffix: No '@' in User-Name = "bruno", looking up realm NULL
(12) suffix: No such realm "NULL"
(12) [suffix] = noop
(12) eap: No EAP-Message, not doing EAP
(12) [eap] = noop
(12) files: users: Matched entry bruno at line 221
(12) [files] = ok
(12) [expiration] = noop
(12) [logintime] = noop
(12) [pap] = updated
(12) } # authorize = updated
(12) Found Auth-Type = PAP
(12) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(12) Auth-Type PAP {
(12) pap: Login attempt with password
(12) pap: Comparing with "known good" Cleartext-Password
(12) pap: User authenticated successfully
(12) [pap] = ok
(12) } # Auth-Type PAP = ok
(12) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(12) post-auth {
(12) update {
(12) No attributes updated
(12) } # update = noop
(12) [exec] = noop
(12) policy remove_reply_message_if_eap {
(12) if (&reply:EAP-Message && &reply:Reply-Message) {
(12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(12) else {
(12) [noop] = noop
(12) } # else = noop
(12) } # policy remove_reply_message_if_eap = noop
(12) } # post-auth = noop
(12) Sent Access-Accept Id 52 from 127.0.0.1:1812 to 127.0.0.1:43242 length 0
(12) Tunnel-Type = VLAN
(12) Tunnel-Medium-Type = IEEE-802
(12) Tunnel-Private-Group-Id = "20"
(12) Finished request
Waking up in 4.9 seconds.
(12) Cleaning up request packet ID 52 with timestamp +1987
Ready to process requests

Another user check on the radius server.
[email protected]:/home/sysop# radtest bruno boss123 localhost 0 testing123
Sent Access-Request Id 189 from 0.0.0.0:54931 to 127.0.0.1:1812 length 75
User-Name = "bruno"
User-Password = "boss123"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "boss123"
Received Access-Accept Id 189 from 127.0.0.1:1812 to 0.0.0.0:0 length 36
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "20"

Radius server clients.conf settings.
… only what I added myself
client SWITCH-01 {
    ipaddr = 192.168.2.57      # the DGS-1210 switch that sends Access/Accounting requests
    secret = kamisama123       # must equal the "key" given in "config radius add" on the switch
}

Radius server user settings (users file).
… only what I added myself
# users file entry: the password is checked against Cleartext-Password (PAP/EAP),
# the reply carries the RFC 2868 VLAN triple (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802)
bruno   Cleartext-Password := "boss123"
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = 20

D-Link DGS switch settings (802.1x).
# 8021X
enable 802.1x
config 802.1x auth_mode port_based
config 802.1x auth_protocol radius_eap
config 802.1x fwd_pdu system enable
# ports 1,17-28 are exempt from authentication; ports 2-16 act as authenticators
config 802.1x capability ports 1,17-28 none
config 802.1x capability ports 2-16 authenticator
config 802.1x auth_parameter ports 1-28 port_control auto
config 802.1x auth_parameter ports 1-28 direction both quiet_period 60 tx_period 30 supp_timeout 30 server_timeout 30 max_req 2 reauth_period 3600 enable_reauth disable
# RADIUS server; the key must equal the secret in clients.conf on the server
config radius add 1 192.168.2.1 key kamisama123 auth_port 1812 acct_port 1813 timeout 5 retransmit 2
# unauthenticated clients on ports 9-16 are placed in v10 (guest)
create 802.1x guest_vlan v10
config 802.1x guest_vlan ports 9,10,11,12,13,14,15,16 state enable

DGS-1210-28/ME:5# show radius
Command: show radius
Index  Ip Address    Auth-Port  Acct-Port  Timeout(secs)  Retransmit  Key
-----  ------------  ---------  ---------  -------------  ----------  -----------
1      192.168.2.1   1812       1813       5              2           kamisama123
Total Entries : 1

DGS-1210-28/ME:5# show vlan
Command: show vlan
VID : 1 VLAN NAME : default
VLAN Type : Static
VLAN Advertisement : Disabled
Member Ports : 1,17-28
Tagged Ports :
Untagged Ports : 1,17-28
Forbidden Ports :
VID : 10 VLAN NAME : v10
VLAN Type : Static
VLAN Advertisement : Disabled
Member Ports : 9-16
Tagged Ports :
Untagged Ports : 9-16
Forbidden Ports :
VID : 20 VLAN NAME : v20
VLAN Type : Static
VLAN Advertisement : Disabled
Member Ports : 2-8
Tagged Ports :
Untagged Ports : 2-8
Forbidden Ports :
Total Entries : 3
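
One thing the pasted debug output does not show is the switch's own Access-Request/Access-Accept exchange: the switch-side excerpt starts at request (11), which is the Accounting Start for port 12, while the only Access-Accept carrying the VLAN triple in the capture went to the radtest client on 127.0.0.1. The script below is an added example (not part of the question and not a FreeRADIUS tool): it groups a `freeradius -X` capture by NAS address and reports, per NAS, how many Access-Requests were seen, how many Access-Accepts carried Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id, and whether Accounting Starts arrived without any visible Accept. The embedded SAMPLE_LOG is constructed from the lines above; the regular expressions assume the default FreeRADIUS 3.0 debug line format.

```python
"""Summarise a FreeRADIUS "-X" debug capture per NAS address.

Added example, not part of the question and not a FreeRADIUS tool. It reads
the request/reply lines FreeRADIUS 3.0 prints in debug mode and reports, for
every NAS that talked to the server, how many Access-Requests it sent, how
many Access-Accepts it received, how many of those carried the full VLAN
triple, and how many Accounting Starts it sent. SAMPLE_LOG is constructed
from the lines in the question.
"""
import re
from collections import defaultdict

# Assumed: default FreeRADIUS 3.0 debug line formats
RECV_RE = re.compile(
    r"^\((\d+)\) Received (Access-Request|Accounting-Request) Id (\d+) "
    r"from ([\d.]+):\d+")
SENT_RE = re.compile(
    r"^\((\d+)\) Sent (Access-Accept|Access-Reject|Accounting-Response) Id (\d+) "
    r"from [\d.]+:\d+ to ([\d.]+):\d+")
# '(12) Tunnel-Private-Group-Id = "20"' or '(11) NAS-Port = 12'; the optional
# ":N" is the RFC 2868 tag FreeRADIUS prints on tagged attributes
ATTR_RE = re.compile(r'^\((\d+)\) ([A-Za-z0-9-]+)(?::\d+)? = "?([^"]*)"?$')

VLAN_TRIPLE = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-Id")

# Constructed from the question's debug output (shortened)
SAMPLE_LOG = """\
(11) Received Accounting-Request Id 2 from 192.168.2.57:1813 to 192.168.2.1:1813 length 104
(11) User-Name = "bruno"
(11) NAS-IP-Address = 192.168.2.57
(11) NAS-Port = 12
(11) Acct-Status-Type = Start
(11) Calling-Station-Id = "F4-30-B9-39-35-8D"
(11) [preprocess] = ok
(11) Sent Accounting-Response Id 2 from 192.168.2.1:1813 to 192.168.2.57:1813 length 0
(11) Finished request
(12) Received Access-Request Id 52 from 127.0.0.1:43242 to 127.0.0.1:1812 length 75
(12) User-Name = "bruno"
(12) User-Password = "boss123"
(12) NAS-IP-Address = 127.0.1.1
(12) Message-Authenticator = 0x3b4dfe0ce0361b2f0cf1fba6839c7b45
(12) [files] = ok
(12) Found Auth-Type = PAP
(12) pap: User authenticated successfully
(12) Sent Access-Accept Id 52 from 127.0.0.1:1812 to 127.0.0.1:43242 length 0
(12) Tunnel-Type = VLAN
(12) Tunnel-Medium-Type = IEEE-802
(12) Tunnel-Private-Group-Id = "20"
(12) Finished request
"""


def parse_debug(text):
    """Return {request_number: record}; attributes printed before the 'Sent'
    line belong to the request, those printed after it belong to the reply."""
    reqs = {}
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            num, kind, pid, nas = m.groups()
            reqs[num] = {"nas": nas, "kind": kind, "id": int(pid),
                         "req": {}, "reply": {}, "reply_kind": None}
            continue
        m = SENT_RE.match(line)
        if m:
            num, kind, _pid, _dst = m.groups()
            if num in reqs:
                reqs[num]["reply_kind"] = kind
            continue
        m = ATTR_RE.match(line)
        if m:
            num, name, value = m.groups()
            rec = reqs.get(num)
            if rec is not None:
                target = rec["reply"] if rec["reply_kind"] else rec["req"]
                target.setdefault(name, value)   # first occurrence wins
    return reqs


def summarize(reqs):
    """Per NAS source address: request/accept counts and VLANs handed out."""
    out = defaultdict(lambda: {"access_requests": 0, "accepts": 0,
                               "accepts_with_vlan": 0, "vlans": [], "acct_starts": 0})
    for rec in reqs.values():
        s = out[rec["nas"]]
        if rec["kind"] == "Access-Request":
            s["access_requests"] += 1
            if rec["reply_kind"] == "Access-Accept":
                s["accepts"] += 1
                if all(a in rec["reply"] for a in VLAN_TRIPLE):
                    s["accepts_with_vlan"] += 1
                    s["vlans"].append(rec["reply"]["Tunnel-Private-Group-Id"])
        elif rec["kind"] == "Accounting-Request" and rec["req"].get("Acct-Status-Type") == "Start":
            s["acct_starts"] += 1
    return dict(out)


def findings(summary):
    """The checks a practitioner wants answered from the capture."""
    notes = []
    for nas, s in sorted(summary.items()):
        if s["acct_starts"] and not s["accepts"]:
            notes.append(f"{nas}: {s['acct_starts']} Accounting Start(s) but no Access-Accept "
                         f"in this capture; the authentication exchange for this NAS is not in the excerpt")
        if s["accepts"] and s["accepts_with_vlan"] < s["accepts"]:
            notes.append(f"{nas}: {s['accepts'] - s['accepts_with_vlan']} Access-Accept(s) without the "
                         f"Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id triple; the switch cannot move the port")
        if s["accepts_with_vlan"]:
            notes.append(f"{nas}: VLAN(s) {sorted(set(s['vlans']))} handed out in "
                         f"{s['accepts_with_vlan']} Access-Accept(s)")
    return notes


if __name__ == "__main__":
    for note in findings(summarize(parse_debug(SAMPLE_LOG))):
        print(note)
```

Run it against a full `freeradius -X` capture taken while the supplicant actually re-authenticates on the switch port (for example after `enable_reauth` or a cable re-plug); if the switch's address shows Access-Requests but the Accept lacks the triple, the problem is on the server side, and if the Accept carries it, the problem is in how the switch applies it.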


2 answer(s)
Arman, 2018-05-06
@tolsor

, `fam` DESC?

Denis Sechin, 2019-09-23
@tamogavk

Well, you put the desired vlan on the port and in the authentication settings you put the guest one, or do you need to assign the vlan depending on the user?
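
Assigning the vlan per user, as the answer above puts it, is on the wire an Access-Accept carrying the three RFC 2868 tunnel attributes that the users-file entry in the question produces (Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802, Tunnel-Private-Group-Id = the VLAN id). The following is an added example, my own code rather than anything from the thread, FreeRADIUS or D-Link: it builds that packet, signs it with the Response Authenticator from RFC 2865 that ties the reply to the shared secret, and decodes it the way a switch must, including the tag-byte rule for the string attribute. The request authenticator and the shared secret are constructed sample values; the attribute numbers and the VLAN/IEEE-802 codes are the RFC 2868 ones.

```python
"""Build, sign and decode the Access-Accept used for dynamic VLAN assignment.

Added example, not code from the thread, FreeRADIUS or D-Link. Packet layout
follows RFC 2865 (header, Response Authenticator) and RFC 2868 (tagged
Tunnel-* attributes). The request authenticator and secret below are sample
values constructed for the demonstration.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # RFC 2868: 13 = VLAN
TUNNEL_MEDIUM_802 = 6      # RFC 2868: 6 = IEEE-802


def tagged_int(attr, tag, value):
    """Tagged integer attribute: one tag byte plus a 3-byte value (RFC 2868 3.1, 3.2)."""
    body = bytes([tag]) + (value & 0xFFFFFF).to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def tagged_str(attr, tag, value):
    """Tagged string attribute: tag byte (0x01-0x1F) followed by the text (RFC 2868 3.6)."""
    body = bytes([tag]) + value.encode()
    return bytes([attr, 2 + len(body)]) + body


def build_access_accept(ident, request_auth, secret, vlan, tag=1):
    """Access-Accept with the VLAN triple, all three attributes sharing one tag."""
    attrs = (tagged_int(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + tagged_int(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_802)
             + tagged_str(TUNNEL_PRIVATE_GROUP_ID, tag, vlan))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # RFC 2865 3: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """True only if the reply was produced by a party holding the shared secret."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expect = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expect, resp_auth)


def parse_attrs(packet):
    """Walk the attribute TLVs after the 20-byte header; return [(type, tag, value)]."""
    out, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        body = packet[pos + 2:pos + length]
        pos += length
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(body) != 4:
                raise ValueError("tagged integer must be 4 bytes")
            out.append((t, body[0], int.from_bytes(body[1:], "big")))
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 3.6: a first byte of 0x00-0x1F is a tag; 0x20 and above
            # is already string data, so an ASCII VLAN id never looks like a tag
            if body and body[0] <= 0x1F:
                out.append((t, body[0], body[1:].decode()))
            else:
                out.append((t, 0, body.decode()))
        else:
            out.append((t, None, body))
    return out


def vlan_from_accept(packet):
    """VLAN id string if a complete, consistently tagged triple is present, else None."""
    by_tag = {}
    for t, tag, val in parse_attrs(packet):
        by_tag.setdefault(tag, {})[t] = val
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_802
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID]
    return None


if __name__ == "__main__":
    req_auth = bytes(range(16))          # sample Request Authenticator
    pkt = build_access_accept(52, req_auth, b"kamisama123", "20")
    print(pkt.hex())
    print("valid:", verify_response(pkt, req_auth, b"kamisama123"),
          "vlan:", vlan_from_accept(pkt))
```

Two points follow from the code. First, the Response Authenticator is a plain MD5 over the packet plus the secret, so anyone who captures one request/reply pair can test candidate secrets offline at MD5 speed; a short, guessable secret like the one in the post gives little protection, so use a long random one and keep the RADIUS path on a management VLAN (or RadSec). Second, whether the switch expects the VID or the VLAN name in Tunnel-Private-Group-Id depends on the switch firmware, so check the D-Link documentation for the model and make sure the VLAN already exists on the switch, as v20 does in the `show vlan` output above.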
