This is a discussion on Re: VLAN assigment and Alcatel Omniswitch 7800 within the FreeRADIUS Users forums, part of the Networking and Network Related category.
Hello Oxiel,

Are you doing AVLAN or 802.1x?

1. I created a new file - dictionary.alcatel

#
# dictionary.alcatel
#
#          Alcatel VSAs
#

VENDOR          Alcatel                 800

#
# Standard attribute
#
ATTRIBUTE       Alcatel-Auth-Group      1       integer         Alcatel
ATTRIBUTE       Alcatel-Slot-Port       2       string          Alcatel
ATTRIBUTE       Alcatel-Time-of-Day     3       string          Alcatel
ATTRIBUTE       Alcatel-Client-IP-Addr  4       ipaddr          Alcatel
ATTRIBUTE       Alcatel-Group-Desc      5       string          Alcatel
ATTRIBUTE       Alcatel-Port-Desc       6       string          Alcatel

VALUE           Acct-Authentic          AUTH-AVCLIENT   4
VALUE           Acct-Authentic          AUTH-TELNET     5
VALUE           Acct-Authentic          AUTH-HTTP       6

2. For users file

user1           Auth-Type := Local, Password = "user1"
                Alcatel-Auth-Group = 3

3. For AVLAN

vlan 3 authentication enable
vlan port mobile 1/1 bpdu ignore enable
vlan port 1/1 authenticate enable
ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3
aaa radius-server rad1 host 192.168.10.211 key radkey
aaa authentication vlan single-mode rad1
aaa accounting vlan rad1
aaa avlan default dhcp 192.168.11.254
aaa avlan dns alcatel
avlan 3 auth-ip 192.168.11.253

4. For 802.1x (Sorry, just from my memory)

vlan 3 802.1x enable
vlan port mobile 1/1 bpdu ignore enable
vlan port 1/1 802.1x enable
ip interface vlan3 address 192.168.11.254 mask 255.255.255.0 vlan 3
aaa radius-server rad1 host 192.168.10.211 key radkey
aaa authentication 802.1x rad1
aaa accounting 802.1x rad1

Regards,
Santa Yeh

Oxiel Contreras wrote:
> Hello Santa.
>
> On Sunday, 11 February 2007 22:57, Santa Yeh wrote:
>
>> You can not use the standard attributes :
>>
>> Tunnel-Type:0 += VLAN
>> Tunnel-Medium-Type:0 += IEEE-802
>> Tunnel-Private-Group-Id:0 += "3"
>>
>> The VSA for Alcatel switches is Alcatel-Auth-Group, that is why you
>> should check the user manual.
>
> I've added the Alcatel-Auth-Group attribute to dictionary.alcatel like this:
>
> ATTRIBUTE Alcatel-Auth-Group 134 integer
>
> and modified the users file like this:
>
> Tunnel-Type += 13,
> Tunnel-Medium-Type += 6,
> Alcatel-Auth-Group += 3
>
> Now I see the Access-Accept part of the log, which is sent with the
> attribute, but nothing happens.
>
> Sending Access-Accept of id 181 to 192.168.10.20 port 1074
>         Tunnel-Type:0 += VLAN
>         Tunnel-Medium-Type:0 += IEEE-802
>         Alcatel-Auth-Group += 3
>         MS-MPPE-Recv-Key = 0xc90404d5af28944ae97417b2336cf56e204fe5afab5c7c7e7e50045ec24473b3
>         MS-MPPE-Send-Key = 0xc990b966cc4bed66c7be062e54795ddb253efe28c8426ecbb298d302c64b9359
>         EAP-Message = 0x030d0004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "MYDOMAIN\\jose"
> Finished request 8
>
> Could you please pass me the relevant parts of your switch setup?
>
> vlan port mobile
> vlan authentication
> aaa
>
> Is it necessary to define vlan rules on the switch in order to move the mobile
> port to the vlan designated with Alcatel-Auth-Group?
>
> Thanks and best regards
>
> Oxiel
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
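The two dictionary definitions in this thread produce different bytes in the Access-Accept. The following added example (not part of the original messages, and not FreeRADIUS or Alcatel code) encodes Alcatel-Auth-Group = 3 both as a Vendor-Specific attribute with vendor 800 / type 1 and as a plain top-level attribute 134, using the RFC 2865 layout; the function names are hypothetical, and the parser treats every value as an integer and reads only the first sub-attribute of a VSA.

```python
import struct

VENDOR_SPECIFIC = 26       # RFC 2865 Vendor-Specific attribute type
ALCATEL_VENDOR_ID = 800    # "VENDOR Alcatel 800" from the thread
ALCATEL_AUTH_GROUP = 1     # "ATTRIBUTE Alcatel-Auth-Group 1 integer Alcatel"

def encode_plain(attr_type, value):
    """Top-level integer attribute: Type, Length=6, 4-byte value."""
    return struct.pack("!BBI", attr_type, 6, value)

def encode_vsa(vendor_id, vendor_type, value):
    """Integer VSA: Type 26, Length, Vendor-Id, then vendor Type/Length/value."""
    sub = struct.pack("!BBI", vendor_type, 6, value)
    return struct.pack("!BBI", VENDOR_SPECIFIC, 6 + len(sub), vendor_id) + sub

def parse_attributes(data):
    """Walk an attribute list; return (vendor_id or None, type, int value)."""
    out, pos = [], 0
    while pos < len(data):
        # Reject a truncated header or a length that runs past the buffer.
        if pos + 2 > len(data) or not 2 <= data[pos + 1] <= len(data) - pos:
            raise ValueError("bad attribute length")
        a_type, a_len = data[pos], data[pos + 1]
        body = data[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC:
            # Body is Vendor-Id (4 bytes) followed by vendor Type/Length/value.
            if len(body) < 6 or not 2 <= body[5] <= len(body) - 4:
                raise ValueError("bad vendor attribute length")
            vendor_id = struct.unpack("!I", body[:4])[0]
            value = int.from_bytes(body[6:4 + body[5]], "big")
            out.append((vendor_id, body[4], value))
        else:
            out.append((None, a_type, int.from_bytes(body, "big")))
        pos += a_len
    return out

def vlan_from_alcatel_vsa(data):
    """Return the Alcatel-Auth-Group value, or None if that VSA is absent."""
    for vendor_id, a_type, value in parse_attributes(data):
        if vendor_id == ALCATEL_VENDOR_ID and a_type == ALCATEL_AUTH_GROUP:
            return value
    return None

# Constructed sample attribute lists (not captured traffic).
AS_VSA = encode_vsa(ALCATEL_VENDOR_ID, ALCATEL_AUTH_GROUP, 3)
AS_PLAIN_134 = encode_plain(134, 3)
```

A receiver that looks for vendor 800, type 1 finds the group number only in the first encoding, even though a server debug log prints both as `Alcatel-Auth-Group += 3`.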