I'm using FreeRadius with a Ubiquiti WiFi AP with 802.1x auth using EAP-TLS (mutual client/server cert based auth). This is working well for static VLANs (i.e. specified on the AP).

I'd like to offload the VLAN assignment to Radius so that different users can be assigned to different VLANs.

I am not sure how to do this using EAP-TLS. All docs I've found online use the users file but are using other EAP methods.

So far, I've put this at the top of my /etc/freeradius/users file:

DEFAULT        Tunnel-Medium-Type = 6
               Tunnel-Private-Group-ID = [12],
               Tunnel-Type = VLAN

However no VLAN is assigned by Radius.

I'm not sure where to go from here. Perhaps I need something inside the tls section of /etc/freeradius/eap.conf to tell it to use the users file?

Help is appreciated, thanks!

user397220
    Your users file entry is malformed. Shouldn't be anything on the first line, and there's no need for square brackets around the 12, not sure where you got that from. – Arran Cudbard-Bell Jan 26 '17 at 22:47

1 Answer

I managed to get this sorted. The solution was that the first line should be a "Check", then the remaining lines are replies.

This worked for me:

DEFAULT NAS-Port-Type == Wireless-802.11
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "12"
user397220
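
The check-line versus reply-line distinction from the answer, as an added example that is not part of either post and is not FreeRADIUS's own parser: a small Python check that splits a users-file entry into check and reply items and reports why the AP would receive no VLAN. The function names are hypothetical, and it assumes numeric VLAN IDs as used on this page.

```python
import re

# Reply attributes needed for dynamic VLAN assignment, with the values used
# on this page (13 = VLAN, 6 = IEEE-802). None = validated separately below.
REQUIRED = {
    "tunnel-type": {"13", "vlan"},
    "tunnel-medium-type": {"6", "ieee-802"},
    "tunnel-private-group-id": None,
}
ITEM = re.compile(r'([\w-]+)\s*(==|:=|\+=|=)\s*("[^"]*"|[^,\s]+)')

def parse_entry(text):
    """Split one users-file entry into (name, check_items, reply_items).
    Items on the first line are check items; the indented lines are reply items."""
    lines = [l for l in text.splitlines() if l.strip()]
    name, *rest = lines[0].split(None, 1)
    items = lambda s: [(m[1].lower(), m[2], m[3].strip('"')) for m in ITEM.finditer(s)]
    return name, items("".join(rest)), [it for l in lines[1:] for it in items(l)]

def vlan_problems(text):
    """Return reasons why this entry would not hand a VLAN back to the AP."""
    _, check, reply = parse_entry(text)
    checked = {attr for attr, _, _ in check}
    replied = {attr: val for attr, _, val in reply}
    problems = []
    for attr, allowed in REQUIRED.items():
        if attr not in replied:
            why = "is on the first line (a check item)" if attr in checked else "is absent"
            problems.append(f"{attr} {why}, so it is not in the reply")
        elif allowed and replied[attr].lower() not in allowed:
            problems.append(f"{attr} has unexpected value {replied[attr]!r}")
    vlan = replied.get("tunnel-private-group-id")
    if vlan is not None and not (re.fullmatch(r"[0-9]{1,4}", vlan) and 1 <= int(vlan) <= 4094):
        problems.append(f"tunnel-private-group-id {vlan!r} is not a VLAN number (1-4094)")
    return problems

# The two entries from this page: the question's and the answer's.
QUESTION_ENTRY = """DEFAULT        Tunnel-Medium-Type = 6
               Tunnel-Private-Group-ID = [12],
               Tunnel-Type = VLAN
"""
ANSWER_ENTRY = """DEFAULT NAS-Port-Type == Wireless-802.11
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "12"
"""

if __name__ == "__main__":
    for label, entry in (("question", QUESTION_ENTRY), ("answer", ANSWER_ENTRY)):
        print(label, vlan_problems(entry) or "ok")
```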