Dynamic VLAN assignment with RADIUS authentication

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-06-20 19:44:09 - last edited 2023-11-06 03:51:36
Tags: #Dynamic VLAN
Hardware Version:
Firmware Version: 5.9.9

Hi everyone,


I have a small network of twenty-something clients, spread evenly between wired and wireless connections. The switch is a TL-SG2008P v3.0 and the EAP is an EAP653(EU) v1.0, both adopted by a software-based controller (ver. 5.9.9 at the time this is posted). Some other brands' managed switches are daisy-chained to the TL-SG2008P on some ports. The router is pfSense, which manages DHCP, VLANs and rules.

Four VLANs are configured, for managing the network and access segregation.

In a first setup, each wired client is assigned a VLAN through either the TL-SG2008P or a managed switch. Four SSIDs are created, each being assigned a VLAN.

Everything works perfectly.

However, I do not like having multiple SSIDs, which I find inelegant and difficult to explain to users.

I guessed that some form of dynamic VLAN attribution would be ideal. After some research, I learned about RADIUS authentication and 802.1X.

In a second setup, a FreeRADIUS server is created within the router (pfSense), and each switch and EAP is identified as a client to the FreeRADIUS server. The switches are configured with 802.1X. The EAP is configured to emit only one SSID with RADIUS identification and dynamic VLAN assignment.

Identification works flawlessly for each user created within the FreeRADIUS server. However, there is an issue with VLAN assignment.

Despite each user being assigned a VLAN within FreeRADIUS, the VLANs are not queried by either the switch or the EAP when requesting an IP address. I can monitor both the request for authentication and the response by the FreeRADIUS server. Users are authenticated upon request, and the response comprises the VLAN to be assigned to the user.

However, the DHCP request emitted by the EAP or the switch lacks any VLAN information.

More precisely, in the first setup, all DHCP requests are formatted with VLAN information appended:

DHCPREQUEST for 10.0.50.80 from f0:cb:30:cc:84:3c via igb0.50

In the second setup, all DHCP requests are formatted without any VLAN information:

DHCPDISCOVER from f0:cb:30:cc:84:3c via igb0

then

DHCPOFFER on 10.0.0.114 to f0:cb:30:cc:84:3c via igb0

No matter what setting I alter, there is no VLAN information added to the DHCP request in the second setup.

In a third setup, I tried MAC-based identification applied to any of the SSIDs from the first setup.

The same FreeRADIUS server is unable to authenticate the users who were previously authenticated.

The FreeRADIUS message is:

Login incorrect (Failed retrieving values required to evaluate condition): [f0:cb:30:cc:84:3c] (from client OmadaEAP port 1 cli F0-Cb-30-CC-84-3C)

In this latter case, it doesn't matter how I format the MAC address in either the FreeRADIUS server or in the Omada EAP settings; there is never a match.

I understand that neither setup being purely Omada or TP-Link based can be reason enough to turn this post down. However, after some research on different sites and on Reddit, I found several users reporting similar issues, beginning circa when RADIUS authentication was added.

tl;dr: I cannot obtain dynamic VLAN assignment with either wired or wireless clients authenticated by a RADIUS server, while having confirmed that said RADIUS server does communicate with the switch and EAP and authenticates users.

Is there an obvious reason for this behaviour, or has any of you got a hint why it doesn't work as intended? I can provide more information if needed.

Note: the MAC address used in the examples has been edited for this post.

Note 2: I tried unadopting the Omada switch and EAP and configuring them through their GUI. The result was inconclusive.

 

Re: Dynamic VLAN assignment with RADIUS authentication
2023-06-22 19:35:39

  @Yttra 

AFAIK, it's pretty basic in TP-Link land... there is simply a 1:1 mapping between SSID and optional VLAN, not between user and VLAN.

So the config is limited to SSID + optional VLAN tagging in the device. That's why you only see the .50 suffix in the DHCP negotiation when you have configured an SSID + VLAN=50 mapping.

<< Paying it forward, one juicy problem at a time... >>
Re: Dynamic VLAN assignment with RADIUS authentication
2023-09-22 08:16:11

  @Yttra I got FreeRADIUS and dynamic VLAN assignment working for Wi-Fi clients.

I had to modify the inner-tunnel. Have a closer look at the "update" section.

Section post-auth:

if (1) {
        #
        #  These attributes are for the inner-tunnel only,
        #  and MUST NOT be copied to the outer reply.
        #
        update reply {
                User-Name !* ANY
                Message-Authenticator !* ANY
                EAP-Message !* ANY
                Proxy-State !* ANY
                MS-MPPE-Encryption-Types !* ANY
                MS-MPPE-Encryption-Policy !* ANY
                MS-MPPE-Send-Key !* ANY
                MS-MPPE-Recv-Key !* ANY
        }
        update {
                &outer.session-state:Tunnel-Type := Tunnel-Type[*]
                &outer.session-state:Tunnel-Medium-Type := Tunnel-Medium-Type[*]
                &outer.session-state:Tunnel-Private-Group-Id := Tunnel-Private-Group-Id[*]
                &outer.session-state:User-Name := User-Name[*]
                &outer.session-state: += &reply:
        }
}

 

Omada Controller Linux 5.14.26.1 TL-SG2008 v3.0 - 3.0.9 EAP653(EU) v1.0 - 1.0.14 EAP650-Outdoor(EU)v1.0 - 1.1.4 EAP610-Outdoor(EU) v1.0 - 1.2.5 EAP615-Wall(EU) v1.0 - 1.2.4
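As an added example (not code from the original post, FreeRADIUS or Omada), here is a small Python decoder for the RFC 2868 attributes that carry the VLAN in a RADIUS Access-Accept: Tunnel-Type (VLAN), Tunnel-Medium-Type (IEEE-802) and Tunnel-Private-Group-Id, which a NAS only honours when all three share the same tag. It is the check to run on a capture of the outer reply: the sample packets are constructed here, and a reply whose Tunnel-* set never left the EAP inner tunnel decodes to no VLAN at all, which matches the untagged DHCP requests described in this thread.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

def parse_attributes(packet):
    """Yield (type, value) pairs from the attribute section of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length field")
    pos = 20  # code, identifier, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def vlan_from_accept(packet):
    """VLAN a NAS would apply from an Access-Accept; None if no complete tagged set is present."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    tunnels = {}  # RFC 2868 tag -> the attributes sharing that tag
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            tunnels.setdefault(value[0], {})[atype] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # the first octet is a tag only if it is <= 0x1F, otherwise it is part of the string
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            tunnels.setdefault(tag, {})[atype] = body.decode("ascii", "replace")
    for attrs in (tunnels[t] for t in sorted(tunnels)):
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802
                and attrs.get(TUNNEL_PRIVATE_GROUP_ID, "").isdigit()):
            return int(attrs[TUNNEL_PRIVATE_GROUP_ID])
    return None

def build_accept(attrs):
    """Construct an Access-Accept (zeroed authenticator) from (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# Constructed reply carrying a tag-1 VLAN 50 set (what the NAS needs for "via igb0.50")
VLAN_50_ACCEPT = build_accept([(TUNNEL_TYPE, b"\x01" + (13).to_bytes(3, "big")),
                               (TUNNEL_MEDIUM_TYPE, b"\x01" + (6).to_bytes(3, "big")),
                               (TUNNEL_PRIVATE_GROUP_ID, b"\x01" + b"50")])
# Constructed reply with only User-Name: the Tunnel-* set stayed inside the EAP inner tunnel
BARE_ACCEPT = build_accept([(1, b"alice")])
```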
Re: Dynamic VLAN assignment with RADIUS authentication
2023-11-04 08:49:28

  @MatthiasL22 

Are you able to provide a little more clarification on the steps needed to get RADIUS-based VLANs working?

I have tried adding the config to post-auth and am now getting a "Rejected in post-auth" message in the logs.
Re: Dynamic VLAN assignment with RADIUS authentication - Solution
2023-11-04 09:51:37 - last edited 2023-11-06 03:51:36

  @Holl595 

Hi,

The issue was solved in response to another of my posts: https://community.tp-link.com/en/business/forum/topic/616964?replyId=1257162

The trick is to enable a tunneled response from the RADIUS server, either the built-in RADIUS server in Omada or a standalone RADIUS server.

With that setting, I have been able to achieve both authentication and dynamic VLAN assignment.

I hope that it will help you. Don't hesitate to ask if you need more information.

Recommended Solution
Re: Dynamic VLAN assignment with RADIUS authentication - Solution
2023-11-04 12:15:20 - last edited 2023-11-06 03:51:40

  @Yttra 

Thanks for taking the time to get back to me.

I managed to get this working with FreeRADIUS in pfSense without the config you added.

I have added a default user with the default VLAN, and anything that isn't in the MAC list gets assigned that.

Recommended Solution