This topic contains 6 replies, has 3 voices, and was last updated by 
Luciano Di Francesco 9 months, 1 week ago.
-
Posts
-
Hi, first of all happy new year !!
Anybody know if it’s possible to set the TAG field to 0 in all tunnel attributes (64, 65 and 81 ) ? Seems ZS set this value to 1 , and with new cisco switches( Sx-300 series) the dynamic vlan asssignment not works….I think this behavior is determined by free-radius , but I don’t know if is possible to change it and how…
cheersI confirm that I have the same behavior. I’m looking to find a way to force ZS to use tag 0 instead. I don’t know what to do.
I see that the version of radiusd on the lastest of ZS (2.0.RC2) is FreeRadius 2.1.10 built in dec 2010.
So I wonder (and I assume) that this is why my Cisco switch does not accept the port, even though the authentication is valid.
On the Cisco cli, I receive this message :
“Invalide attribute 64 ignored – tag should be 0 aggregated (1)
MAC XX was rejected on port XX because Radius accept message does not contain VLAN ID, aggregated (1)”So I feel the presence of this tag prevents the SW for reading the VLAN ID… ?
Or Am I going in the wrong direction when trying to solve this tag problem and should look elsewhere?
I wrote to Fulvio , and he told me that in the next release, probably this behavior will be fixed…:)
The issue was found also with TekRadius here…Cisco ACS allows , by a drop-down menu, to set the TAG field in the radius IETF attributes…
Btw , I found a workaround, sure “dirty”… a lot !!, … I copied /usr/local/share/freeradius/* in /Database/usr/local/share/freeradius/, then I edited /Database/usr/local/share/freeradius/dictionary.rfc2868 by removing “has_tag” to the attributes 64,65 and 81 as followsATTRIBUTE Tunnel-Type 64 integer
ATTRIBUTE Tunnel-Medium-Type 65 integer
ATTRIBUTE Tunnel-Client-Endpoint 66 string has_tag
ATTRIBUTE Tunnel-Server-Endpoint 67 string has_tag
ATTRIBUTE Tunnel-Password 69 string has_tag,encrypt=2
ATTRIBUTE Tunnel-Private-Group-Id 81 stringgiven a mount–bind “/Database/usr/local/share/freeradius” “/usr/local/share/freeradius”, restarted the radius-server. The dynamic vlan assignment is ok with the cisco SF-308 as well as with the catalyst 2960. Also added mount–bind “/Database/usr/local/share/freeradius” “/usr/local/shar/freeradius” in pre-boot, and after reboot, authentication is always ok . I do not know how much is this correct, but it seems that functions, and so far I have not encountered problems … so far!
greetingsWow thank you very much for your answer, very complete. It’s incredible that you remember well all these details. I’m gonna try that right after buying an ice-cream and post a feedback here.
It works wonderfully thank you very much again!!! 😀
Now I’ve got to change a little bit the way ZS starts, because I wanted a LiveCD + config on a USB Key or hard drive, but I guess I’ll just copy the folder in one partition on the hard drive and try to mount it at startup (as you detailled).
Ciao redfive,
Let me capture this old topic as I am having the same issue with ZS Radius attributes and Cisco switches SG300 series:20-Sep-2018 11:54:51 %AAAEAP-W-RADIUSREPLY: Invalid attribute 65 ignored – tag should be 0
20-Sep-2018 11:54:51 %AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored – tag should be 0
20-Sep-2018 11:54:51 %AAAEAP-W-RADIUSREPLY: Invalid attribute 64 ignored – tag should be 0, aggregated (10)I found the FreeRadius folder path as you indicated :
cd /usr/local/share/freeradius/
But in my current Zeroshell version ( 3.8.0 ) the path where you copied the freeradius files doesn’t exist :
cd /Database/usr/local/share/freeradius/
bash: cd: /Database/usr/local/share/freeradius/: No such file or directory…even under the DB profiles
A couple of stupid questions 🙂
– Should I create that new path and mount it as you explained ?
– Did u try to edit the original Freeradius files ?Ciao e grazie mille
Saluti
Luciano
You must be logged in to reply to this topic.