Patch for >1 match in hints file

Phil Mayers p.mayers at imperial.ac.uk
Thu Aug 23 10:56:10 CEST 2007


On Thu, 2007-08-23 at 09:24 +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
> 
> > /etc/raddb/eth2name (used in a "passwd" to map Vendor to VendorName):
> > 
> > 00-0c-29:virtual-vmware
> > 00-16-3e:virtual-xen
> > 
> > /etc/raddb/users:
> > 
> > # don't send banned vlan to virtual machines
> > DEFAULT	VendorName =~ "virtual.*", Zone == "banned", Auth-Type := Reject
> > 
> > # real machines get a banned vlan as opposed to rejection
> > DEFAULT	Zone == "banned"
> > 	Tunnel-Medium-Type = IEEE-802,
> > 	Tunnel-Type = VLAN,
> > 	Tunnel-Private-Group-Id = `%{sql:...}`
> 
> Forgiveness for naivety, but if the virtual machine is not configured to use 
> the ethernet in bridged mode (i.e. NAT mode) then you won't see it as a virtual 
> machine(?)

Correct.

There are lots of circumstances where you might want them in bridged
mode though; specifically, we anticipate some users will have >1
supported, managed OS on their desktops - e.g. a managed Linux install as
host for their research, and a managed Windows install as a VMware guest for
running things like Visio or Outlook. NAT mode would hide the Windows
box from standard tools, e.g. SMS, pslist/psexec and so forth.

Our current switches get very upset if you send >1 vlan tag to them; and
since the only legit use-case we can think of for >1 host on a port is
virtual machines in bridged mode, we adopt the approach above.
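The policy quoted in this thread can be simulated outside FreeRADIUS to check how the two DEFAULT entries interact. The following is an added example, not code from the thread or from the FreeRADIUS project: it loads a copy of the eth2name mapping, derives the VendorName from the OUI of a Calling-Station-Id, and applies the entries in file order (first match wins), which is how the "users" file is evaluated. The `vlan_id` parameter stands in for the elided `%{sql:...}` lookup, and the MAC addresses in the test data are constructed. It also illustrates the NAT-mode caveat raised above: a guest behind NAT presents the host's MAC, so it is classified as the host and lands in the banned VLAN rather than being rejected.

```python
"""Simulation of the users-file policy quoted in the thread (added example).

Evaluation order mirrors FreeRADIUS: entries are tried top to bottom and the
first entry whose check items all match supplies the reply.
"""

import re

# Constructed copy of /etc/raddb/eth2name: "<oui>:<vendor name>", one per line.
ETH2NAME = """\
00-0c-29:virtual-vmware
00-16-3e:virtual-xen
"""


def load_eth2name(text):
    """Parse the passwd-style OUI -> VendorName file into a dict."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        oui, _, name = line.partition(":")
        table[oui.lower()] = name
    return table


def vendor_name(calling_station_id, table):
    """Normalise a MAC ('00:0C:29:..', '00-0c-29-..', '000c29..') and look up
    its first three octets. Returns None for malformed input or unknown OUIs."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(hexdigits) != 12:
        return None
    oui = "-".join(hexdigits[i:i + 2] for i in (0, 2, 4))
    return table.get(oui)


def decide(calling_station_id, zone, table, vlan_id="banned-vlan-placeholder"):
    """Return the reply items the quoted users file would produce.

    vlan_id is a placeholder for the %{sql:...} expansion in the original.
    """
    vn = vendor_name(calling_station_id, table) or ""
    # Entry 1: VendorName =~ "virtual.*", Zone == "banned"  ->  Auth-Type := Reject
    if re.match(r"virtual.*", vn) and zone == "banned":
        return {"Auth-Type": "Reject"}
    # Entry 2: Zone == "banned"  ->  banned VLAN for real (non-virtual) machines
    if zone == "banned":
        return {
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Type": "VLAN",
            "Tunnel-Private-Group-Id": vlan_id,
        }
    # Neither banned entry matched; later entries in the file would apply.
    return {}


if __name__ == "__main__":
    table = load_eth2name(ETH2NAME)
    # Bridged VMware guest in the banned zone: rejected.
    print(decide("00:0C:29:AA:BB:CC", "banned", table))
    # Physical host (constructed, non-virtual OUI) in the banned zone: VLAN.
    # A NAT-mode guest behind this host would be seen with this same MAC.
    print(decide("00-11-22-33-44-55", "banned", table))
```

Because the first entry's regex is anchored only at the start, any eth2name entry whose name begins with "virtual" is treated as a VM; keep that naming convention consistent when adding OUIs.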
