Using freeradius and 802.1x for dynamic VLAN

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Tue Oct 16 18:04:43 CEST 2007


Alan DeKok wrote:
> lvizcardof at unsa.edu.pe wrote:
> ...
>   
>> What certificate should I use, so that it validates the:
>> carlos     User-Password == "carlos"
>>          Service-Type = Framed-User,
>>          Tunnel-Type = VLAN,
>>          Tunnel-Medium-Type = IEEE-802,
>>          Tunnel-Private-Group-Id = 2
>>
>> and if the user carlos access to the vlan 2, he can access, otherwise he
>> doesn't access.
>>     
>
>   RADIUS doesn't work that way.  The NAS doesn't tell the server what
> VLAN the user is in, because the user is NOT in a VLAN until they have
> been authenticated.
>   
Not true, see HP's Open VLAN feature. The NAS may also request that the 
supplicant be put into a certain VLAN based on the static VLAN 
assignment on the port the supplicant is connecting to.

rad_recv: Access-Request packet from host 139.184.9.175 port 1024, id=119, length=306
        Framed-MTU = 1480
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Identifier = "xxxxxxxxxxxxxx"
        User-Name = "xxx"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 28
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "28"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx""
        Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "700"
        State = 0x20f6a63dccf5843da5b75a3deaca3c2d
        EAP-Message =
        Message-Authenticator =

Of course whether the Server decides to honor the NAS's request is 
another matter.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>   
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08 
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
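
The point made in the message above, that the VLAN sent by the NAS is only a request the server may or may not honor, as an added example (not part of the original post and not FreeRADIUS code). The per-user policy table, the function names and the sample request are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of the debug output above (values are made up).
SAMPLE_REQUEST = """\
        User-Name = "carlos"
        NAS-Port = 28
        NAS-Port-Type = Ethernet
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "700"
"""

# Hypothetical server-side policy: VLANs each user may be placed in, plus a default.
USER_VLANS = {"carlos": {"allowed": {"2", "700"}, "default": "2"},
              "guest": {"allowed": {"900"}, "default": "900"}}

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*"?(.*?)"?\s*$')

def parse_attributes(text):
    """Parse 'Name[:tag] = value' lines into {name: value}; tags are dropped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(3)
    return attrs

def decide_vlan(attrs, policy=USER_VLANS):
    """Return reply attributes, or None to reject. The NAS hint is only a request."""
    user = policy.get(attrs.get("User-Name"))
    if user is None:
        return None  # unknown user: no VLAN assignment at all
    hinted = None
    if (attrs.get("Tunnel-Type") == "VLAN"
            and attrs.get("Tunnel-Medium-Type") == "IEEE-802"):
        hinted = attrs.get("Tunnel-Private-Group-Id")
    # Honor the hint only when server policy already permits that VLAN for this user;
    # otherwise fall back to the user's default rather than trusting the NAS.
    vlan = hinted if hinted in user["allowed"] else user["default"]
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}

if __name__ == "__main__":
    print(decide_vlan(parse_attributes(SAMPLE_REQUEST)))
```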



