Alan DeKok wrote:
> lvizcardof@unsa.edu.pe wrote:
>> ...What certificate I should use, so that valid the:
>>
>> carlos User-Password == "carlos"
>>     Service-Type = Framed-User,
>>     Tunnel-Type = VLAN,
>>     Tunnel-Medium-Type = IEEE-802,
>>     Tunnel-Private-Group-Id = 2
>>
>> and if the user carlos access to the vlan 2, he can access, otherwise he doesn't access.
>
> RADIUS doesn't work that way. The NAS doesn't tell the server what VLAN the user is in, because the user is NOT in a VLAN until they have been authenticated.

Not true, see HP's Open VLAN feature. The NAS may also request that the supplicant be put into a certain VLAN based on the static VLAN assignment on the port the supplicant is connecting to.
rad_recv: Access-Request packet from host 139.184.9.175 port 1024, id=119, length=306
Framed-MTU = 1480
NAS-IP-Address = xxx.xxx.xxx.xxx
NAS-Identifier = "xxxxxxxxxxxxxx"
User-Name = "xxx"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 28
NAS-Port-Type = Ethernet
NAS-Port-Id = "28"
Called-Station-Id = "xx-xx-xx-xx-xx-xx"
Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
State = 0x20f6a63dccf5843da5b75a3deaca3c2d
EAP-Message =
Message-Authenticator =
Of course whether the Server decides to honor the NAS's request is
another matter.
> Alan DeKok.
-- 
Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
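
The point made in the reply above (the NAS can send a VLAN hint in the Access-Request, and the server chooses whether to honor it), as an added Python example that is not part of the original post or of FreeRADIUS: it parses an attribute dump in the layout shown and accepts the hinted VLAN only when a per-user allowlist permits it. The sample packet, the `allowed` and `default` policy tables and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in the rad_recv debug layout from the post (values are made up).
SAMPLE = '''rad_recv: Access-Request packet from host 192.0.2.10 port 1024, id=119, length=306
\tUser-Name = "carlos"
\tNAS-Port = 28
\tTunnel-Type:0 = VLAN
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Private-Group-Id:0 = "700"
'''

# Attribute name, optional ":tag" suffix, then the value.
ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*(.*?)\s*$')

def parse_request(text):
    """Return {(attribute, tag): value} from a rad_recv attribute dump."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            continue  # packet header line, not an attribute
        m = ATTR_RE.match(line)
        if m:
            name, tag, value = m.groups()
            attrs[(name, int(tag) if tag else None)] = value.strip('"')
    return attrs

def requested_vlan(attrs):
    """VLAN hinted by the NAS, or None if the tunnel group is not a valid VLAN."""
    for (name, tag), value in attrs.items():
        if name != "Tunnel-Private-Group-Id":
            continue
        # The three tunnel attributes must share a tag and describe an 802 VLAN.
        if (attrs.get(("Tunnel-Type", tag)) == "VLAN"
                and attrs.get(("Tunnel-Medium-Type", tag)) == "IEEE-802"
                and value.isdecimal() and 1 <= int(value) <= 4094):
            return int(value)
    return None

def decide_vlan(attrs, allowed, default):
    """Treat the NAS hint as untrusted input: honor it only if policy permits."""
    user = attrs.get(("User-Name", None))
    hint = requested_vlan(attrs)
    permitted = allowed.get(user, set())
    return hint if hint in permitted else default.get(user)
```
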