ldap filter depending on NAS

tnt at kalik.net tnt at kalik.net
Thu Apr 23 11:35:30 CEST 2009


> And finally, can you say that when a dumb user plugs in the wrong VLAN,
> like an admin VLAN, I cannot deny him or put him automatically in the
> right VLAN with radius?
>

If he can plug into a switch and get access to admin VLAN it's network
admin that is dumb, not the user. If your switch supports dynamic VLAN
assignment via radius and you are using port authentication it shouldn't
be possible (if your switch doesn't support this - this talk is
pointless).

1. Why is default VLAN (1) enabled on your ports? You are just asking for
trouble doing that.

2. User can't just "plug into the admin VLAN". If admin unplugs, even
without logging off, switch should terminate the session and return the
port to default state.

3. If your switch supports dynamic VLAN assignment via radius it should
respect VLAN info sent in Access-Accept. If your user ends up in a
different VLAN you have set your switch wrongly. In many cases you can't
send arbitrary VLAN id - it has to be defined on the switch already. You
should consult your switch documentation about proper VLAN setup.

It seems that you don't understand how switch and port based
authentication works. There is no point in checking VLAN info in the
request. Just send VLAN info in the reply - it will (if hardware is set up
properly) override it.

Ivan Kalik
Kalik Inf
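Added illustration, not part of the thread above: a FreeRADIUS `users` file fragment showing the reply-side VLAN assignment the answer describes (RFC 3580 tunnel attributes in the Access-Accept), with the VLAN chosen per user rather than by inspecting anything in the request. The usernames, password and VLAN ids are made-up values; the switch must support dynamic VLAN assignment and the VLANs must already be defined on it.

```text
# Reply items (second and following lines) are sent in the Access-Accept.
# Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and
# Tunnel-Private-Group-Id carry the VLAN the switch should put the port in.

# Ordinary user: always lands in the user VLAN, whatever port is used.
alice   Cleartext-Password := "example-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10"

# Administrator: the admin VLAN is reached only via this reply, never by
# plugging into a port that happens to sit in it.
bob     Cleartext-Password := "example-password"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Everyone else who authenticates goes to a restricted VLAN; combined with
# port authentication, an unauthenticated port never reaches any VLAN.
DEFAULT Auth-Type := Reject
        Reply-Message = "Unknown user"
```

Keep VLAN 1 out of the picture entirely: with port authentication enabled the port should stay unauthorised (no VLAN) until an Access-Accept arrives, and return to that state when the session ends.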