vlan and freeradius

omega bk omegabk at gmail.com
Wed Mar 3 16:01:41 CET 2010


2) "set the switch to use RADIUS return attributes for VLAN (and for session time etc) and set the fail VLAN and guest VLAN to Y" => that's really what I want to do, so in my users file:

myuser       Cleartext-Password := "user"
                   Tunnel-Type = VLAN,
                   Tunnel-Medium-Type = IEEE-802,
                   Tunnel-Private-Group-ID = "666",
                   Session-Timeout = "28800",
                   Termination-Action = "RADIUS-Request"

but how to set the fail VLAN and guest VLAN to Y ???

many thanks

PS: "you should never use VLAN1 for users - most would say you shouldn't use VLAN1 for anything on cisco kit - it's the default native vlan." => sure!!!


2010/3/3 Alan Buxey <A.L.M.Buxey at lboro.ac.uk>

> Hi,
> > Hello,
> >
> > so I would like to redirect my winxp authenticated to VLAN1 and if not authenticated, this client must be in vlan2
> >
> > I got a cisco switch
> >
> > so how to handle this with freeradius?
>
>
> read the cisco docs on dealing with 802.1X.
>
> you should never use VLAN1 for users - most would say you shouldn't use VLAN1
> for anything on cisco kit - it's the default native vlan.
>
>
> what you need to do is set the port on the switch to do 802.1X...then you can either
> do the following
>
>
> 1) set the access vlan to X, then set the fail VLAN to Y and the guest VLAN to Y
>
> or (my preferred way)
>
> 2) set the switch to use RADIUS return attributes for VLAN (and for session time etc)
> and set the fail VLAN and guest VLAN to Y
>
>
> where X is the access vlan for auth and Y is the chosen fail vlan
>
>
> why do method 2? well, it's then easy/quick to change the VLAN returned to the switch
> no matter where on campus/site/infrastructure - it's all done via decisions made
> on the radius server.
>
>
> the return attributes?
>
>
> 'Tunnel-Medium-Type' = "IEEE-802"
> 'Tunnel-Type' = "VLAN"
> 'Tunnel-Private-Group-Id' = "666"
> 'Session-Timeout' = "28800"
> 'Termination-Action' = "RADIUS-Request"
>
> that would set the VLAN to be 666 with an 8 hour timeout.
>
> these can be set via users file, SQL, perl, python etc. we use a PERL
> script in the post-auth section
>
>
>
> alan
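
A check for the VLAN reply items discussed in this thread, as an added example that is not part of the original messages or of FreeRADIUS itself: it reads one users-file style entry and flags reply items that lack the separating comma, a Tunnel-Type or Tunnel-Medium-Type that differs from the values given above, and a user being placed in VLAN 1. The helper name `lint_vlan_reply` and both sample entries are constructed for illustration.

```python
import re

# Values the thread gives for RADIUS-assigned VLANs on the switch port.
REQUIRED = {"tunnel-type": "VLAN", "tunnel-medium-type": "IEEE-802"}
ITEM = re.compile(r'^\s*([A-Za-z0-9-]+)\s*(?::=|\+=|==|=)\s*"?([^",]*)"?\s*(,?)\s*$')

def lint_vlan_reply(entry):
    """Return the problems found in one users-file entry (hypothetical helper)."""
    lines = [l for l in entry.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    reply = lines[1:]  # first line holds the user name and check items
    problems, seen = [], {}
    for idx, line in enumerate(reply):
        m = ITEM.match(line)
        if not m:
            problems.append("unparseable reply item: " + line.strip())
            continue
        name, value, comma = m.group(1), m.group(2).strip(), m.group(3)
        seen[name.lower()] = value
        # Every reply item except the last must end with a comma.
        if idx < len(reply) - 1 and not comma:
            problems.append("missing comma after " + name)
    for name, want in REQUIRED.items():
        if seen.get(name, "").upper() != want:
            problems.append("%s should be %s, got %r" % (name, want, seen.get(name)))
    vlan = seen.get("tunnel-private-group-id")
    if vlan is None:
        problems.append("tunnel-private-group-id missing")
    elif vlan == "1":
        problems.append("VLAN 1 assigned to a user port")
    return problems

# Constructed samples: BROKEN has two missing commas and a numeric medium type.
BROKEN = '''myuser Cleartext-Password := "user"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = 802,
    Tunnel-Private-Group-ID = "666"
    Session-Timeout = "28800"
    Termination-Action = "RADIUS-Request"
'''
CORRECTED = (BROKEN.replace("= 802,", "= IEEE-802,")
             .replace('"666"', '"666",').replace('"28800"', '"28800",'))

if __name__ == "__main__":
    for label, entry in (("broken", BROKEN), ("corrected", CORRECTED)):
        print(label, lint_vlan_reply(entry))
```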