problems with dynamic vlan assignment
Alexander Clouter
alex at digriz.org.uk
Thu Sep 16 00:31:52 CEST 2010
Eric Doutreleau <Eric.Doutreleau at it-sudparis.eu> wrote:
>
> I'm using freeradius 2.1.9 and I have some problems with making dynamic
> vlan assignment based on vlan.
>
> Here is what I have in my users file
>
> DEFAULT User-Category == "student"
>         Reply-Message = "Your a member of the student Group",
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 902,
>         Fall-Through = No
>
> DEFAULT User-Category == "employee"
>         Reply-Message = "Your a member of the employee Group",
>         Tunnel-Type = VLAN,
>         Tunnel-Medium-Type = IEEE-802,
>         Tunnel-Private-Group-Id = 903,
>         Fall-Through = No
>
Eugh, do not do this, use the following sort of thing instead:
----
# 'unauthorised'
DEFAULT
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id = 901,
        Fall-Through = Yes

# 'student' (':=' replaces the 901 already added above; '=' would leave it)
DEFAULT User-Category == "student"
        Tunnel-Private-Group-Id := 902

# 'employee'
DEFAULT User-Category == "employee"
        Tunnel-Private-Group-Id := 903
----
> But as you can see in the following debug file, my user is authenticated and
> his radius item User-Category is employee, but he never gets the
> attributes of vlan in the request
>
Looks like you need to flip the order of 'files' and 'eap' around, as it
is your eap (from the PEAP method) module that sets 'User-Category';
however, you are calling 'files' *before* User-Category is set.
Remember that the 'inner-auth' virtual server is a *unique* instance
to your outer layer so 'User-Category' might be defined but only on the
outside whilst it looks like you are calling 'files' *inside*.
Cheers
--
Alexander Clouter
.sigmonster says: Preserve Wildlife! Throw a party today!
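
The users-file layout and the ordering problem discussed in the message above, as an added example that is not part of the original post or of FreeRADIUS itself: a simplified Python model of how the `files` module walks its entries (`=` adds only if the attribute is absent, `:=` replaces, `+=` appends, Fall-Through defaults to No). The function names and the "guest" category are constructed for illustration; an empty request stands in for `files` running before `User-Category` has been set.

```python
# Simplified model of FreeRADIUS "users" file evaluation (added example,
# not FreeRADIUS code). Entries are tried top to bottom; an entry matches
# when every check item equals the corresponding request attribute.

ENTRIES = [  # catch-all default VLAN first, then per-category overrides
    {"check": {},
     "reply": [("Tunnel-Type", ":=", "VLAN"),
               ("Tunnel-Medium-Type", ":=", "IEEE-802"),
               ("Tunnel-Private-Group-Id", "=", "901")],
     "fall_through": True},
    {"check": {"User-Category": "student"},
     "reply": [("Tunnel-Private-Group-Id", ":=", "902")]},
    {"check": {"User-Category": "employee"},
     "reply": [("Tunnel-Private-Group-Id", ":=", "903")]},
]

def apply_item(reply, name, op, value):
    """Apply one reply item using the users-file operator semantics."""
    if op == ":=":                      # replace any existing value
        reply[name] = [value]
    elif op == "+=":                    # append another instance
        reply.setdefault(name, []).append(value)
    elif op == "=":                     # add only if not already present
        reply.setdefault(name, [value])
    else:
        raise ValueError(f"unsupported operator {op!r}")

def process(request, entries=ENTRIES):
    """Return the reply attributes built for a request (dict of lists)."""
    reply = {}
    for entry in entries:
        if all(request.get(k) == v for k, v in entry["check"].items()):
            for name, op, value in entry["reply"]:
                apply_item(reply, name, op, value)
            if not entry.get("fall_through", False):   # Fall-Through = No
                break
    return reply

def vlan(request, entries=ENTRIES):
    """VLAN id the switch would receive, or None if none was set."""
    return process(request, entries).get("Tunnel-Private-Group-Id", [None])[0]

def with_plain_equals(entries=ENTRIES):
    """Same layout, but the per-category entries use '=' instead of ':='."""
    return [dict(e, reply=[(n, "=" if e["check"] else op, v)
                           for n, op, v in e["reply"]]) for e in entries]

if __name__ == "__main__":
    for req in ({"User-Category": "student"}, {"User-Category": "employee"},
                {"User-Category": "guest"}, {}):   # constructed requests
        print(req, "->", vlan(req), "| with '=':", vlan(req, with_plain_equals()))
```

The empty request lands in VLAN 901 even for a user who is an employee, which is what happens when `files` is evaluated in a section where `User-Category` does not exist yet.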