Hash username or mac address to assign user to different vlan

schilling schilling2006 at gmail.com
Fri Feb 18 15:34:25 CET 2011


What's your biggest subnet for the wireless? How do you deal with
excessive broadcast protocols?

Thanks,

Schilling

On Fri, Feb 18, 2011 at 9:26 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 18/02/11 14:16, Dean, Barry wrote:
>>
>> I have been asked to do just this and I am working on the solution
>> now.
>>
>> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
>> to one pool and "Students" to the other. Then to select a VLAN
>> within the pool, use a hashing function and select a VLAN.
>>
>> One concern I have is when is post-auth called? Would it get called
>> for interim authentication requests? Because I don't want to be
>> changing the VLAN mid-session, which could potentially happen with a
>> non-deterministic hash!
>
> There is no such thing as an "interim" authentication request.
>
> Post-auth is called after every auth.
>
> I suspect you are referring to feature(s) on the switch(es) you use where it
> will "re-auth" the client after X minutes. That's just another, separate
> authentication as far as FreeRadius is concerned.
>
>>
>> In my tests I have been creating a hash from the 'State' attribute
>
> That's a very bad idea. It will change mid-session and cause you huge
> problems.
>
> We do pervasive VLAN assignment on a large scale here, and my advice is the
> same as others in the thread - don't use a hash value. Just map a user or
> group to a vlan.
>
> If you need to "balance the numbers of users on a vlan" (why?) then you
> should log the vlan assignments to SQL and run a post-processing script that
> changes the assignment to keep the "load balanced".
>
> Personally we just run big subnets to reduce the waste of IP space and
> configuration overhead.
>
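
An added example, not code from this thread or from the FreeRADIUS project, contrasting the two hash inputs discussed above: a normalized Calling-Station-Id gives the same VLAN on every re-auth, while a key taken from State does not. The pool contents, VLAN IDs and function names are assumptions made for illustration.

```python
import hashlib
import re

# Assumed pools; the VLAN IDs are constructed for this example.
POOLS = {
    "Staff": [110, 111, 112, 113],
    "Students": [210, 211, 212, 213, 214, 215],
}


def normalize_mac(raw):
    """Reduce any common Calling-Station-Id format to 12 lowercase hex digits.

    NAS vendors send the same MAC as 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or
    001a.2b3c.4d5e; hashing the raw string would split one client across VLANs.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def pick_vlan(group, key):
    """Map a stable key to one VLAN in the group's pool.

    SHA-256 is used because Python's built-in hash() is salted per process,
    so it would give different answers after every server restart.
    """
    pool = POOLS[group]  # unknown group raises KeyError: no VLAN is guessed
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]


def reply_attributes(group, calling_station_id):
    """Build the RFC 3580 tunnel attributes for a VLAN keyed on the client MAC."""
    vlan = pick_vlan(group, normalize_mac(calling_station_id))
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": str(vlan),
    }


def vlans_keyed_on_state(group, state_values):
    """Return the set of VLANs one client would get if State were the key.

    State differs between authentications, so the set grows with each re-auth.
    """
    return {pick_vlan(group, state) for state in state_values}
```

Because the selection is a modulo over the pool length, adding or removing a VLAN from a pool moves most clients to a different VLAN at their next authentication.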


