Assign VLAN from freeradius to Cisco 3550 switch.

Wassim Zaarour wassim.zaarour at
Wed Apr 25 18:05:26 CEST 2012

Hi Brian,

Thanks for your reply, where do I exactly need to put this configuration?
In the users file?

Do you have any experience with the 2960 switches?


On 4/25/12 4:07 PM, "Brian Julin" <BJulin at> wrote:

>Wassim Zaarour wrote:
>> Look at this
>> The user says that it worked, I tried the attributes he used and still
>> the same error.
>I don't even know how this was ever working for that user.  On my wired
>switch plant, which
>includes some 3550s, wherever I have tested VLAN assignment I have had to
>use Cisco's
>cretinous hack:
> if (Cisco-AVPair) { # Cisco switch.
>              # We have to "Accept" it to the Registration VLAN manually
>              # (because host-mode multi-auth is currently retarded.)
>              update reply {
>                Tunnel-Type = VLAN
>                Tunnel-Medium-Type = 6
>                # CISCO broke the IETF attribute...
>                # Tunnel-Private-Group-Id = "Registration"
>                # ... so use their proprietary method to get it in there.
>                # NOTE: This is CaSe SeNsItIvE!!
>                Cisco-AVPair += "tunnel-private-group-id=Registration"
>              }
>This is of course extremely case-sensitive.  It also uses the vlan names,
>not the numbers, though
>you can use the automatically generated names just fine.
>Be warned the 3550s are old EOL switches and their latest software
>version (the one that is only
>supposed to be used for the 24 port switch but works on the 48 port one)
>is still not current enough
>to pick up the latest bugfixes to multi-auth mode.  Not that multi-auth
>mode works sensibly in the
>newest firmware either, but at least it has workarounds.
>(BTW, even I am starting to pull these 3550s from the net, and I tend to
>try to bleed devices for every
>minute they can manage to hack it.  Right now the only ones I have out
>there are essentially
>serving as lightening rods for this summer's thunder storms, and then
>will be replaced by new
>switches after that.)
>Typical switch port configuration (this is not from a 3550, sorry):
>interface FastEthernet0/24
> switchport access vlan XXX
> switchport mode access
> switchport block unicast
> switchport port-security maximum 16
> switchport port-security
> switchport port-security aging time 240
> switchport port-security violation restrict
> switchport port-security aging type inactivity
> ip arp inspection limit rate 100
> authentication control-direction in
> authentication event fail action authorize vlan YYY
> authentication event server dead action authorize vlan XXX
> authentication event no-response action authorize vlan XXX
> authentication event server alive action reinitialize
> authentication host-mode multi-auth
> authentication order mab
> authentication priority mab
> authentication port-control auto
> authentication periodic
> authentication timer reauthenticate 1300
> authentication timer inactivity 1200
> authentication violation restrict
> mab      
> no lldp transmit
> no lldp receive
> no cdp enable
> no cdp tlv server-location
> no cdp tlv app
> spanning-tree portfast
> spanning-tree bpduguard enable
> ip verify source port-security
> ip dhcp snooping limit rate 50
>XXX and YYY above are actually decimals.
>Note that the auth-fail VLAN setting is not actually used, because in
>order to get multi-auth to behave
>sensibly (so you can handle VMs) you have to actually succeed every
>authentication and just send
>the  quaranteen VLAN from RADIUS when you want the user locked out.
>List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list