VMPS fallback vlan
Walter Gould
gouldwp at auburn.edu
Fri Feb 10 21:45:43 CET 2012
On 02/09/2012 11:40 AM, Phil Mayers wrote:
> On 09/02/12 15:49, Walter Gould wrote:
>> All,
>>
>> I have FR vmps configured to query postgresql for a mac address and
>> return the vlan that is assigned to it. That is working well. However, I
>> would like to configure vmps to return a "fallback" or guest vlan for
>> cases when a mac address is not in the database.
>>
>> Can anyone give me some suggestions or config examples?
>
> This depends entirely on how you are setting the VLAN for "known"
> users. If you can show the config you are using, I can be more
> specific, but basically you check for the "not found" state, or check
> for the "reply vlan not set" state.
>
> For example:
>
> vmps {
>     ...
>     sql
>     if (notfound) {
>         update reply {
>             VMPS-... = ...
>         }
>     }
>     ...
> }
>
> Possibly the most general thing is:
>
> vmps {
>     ...
>     sql
>     ...
>     if (!reply:VMPS-VLAN-Name) {
>         update reply {
>             VMPS-VLAN-Name = GUEST
>         }
>     }
> }

Phil,

Thanks for your reply. I tried what you mentioned above, but cannot
seem to get it to work. Below is my vmps file and debug output. Any
suggestions will be appreciated.

Thanks,
Walter

vmps {
    #
    # Some requests may not have a MAC address. Try to
    # create one using other attributes.
    if (!VMPS-Mac) {
        if (VMPS-Ethernet-Frame =~ /0x.{12}(..)(..)(..)(..)(..)(..).*/) {
            update request {
                VMPS-Mac = "%{1}:%{2}:%{3}:%{4}:%{5}:%{6}"
            }
        }
        else {
            update request {
                VMPS-Mac = "%{VMPS-Cookie}"
            }
        }
    }

    # Do a simple mapping of MAC to VLAN.
    #
    # See radiusd.conf for the definition of the "mac2vlan"
    # module.
    #
    mac2vlan

    # required VMPS reply attributes
    update reply {
        VMPS-Packet-Type = VMPS-Join-Response
        VMPS-Cookie = "%{VMPS-Mac}"

        #
        # If you have VLAN's in a database, you can select
        # the VLAN name based on the MAC address.
        #
        VMPS-VLAN-Name = "%{sql:select vlan from users where mac='%{VMPS-Mac}'}"
    }

    if (!reply:VMPS-VLAN-Name) {
        update reply {
            VMPS-VLAN-Name = "Guests"
        }
    }

    # correct reply packet type for reconfirmation requests
    #
    if (VMPS-Packet-Type == VMPS-Reconfirm-Request){
        update reply {
            VMPS-Packet-Type := VMPS-Reconfirm-Response
        }
    }

    linelog
}

# Proxying of VMPS requests is NOT supported.
}

Here's the debug:
VMPS-Packet-Type = VMPS-Join-Request
VMPS-Error-Code = VMPS-No-Error
VMPS-Sequence-Number = 2449
VMPS-Client-IP-Address = switch_ip
VMPS-Port-Name = "Gi1/0/12"
VMPS-VLAN-Name = "--NONE--"
VMPS-Domain-Name = "gangsta"
VMPS-Unknown = 0x00
VMPS-MAC = d4:be:d9:12:20:6c
server vmps {
Doing VMPS
+- entering group vmps {...}
++? if (!VMPS-Mac)
? Evaluating !(VMPS-Mac) -> FALSE
++? if (!VMPS-Mac) -> FALSE
++[mac2vlan] returns notfound
expand: %{VMPS-Mac} -> d4:be:d9:12:20:6c
sql_xlat
expand: %{User-Name} ->
sql_set_user escaped user --> ''
expand: select vlan from users where mac='%{VMPS-Mac}' ->
select vlan from users where mac='d4:be:d9:12:20:6c'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
SQL query did not return any results
rlm_sql (sql): Released sql socket id: 4
expand: %{sql:select vlan from users where mac='%{VMPS-Mac}'} ->
++[reply] returns notfound
++? if (!reply:VMPS-VLAN-Name)
? Evaluating !(reply:VMPS-VLAN-Name) -> FALSE
++? if (!reply:VMPS-VLAN-Name) -> FALSE
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request)
? Evaluating (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
++? if (VMPS-Packet-Type == VMPS-Reconfirm-Request) -> FALSE
[linelog] expand: %S %{VMPS-Mac} %{reply:VMPS-VLAN-Name}
%{VMPS-Client-IP-Address} %{VMPS-Port-Name} -> 2012-02-10 14:41:01
d4:be:d9:12:20:6c switch_ip Gi1/0/12
++[linelog] returns ok
Done VMPS
} # server vmps
VMPS-VLAN-Name = ""
VMPS-Cookie = d4:be:d9:12:20:6c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 2449 with timestamp +123
Ready to process requests.
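
The debug output above shows the SQL expansion returning an empty string, so reply:VMPS-VLAN-Name exists with the value "" and the test `!reply:VMPS-VLAN-Name` evaluates to FALSE. One way to handle that case, as an added example that is not part of the original post and assumes FreeRADIUS 2.x unlang semantics (attribute names, the query and the "Guests" VLAN are taken from the config above):

```unlang
# Added example, not from the original post.
update reply {
    VMPS-Packet-Type = VMPS-Join-Response
    VMPS-Cookie = "%{VMPS-Mac}"
    VMPS-VLAN-Name = "%{sql:select vlan from users where mac='%{VMPS-Mac}'}"
}

# When the query returns no rows the expansion is "", so the attribute
# is present but empty. Test the value as well as the presence.
if (!reply:VMPS-VLAN-Name || ("%{reply:VMPS-VLAN-Name}" == "")) {
    update reply {
        # ":=" replaces the existing empty attribute. "=" only adds the
        # attribute when none of that name is present, so it would leave
        # the empty value in place.
        VMPS-VLAN-Name := "Guests"
    }
}
```

Running the server in debug mode again should then show the fallback condition evaluating to TRUE for an unknown MAC and the reply carrying VMPS-VLAN-Name = "Guests".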