Dynamic VLAN assignment depending on LDAP user group and MAC address

Alan DeKok aland at deployingradius.com
Sat Oct 12 14:42:25 CEST 2013


Fabrizio Vecchi wrote:
> First of all, sorry if my email is very long, I am just trying not to
> leave any important details out. :)

  That's good.

> So far, I managed to do the dynamic VLAN assignment, but cannot seem to
> get it to work together with the MAC checking.

  The key thing to remember is that they are two independent pieces.
Get them working independently.  Then, put the pieces together.

> I can get an auth to be refused if the MAC is not listed in the
> authorized_macs file, but can't quite put the two things together.
> Perhaps I am a bit confused with regards to where to put the MAC check.

  Put it into "authorize".

> For now, I just managed to get the check to work only on the
> authorization phase in sites-enabled/default, but then the VLAN
> assignment, which is done in the internal-tunnel, seems to overwrite my
> changes.

  That can be fixed.

> So I tried to put the MAC check in the post-auth section in the default
> file, but the MAC check doesn't seem to ever work.

  Because the "users" file works differently there.

> Here are the relevant config files:

  Which seem to use a reasonable approach.

> As you can see, the device wasn't listed in the file, the authentication
> went fine, saying that the tunnel that I should get has ID 40, but that
> wasn't overwritten by the authorized_macs check...

  I think part of the problem is you're juggling a lot.  You also
mentioned MACs and VLANs... and then halfway through the message "Oh,
there's an inner-tunnel, too".

  Stop with all of your solutions.  Instead, write down exactly what you
have.  Write down what you want to happen in plain English.  Write down
what should happen, and when.  Then, convert it to the configuration.

  Your system is using TTLS.  OK... I'll ignore the question of *why*
you're authenticating unknown MACs.  That seems weird.

  The debug log shows this:

[ttls] Got tunneled reply code 2
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "40"

  Where did that VLAN come from?  Why is it there?  If you don't know,
that's a huge problem.

  Generally, the policies should be arranged like this:

authorize: allow only known kinds of authentication
           decide which authentication method to use
           grab "known good" passwords

authenticate: run authentication methods

post-auth: return attributes for a successfully authenticated user


  In your case, I'd say return to a default configuration.  Then, get
the MAC address filtering working in post-auth.  Once that's working,
add VLAN assignment.

  Alan DeKok.
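As an added example of the two-piece arrangement the reply describes (this is not configuration from the reply or from the FreeRADIUS project; file names, the group DNs and the VLAN IDs are placeholders), the MAC check sits in the outer "authorize" section, which is where Calling-Station-Id is available and where an unknown device is refused before any EAP exchange starts, and the VLAN choice sits in the inner-tunnel "post-auth" section, which is the only server that sees the real User-Name for the LDAP group comparison. It assumes a TTLS setup with an `ldap` module instance, as the poster described, and the stock `rewrite_calling_station_id` policy.

```unlang
# --- modules/authorized_macs (2.x) or mods-enabled/authorized_macs (3.0) ---
# A second rlm_files instance keyed on the client MAC instead of User-Name.
files authorized_macs {
	key = "%{Calling-Station-Id}"
	usersfile = ${confdir}/authorized_macs
	compat = no
}

# --- ${confdir}/authorized_macs (constructed sample; one entry per device) ---
# The spelling must match Calling-Station-Id as it looks AFTER
# rewrite_calling_station_id has run; check it in the radiusd -X output.
#
# 00-11-22-33-44-55
#	Reply-Message = "Known device"

# --- sites-enabled/default (outer server) ---
authorize {
	preprocess

	# Normalise the NAS-supplied MAC to one spelling before the lookup
	# (stock policy; NASes send 001122334455, 00:11:22:... and more).
	rewrite_calling_station_id

	# Piece 1: the MAC check.  rlm_files returns "ok" on a match and
	# "noop" otherwise, so test for !ok rather than notfound.
	authorized_macs
	if (!ok) {
		update reply {
			Reply-Message := "Unknown device"
		}
		reject
	}

	# The rest of the stock section follows unchanged.
	eap {
		ok = return
	}
	files
}

# --- sites-enabled/inner-tunnel ---
post-auth {
	# Piece 2: VLAN by LDAP group, evaluated where the real identity is.
	# Group DNs and VLAN IDs below are placeholders.
	if (LDAP-Group == "cn=staff,ou=groups,dc=example,dc=com") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "40"
		}
	}
	elsif (LDAP-Group == "cn=students,ou=groups,dc=example,dc=com") {
		update reply {
			Tunnel-Type := VLAN
			Tunnel-Medium-Type := IEEE-802
			Tunnel-Private-Group-Id := "50"
		}
	}
	else {
		# A user in no mapped group gets no VLAN: fail closed instead
		# of letting the switch fall back to its default VLAN.
		reject
	}
}

# --- eap.conf (2.x) or mods-enabled/eap (3.0), ttls sub-section ---
ttls {
	default_eap_type = mschapv2
	virtual_server = "inner-tunnel"
	# Copy the inner reply (the Tunnel-* attributes above) into the outer
	# Access-Accept.  Without this the VLAN never reaches the NAS, and with
	# it the inner reply is the one place the VLAN should come from, which
	# answers "where did that VLAN come from?" when reading the debug log.
	use_tunneled_reply = yes
}
```

Test each piece on its own with `radiusd -X`: first with a device missing from `authorized_macs` (expect an Access-Reject before any EAP round trip), then with a known device and a user in each group (expect exactly one set of Tunnel-* attributes in the final Access-Accept). If you prefer the reply's closing suggestion of doing the MAC check in the outer `post-auth` section instead, note that in 2.x and 3.0 rlm_files reads `auth_usersfile`, not `usersfile`, when called there, which is why a "users"-style file that works in `authorize` does nothing in `post-auth` until that setting is added to the module instance.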


More information about the Freeradius-Users mailing list