Dynamic VLAN assignment depending on LDAP user group and MAC address

Alan DeKok aland at deployingradius.com
Sun Oct 13 03:51:00 CEST 2013


Fabrizio Vecchi wrote:
> I guess at the end of the day my question boils down to the following:
> where should I put the MAC check, so that the user gets assigned to the
> right VLAN?

  In post-auth.

> If I put it in the authorize part of sites-enabled/default, the VLAN
> update request will get overwritten by the post-auth part of
> sites-enabled/inner-tunnel;

  The default configuration for the inner-tunnel does *not* set a VLAN
in post-auth.  So one configuration you added prevents you from using
another configuration you added.

> and if I put it in the post-auth of the
> sites-enabled/default file (which gets executed after inner-tunnel), the
> authorized_macs function always returns noop.

  Delete the "set VLAN" stuff from the post-auth of the inner tunnel.
As you've seen, it breaks the other configuration you're trying to use.

  When you put "authorized_macs" into the "post-auth", it runs the
"post-auth" processing.  Which doesn't read the "users" file... as the
"users" file is done only in the "authorize" section.

  You should be able to put "authorized_macs.authorize" in the post-auth
section.  That will make it process the "users" file, and do what you want.

  Alan DeKok.
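
The setup described in the reply above, written out as configuration. This is an added example, not part of the original post: the file locations, the MAC address, the VLAN ID and the contents of the `authorized_macs` instance are assumptions made for illustration.

```unlang
# --- module instance (constructed; e.g. under raddb/modules/) ---
# A second instance of the "files" module, keyed on the client MAC address.
files authorized_macs {
	# Look entries up by MAC address instead of by User-Name.
	key = "%{Calling-Station-Id}"
	# "usersfile" is the 2.x directive name; newer releases call it "filename".
	usersfile = ${confdir}/authorized_macs
}

# --- ${confdir}/authorized_macs ("users" file format, constructed entry) ---
# The key must match the Calling-Station-Id format the NAS actually sends.
# 00-00-5E-00-53-xx is the documentation MAC range; the VLAN ID is a placeholder.
00-00-5E-00-53-01
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id := "20"

# --- sites-enabled/inner-tunnel ---
post-auth {
	# No VLAN attributes are set here, so nothing conflicts with the
	# lookup done in the outer server's post-auth section.
}

# --- sites-enabled/default ---
post-auth {
	# Run the module's "authorize" method from post-auth so that the
	# "users"-format file above is read at this point. A plain
	# "authorized_macs" entry would run the post-auth method instead,
	# which does not read that file.
	authorized_macs.authorize

	# (rest of the existing post-auth section unchanged)
}
```

After a reload, running the server with `radiusd -X` shows whether `authorized_macs.authorize` matched the entry and which Tunnel-* attributes ended up in the Access-Accept.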

