Assigning users into different VLANs

Martin Hrabovský mhx147 at gmail.com
Wed Jul 9 09:57:05 CEST 2014


I read man unlang but to be honest I didn't find it really useful for me.

However in "users" I found that DEFAULT or Fall-Through could be used if I
have no entry for username.
What I need to do is authenticate everyone.
I have a couple of users such as user "admin" and for those users I create entries
like this one:

"admin" Cleartext-Password := "admin"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = 53,
    Tunnel-Preference = 0x000000

Then all other users I need to place into VLAN 54. So at the end of file I
thought entry like this could be ok to pass absolutely everyone:

"DEFAULT"
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Fall-Through = Yes,                                #tried with/without
    Tunnel-Private-Group-Id = 54,
    Tunnel-Preference = 0x000000

But this and all others I tried didn't work.

Wireless network is [WPA/TKIP + WPA2/AES][Auth(802.1X)].

Have you any advice how to fix it?




2014-07-02 10:11 GMT+02:00 <A.L.M.Buxey at lboro.ac.uk>:

> Hi,
>
> >    I am using FreeRADIUS together with WLC from Cisco.
> >    I have 1 WLAN connected to 2 VLANs and I need to assign user into VLAN
> >    based on successful pass AAA or not. By that I mean to separate
> >    guests and members.
> >    How can I achieve that?
> >    For now I am using "users" as source of members.
> >    I came up with this
> >    "admin"  Cleartext-Password := "admin"
> >        Tunnel-Type = VLAN,
> >        Tunnel-Medium-Type = IEEE-802,
> >        Tunnel-Private-Group-Id = 52,
> >        Tunnel-Preference = 0x000000
> >    to assign member into VLAN 52 but I struggle with assigning VLAN for
> >    user without certificate or password (I need two variants based on
> >    certificate and PEAP, two different servers).
>
> well, using the RADIUS attributes, which you have done, is the way to do it.
> how you do it with your users is down to your policies. you'll probably end up
> using unlang in the post-auth phase (man unlang)
>
> however, if this is an EAP/802.1X wireless network you can't do much if
> they fail.
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Martin Hrabovský
5ZP031
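
Added example, not part of the original message and not FreeRADIUS code: a simplified Python model of how the "users" file entries quoted above are walked (top to bottom, stopping at the first match unless Fall-Through = Yes). The matching rules are a reduced assumption of the real module's behaviour, and "guest" is a constructed user name.

```python
# Simplified model (an assumption, not FreeRADIUS source) of the "users" file
# walk: entries are tried top to bottom, a matching entry contributes its
# check-line items to the control list and its reply items to the reply, and
# the walk stops unless that entry's reply carries Fall-Through = Yes.

USERS = [  # constructed from the two entries quoted in the post
    {"name": "admin",
     "check": {"Cleartext-Password": "admin"},
     "reply": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
               "Tunnel-Private-Group-Id": "53"}},
    {"name": "DEFAULT",
     "check": {},
     "reply": {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
               "Fall-Through": "Yes", "Tunnel-Private-Group-Id": "54"}},
]


def authorize(username, entries=USERS):
    """Return (control, reply) after walking the entries for username."""
    control, reply = {}, {}
    for entry in entries:
        if entry["name"] not in (username, "DEFAULT"):
            continue
        control.update(entry["check"])         # ':=' sets the control item
        fall_through = False
        for attr, value in entry["reply"].items():
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            else:
                reply.setdefault(attr, value)  # '=' adds only if not yet set
        if not fall_through:
            break                              # first match wins
    return control, reply


def outcome(username):
    """Summarise what the server has to work with for this user."""
    control, reply = authorize(username)
    return {"vlan": reply.get("Tunnel-Private-Group-Id"),
            "known_good_password": "Cleartext-Password" in control}


if __name__ == "__main__":
    for user in ("admin", "guest"):  # "guest" is a constructed unknown user
        print(user, outcome(user))
```

In this model "guest" picks up the VLAN 54 reply items from DEFAULT but no password in the control list, so a password-based method has no credential to check that user against.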