Assigning users into different VLANs

Herwin Weststrate herwin at quarantainenet.nl
Thu Jul 10 13:29:09 CEST 2014


On 10-07-14 12:18, Martin Hrabovský wrote:
> That's it! I need to log in even if I don't know the user name or password.
> 
> According to the documentation I should use DEFAULT.
> "A special user named "DEFAULT" matches on all usernames." - this is
> stated in the "users" file.
> 
> And why do I want to use "DEFAULT"? To move everyone who has no entry in the users
> file (so in this case everyone except mhx) into VLAN 52.

Then you need some more logic in the authorize section. The user does
match (line 749 of Debug: [files] users: Matched entry DEFAULT at line
6), but then all the authentication types require a password before the
user can be authenticated (see lines 762-767).

You need a bit more logic in the inner-tunnel virtual server. Writing
from memory, change the first line of the user DEFAULT to:

  "DEFAULT" Auth-Type := Accept


A few more things you want to consider:

- Remove the "files" statement from authorize in sites-enabled/default,
this may overwrite the reply with the VLAN attributes for the outer
username.
- Put the DEFAULT user at the end of the file. Otherwise, the user mhx
will also match DEFAULT and get the Auth-Type Accept.

-- 
Herwin Weststrate
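
The ordering advice in the message above can be checked mechanically. The following is an added example, not part of the original post and not FreeRADIUS code: a small Python check that reports named users listed after a DEFAULT entry carrying Auth-Type := Accept. The function names, the placeholder password, the placeholder VLAN for mhx and the use of the standard Tunnel-* attributes for the VLAN reply are assumptions.

```python
import re

# Constructed sample entries in FreeRADIUS "users" file syntax. VLAN 52 and the
# user mhx come from the thread; the password and mhx's VLAN are placeholders.
DEFAULT_ENTRY = '''"DEFAULT" Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "52"
'''
MHX_ENTRY = '''mhx     Cleartext-Password := "PLACEHOLDER-PASSWORD"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "PLACEHOLDER-VLAN"
'''
SAMPLE_BAD = DEFAULT_ENTRY + "\n" + MHX_ENTRY    # catch-all listed first
SAMPLE_GOOD = MHX_ENTRY + "\n" + DEFAULT_ENTRY   # catch-all listed last

HEADER = re.compile(r'^(?:"([^"]*)"|(\S+))\s*(.*)$')
ACCEPT = re.compile(r'\bAuth-Type\s*:=\s*Accept\b', re.IGNORECASE)

def parse_entries(text):
    """Return (line_no, name, check_items) for every entry header.
    Headers start in column 0; indented lines are reply items."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0].isspace() or line[0] in "#$":
            continue  # blank line, reply item, comment or $INCLUDE
        m = HEADER.match(line)
        entries.append((no, m.group(1) or m.group(2), m.group(3)))
    return entries

def shadowed_users(text):
    """List (user, user_line, default_line) for each named user that
    appears after a DEFAULT entry with Auth-Type := Accept."""
    accept_line = None
    hits = []
    for no, name, checks in parse_entries(text):
        if name == "DEFAULT":
            if accept_line is None and ACCEPT.search(checks):
                accept_line = no
        elif accept_line is not None:
            hits.append((name, no, accept_line))
    return hits

if __name__ == "__main__":
    for label, sample in (("DEFAULT first", SAMPLE_BAD),
                          ("DEFAULT last", SAMPLE_GOOD)):
        print(label, "->", shadowed_users(sample))
```

An empty result means every named user is listed before the accept-all DEFAULT entry, as the message recommends.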


