Multiple VLAN value per user
Jason Ackley
jason at ackley.net
Wed Oct 25 17:23:39 CEST 2017
On Wed, Oct 25, 2017 at 8:44 AM, Germán Espinoza Tuesta
<gr._et at hotmail.com> wrote:
> Most of dynamic VLAN assignment implementations use these RADIUS attributes to work:
>
> Tunnel-Medium-Type = 6, #IEEE-802
>
> Tunnel-Private-Group-Id = "100"
>
> Is there a way for freeradius to return multiple values in Tunnel-Private-Group-Id.
>
> I'm working in a project where I want a user to belong to multiple vlans. At the moment, working with a sql database.
This really depends more on what your specific NASes/clients can do
than if FreeRADIUS can return multiple attribute-value-pairs.
Since Tunnel-Private-Group-Id is a string - some device vendors
support a syntax in the returned string that allows for
tagging/multiple VLANs.
An example for a Foundry/Brocade/Ruckus ICX/Arris is something like this:
Tunnel-Private-Group-Id = "t:101;t:102;t:103;t:555;t:workstations"
This will cause the port to be tagged in VLANs 101, 102, 103, 555, and
whatever the VLAN named 'workstations' is on the switch (which can
differ in 802.1q tag value per switch that authenticates).
What vendor/NAS devices are you using? Have you checked with the
vendor to determine what attribute-value-pairs they are expecting and
if they support a tagging syntax? I have not seen much consistency in
this area with other vendors - it seems most just stop at implementing
the basics of 'We support dynamic VLAN via RADIUS' by allowing you to
specify a VLAN ID for untagged traffic.
--
jason
More information about the Freeradius-Users
mailing list