Multiple VLAN value per user
Germán Espinoza Tuesta
gr._et at hotmail.com
Wed Oct 25 18:50:54 CEST 2017
I need users registered in RADIUS database (sql or ldap) to be assigned to multiple vlans in a Software Defined Network. Upon receiving vlan values from RADIUS, hostapd needs to forward those values to an OpenFlow controller. I think this is beyond freeradius, thanks for your feedback.
From: Freeradius-Users <freeradius-users-bounces+gr._et=hotmail.com at lists.freeradius.org> on behalf of Alan Buxey <alan.buxey at gmail.com>
Sent: Wednesday, October 25, 2017 16:24
To: FreeRadius users mailing list
Subject: Re: Multiple VLAN value per user
Well, the value returned can be anything, it's all down to what the NAS
supports. What is hostapd going to do if returned multiple vlan tags or a
string, what are you trying to achieve?
On 25 Oct 2017 4:44 pm, "Germán Espinoza Tuesta" <gr._et at hotmail.com> wrote:
> Thanks for feedback, I'm working with open source software (hostapd
> installed in OpenWRT). Hardware: Wireless access point TPLink WDR3600
> Considering Tunnel-Private-Group-Id is a string, I may be able to modify
> hostapd source code to receive a syntax like the one you pointed:
> Tunnel-Private-Group-Id = "t:101;t:102;t:103;t:555"
> Best regards,
> Germán Espinoza
> > On Oct 25, 2017, at 10:23, Jason Ackley <jason at ackley.net> wrote:
> > On Wed, Oct 25, 2017 at 8:44 AM, Germán Espinoza Tuesta
> > <gr._et at hotmail.com> wrote:
> >> Most of dynamic VLAN assignment implementations use these RADIUS attributes to work:
> >> Tunnel-Medium-Type = 6, #IEEE-802
> >> Tunnel-Private-Group-Id = "100"
> >> Is there a way for freeradius to return multiple values in
> >> I'm working in a project where I want a user to belong to multiple vlans. At the moment, working with a sql database.
> > This really depends more on what your specific NASes/clients can do
> > than if FreeRADIUS can return multiple attribute-value-pairs.
> > Since Tunnel-Private-Group-Id is a string - some device vendors
> > support a syntax in the returned string that allows for
> > tagging/multiple VLANs.
> > An example for a Foundry/Brocade/Ruckus ICX/Arris is something like this:
> > Tunnel-Private-Group-Id = "t:101;t:102;t:103;t:555;t:workstations"
> > This will cause the port to be tagged in VLANs 101, 102, 103, 555, and
> > whatever the VLAN named 'workstations' is on the switch (which can
> > differ in 802.1q tag value per switch that authenticates).
> > What vendor/NAS devices are you using? Have you checked with the
> > vendor to determine what attribute-value-pairs they are expecting and
> > if they support a tagging syntax? I have not seen much consistency in
> > this area with other vendors - it seems most just stop at implementing
> > the basics of 'We support dynamic VLAN via RADIUS' by allowing you to
> > specify a VLAN ID for untagged traffic.
> > --
> > jason
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
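Added example (not part of the thread and not hostapd code): one way a modified NAS could validate the "t:<id>;t:<id>" form of Tunnel-Private-Group-Id discussed above before acting on it, failing closed on anything malformed. The function name, the 16-entry cap, and the choice to reject VLAN names and duplicate IDs are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TAGGED_VLANS 16 /* assumption: arbitrary cap for this example */

/*
 * Parse a string such as "t:101;t:102" into ids[].
 * Returns the number of VLAN IDs, or -1 if any entry is malformed,
 * out of the 802.1Q range 1..4094, duplicated, or exceeds max_ids.
 * On -1 the contents of ids[] must be ignored by the caller.
 */
int parse_tagged_vlans(const char *value, int *ids, int max_ids)
{
    const char *p = value;
    int n = 0;

    if (value == NULL || *value == '\0')
        return -1;
    for (;;) {
        char *end;
        long id;
        int i;

        if (strncmp(p, "t:", 2) != 0)   /* every entry needs the tag prefix */
            return -1;
        p += 2;
        if (*p < '0' || *p > '9')       /* no sign, whitespace or VLAN names */
            return -1;
        errno = 0;
        id = strtol(p, &end, 10);
        if (errno != 0 || id < 1 || id > 4094)
            return -1;
        if (*end != ';' && *end != '\0') /* trailing junk after the number */
            return -1;
        for (i = 0; i < n; i++)
            if (ids[i] == (int)id)       /* duplicate VLAN ID */
                return -1;
        if (n >= max_ids)
            return -1;
        ids[n++] = (int)id;
        if (*end == '\0')
            return n;
        p = end + 1;                     /* a trailing ';' fails on next pass */
    }
}

int main(void)
{
    int ids[MAX_TAGGED_VLANS];
    int n = parse_tagged_vlans("t:101;t:102;t:103;t:555", ids, MAX_TAGGED_VLANS);

    printf("parsed %d VLAN IDs\n", n);
    return n == 4 ? 0 : 1;
}
```

VLAN names such as "t:workstations" are rejected here because, as noted in the thread, the tag a name maps to can differ per switch.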