About using groups

Alan DeKok aland at deployingradius.com
Mon Aug 22 12:22:42 UTC 2022


On Aug 22, 2022, at 4:25 AM, Семенюк Александр Петрович <SemenyukAP at nn-edinstvo.ru> wrote:
> I'm interested in using MAB (MAC address bypass) for dot1x in the LAN and in defining the VLAN number for a LAN switch port based on the MAC address. I use 'users' in FreeRADIUS 3.0 and would now have to have something like this for each MAC address in my LAN:
...
> 
> Most of the lines are the same for all such 'users'. Obviously I want to define a 'group' for each VLAN number in which the common lines/attributes are defined, and keep only the unique attributes (like password or group ID) in the user section. There should be 3-4 such groups for now. Can I?

  Yes.  See the mods-available/etc_group file.  You can change the "filename" to be in the raddb directory.  And then put MAC addresses into it.

>  1.  Probably it could be done with Default sections, but for different VLANs would I need a separate 'default' section? It seems too complicated and I have no idea how to do it.
>  2.  Or it can be done in the 'post-auth' section, but at that point how can I tell which group this MAC address belongs to? Probably I should define it earlier, based on the MAC address, in the 'users' section. Can I?

  It doesn't really matter where it goes.

  If it was me, I'd put the MAC addresses into an SQL DB.  One column is MAC, and another is VLAN.  Then do something like:

authorize {
	...

	# MAB: the switch sends the MAC address as both User-Name and User-Password.
	if (&User-Name == &User-Password) {
		# A non-empty result means the MAC is known.  The value is single-quoted
		# so the query is valid SQL; %{sql:...} escapes the attribute it expands.
		if ("%{sql:SELECT MAC FROM mac_table WHERE MAC='%{User-Name}'}") {
			update reply {
				Tunnel-Type = 13		# VLAN
				Tunnel-Medium-Type = 6		# IEEE-802
				Tunnel-Private-Group-Id = "%{sql:SELECT VLAN FROM mac_table WHERE MAC='%{User-Name}'}"
			}
		}
	}

	...
}

  You have to edit / test that for your system, but that's the basic idea.

  And I'm not sure why you've put all of the tunnel attributes into Cisco-AVpair.  That shouldn't be necessary.

  Alan DeKok.
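
A fuller version of the same idea, as an added example that is not from the original post or from the FreeRADIUS project. It assumes a hypothetical table named mac_table with columns mac and vlan, the MAC stored as 12 lowercase hex digits without separators, and the sql module already enabled. It canonicalises whatever MAC format the switch sends before the lookup, does a single query instead of two, and rejects unknown MACs explicitly:

```unlang
# Added example, not the original post's code.  Goes in the "authorize"
# section of raddb/sites-enabled/default on FreeRADIUS 3.0.
# Assumed (hypothetical) table:
#   mac_table(mac VARCHAR(12) PRIMARY KEY, vlan VARCHAR(32))
# with mac stored as 12 lowercase hex digits, e.g. "001122aabbcc".
authorize {
	...

	# MAB: the switch sends the MAC as both User-Name and User-Password.
	# Cisco IOS MAB requests additionally carry Service-Type = Call-Check.
	if ((&User-Name == &User-Password) || (&Service-Type == Call-Check)) {

		# Switches send the MAC in different forms (aabbccddeeff, aa:bb:cc:dd:ee:ff,
		# aabb.ccdd.eeff, AA-BB-CC-DD-EE-FF).  Accept those and canonicalise to
		# 12 lowercase hex digits.  The regex also guarantees that only hex
		# digits reach the SQL query.
		if (&User-Name =~ /^([0-9a-fA-F]{2})[:.-]?([0-9a-fA-F]{2})[:.-]?([0-9a-fA-F]{2})[:.-]?([0-9a-fA-F]{2})[:.-]?([0-9a-fA-F]{2})[:.-]?([0-9a-fA-F]{2})$/) {
			update request {
				&Tmp-String-0 := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}"
			}
		}
		else {
			# Not a MAC address at all: refuse rather than query with garbage.
			reject
		}

		# One lookup: fetch the VLAN for this MAC into a control attribute.
		# An unknown MAC yields an empty string.
		update control {
			&Tmp-String-1 := "%{sql:SELECT vlan FROM mac_table WHERE mac = '%{Tmp-String-0}'}"
		}

		if ("%{control:Tmp-String-1}" != "") {
			update reply {
				&Tunnel-Type := VLAN
				&Tunnel-Medium-Type := IEEE-802
				&Tunnel-Private-Group-Id := "%{control:Tmp-String-1}"
			}
			# There is nothing else to authenticate for MAB: accept here.
			update control {
				&Auth-Type := Accept
			}
		}
		else {
			# MAC not in the table: reject, so the port lands in whatever
			# auth-fail/guest VLAN the switch is configured with, instead of
			# silently getting the port's default VLAN.
			reject
		}
	}

	...
}
```

The canonicalisation step matters more than it looks: if the switch sends "AA:BB:CC:DD:EE:FF" and the table holds "aabbccddeeff", the lookup returns nothing and every MAB client is rejected. Rejecting unknown MACs explicitly, instead of letting the request fall through to the rest of "authorize", keeps an unlisted device from matching some later DEFAULT entry or a user with the same name as its MAC.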
