> So far, I managed to do the dynamic VLAN assignment, but cannot seem to
> get it to work together with the MAC checking.
Get them working independently. Then, put the pieces together.
> I can get an auth to be refused if the MAC is not listed in thePut it into "authorize".
> authorized_macs file, but can't quite put the two things together.
> Perhaps I am a bit confused with regards to where to put the MAC check.
> For now, I just managed to get the check to work only on theThat can be fixed.
> authorization phase in sites-enabled/default, but then the VLAN
> assignment, which is done in the internal-tunnel, seems to overwrite my
> changes.
Because the "users" file works differently there.
> So I tried to put the MAC check in the post-auth section in the default
> file, but the MAC check doesn't seem to ever work.
Which seem to use a reasonable approach.
> Here are the relevant config files:
I think part of the problem is you're juggling a lot. You also
> As you can see, the device wasn't listed in the file, the authentication
> went fine, saying that the tunnel that I should get has ID 40, but that
> wasn't overwritten by the authorized_macs check...
mentioned MACs and VLANs... and then halfway through the message "Oh,
there's an inner-tunnel, too".
Stop with all of your solutions. Instead, write down exactly what you
have. Write down what you want to happen in plain English. Write down
what should happen, and when. Then, convert it to the configuration.
Your system is using TTLS. OK... I'll ignore the question of *why*
you're authenticating unknown MACs. That seems weird.
The debug log shows this:
Where did that VLAN come from? Why is it there? If you don't know,
[ttls] Got tunneled reply code 2
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "40"
that's a huge problem.
Generally, the policies should be arranged like this:
authorize: allow only known kinds of authentication
decide which authentication method to use
grab "known good" passwords
authenticate: run authentication methods
post-auth: return attributes for a successfully authenticated user
In your case, I'd say return to a default configuration. Then, get
the MAC address filtering working in post-auth. Once that's working,
add VLAN assignment.