suggestions for multiple vlans in hundreds of switches
Phil Mayers
p.mayers at imperial.ac.uk
Fri Apr 20 18:37:50 CEST 2007
Matt Ashfield wrote:
> Hi,
>
> We'd like to use FR to assign users on our wired network to one of 30
> different vlans on campus, based on an LDAP field. Currently, we are doing
> this with huntgroups. Namely, we create a huntgroup for the NAS (in our
> case, a network switch), and then in the users file, we put the following:
Credit to Alan DeKok for this idea - it was one of the first questions I
asked on the list.
Use two rlm_passwd modules to add "fake" items to the *request*:
passwd nas2building {
file = /etc/raddb/nas2building
format = "*NAS-IP-Address:~MyBuilding"
hashsize = 100
}
passwd user2vlantype {
file = /etc/raddb/user2vlantype
format = "*User-Name:~MyVlanType"
hashsize = 100
allowmultiplekeys = yes
}
...then in the users file you reduce NxM to AxB which is a hopefully
smaller combination:
DEFAULT MyBuilding == "facility1", MyVlanType == "guests"
...
DEFAULT MyBuilding == "facility1", MyVlanType == "staff"
...
Note that if you're caching the files, FreeRadius will need to be HUPed
to re-read them (boo!). Also, you'll need to add the MyXXX attributes to
the dictionary like so:
ATTRIBUTE MyBuilding 3000 string
ATTRIBUTE MyVlanType 3001 string
This could also be done cleaner (but slower) with cleverly designed SQL
tables or stored procedures
More information about the Freeradius-Users
mailing list