suggestions for multiple vlans in hundreds of switches

Phil Mayers p.mayers at
Sat Apr 21 14:52:48 CEST 2007

Arran Cudbard-Bell wrote:
>> This could also be done cleaner (but slower) with cleverly designed SQL 
>> tables or stored procedures
> Yeah, complex sql really can be quite slow, specially when the queries 
> are being run multiple times for all the rounds required in eap 
> authentication.

You've seen Alans hint re: only running on the tunnel so that helps there.

> I use a second instance of preprocess to read a second hints file called 
> 'nas_hints' this uses dynamic sql queries to grab extra nas_attributes 
> from the server.

That's a clever trick.

One of the main advantages of the rlm_passwd module is that it can add 
items to the *request* as well as the config and reply items. It would 
be extremely handy if the SQL module could do this too.

Specifically I can think of uses for 2-pass SQL queries where one would 
want to use data returned from the 1st query in the 2nd. This is 
basically impossible to do without using stored procedures at the moment.

Regarding your bitmask trick - maybe there's a use for bitwise 
operators, e.g.:

# NAS-Features - integer bitfield
# 128 - router, admins only
#  64 - do vlan assignment
#  32 - do IP assignment

DEFAULT	NAS-Features & 128, SQL-Group != "ADMINS", Auth-Type := Reject
	Reply-Message = "admins only"

DEFAULT	NAS-Features & 64
	Tunnel-Private-Group-Id = `%{sql:select vlan('%{NAS-IP-Address}', 
	Fall-Through = Yes

DEFAULT	NAS-Features & 32, Pool-Name := "something"

...and so on

More information about the Freeradius-Users mailing list