Patch for >1 match in hints file
Phil Mayers
p.mayers at imperial.ac.uk
Thu Aug 23 10:56:10 CEST 2007
On Thu, 2007-08-23 at 09:24 +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
> > /etc/raddb/eth2name (used in a "passwd" to map Vendor to VendorName):
> >
> > 00-0c-29:virtual-vmware
> > 00-16-3e:virtual-xen
> >
> > /etc/raddb/users:
> >
> > # don't send banned vlan to virtual machines
> > DEFAULT VendorName =~ "virtual.*", Zone == "banned", Auth-Type := Reject
> >
> > # real machines get a banned vlan as opposed to rejection
> > DEFAULT Zone == "banned"
> > Tunnel-Medium-Type = IEEE-802,
> > Tunnel-Type = VLAN,
> > Tunnel-Private-Group-Id = `%{sql:...}`
>
> forgiveness for naivety, but if the virtual machine is not configured to use
> the ethernet in bridged mode (i.e. NAT mode) then you won't see it as a virtual
> machine(?)
Correct.
There are lots of circumstances where you might want them in bridged
mode though; specifically, we anticipate some users will have >1
supported, managed OS on their desktops - e.g. managed Linux install as
host for their research, managed Windows install as a VMware guest for
running things like Visio or Outlook. NAT mode would hide the Windows
box from standard tools e.g. SMS, pslist/psexec and so forth.
Our current switches get very upset if you send >1 vlan tag to them; and
since the only legit use-case we can think of for >1 host on a port is
virtual machines in bridged mode, we adopt the approach above.
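The policy quoted above (OUI prefix -> vendor name via a passwd-style file, then "virtual + banned zone" rejected, "real + banned zone" sent to the banned VLAN) replayed in Python, as an added illustration that is not part of the thread and not FreeRADIUS code. It assumes a Calling-Station-Id carrying the client MAC, a locally defined Zone attribute (as in the quoted users file), and a placeholder zone-to-VLAN lookup standing in for the elided `%{sql:...}`; the eth2name contents are copied from the quote. It also shows the practical caveat the passwd lookup depends on: the Calling-Station-Id must be normalised to the exact "xx-xx-xx" key form used in eth2name, or no vendor is ever matched and every banned host falls through to the VLAN entry.

```python
import re

# Copy of the /etc/raddb/eth2name mapping quoted in the thread (OUI:VendorName).
ETH2NAME = """\
00-0c-29:virtual-vmware
00-16-3e:virtual-xen
"""

# Constructed stand-in for the `%{sql:...}` VLAN lookup in the users file.
BANNED_VLAN_BY_ZONE = {"banned": "999"}


def parse_eth2name(text):
    """Parse a passwd-style 'oui:vendor-name' file into {oui: vendor}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        oui, _, name = line.partition(":")
        table[oui.strip().lower()] = name.strip()
    return table


def oui_from_calling_station(calling_station_id):
    """Normalise a Calling-Station-Id to the 'xx-xx-xx' key used by eth2name.

    NAS vendors send MACs as 00:0C:29:AA:BB:CC, 00-0c-29-aa-bb-cc,
    000c29aabbcc or 000c.29aa.bbcc; all reduce to the same OUI key.
    Returns None when the value does not contain 12 hex digits.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(hexdigits) != 12:
        return None
    return "-".join(hexdigits[i:i + 2] for i in (0, 2, 4)).lower()


def decide(calling_station_id, zone, table, vlan_lookup=BANNED_VLAN_BY_ZONE.get):
    """Replay the two DEFAULT entries, first match wins (no Fall-Through).

    Returns ("reject", None), ("vlan", <vlan-id>) or ("accept", None).
    """
    oui = oui_from_calling_station(calling_station_id)
    # The passwd module only sets VendorName when the OUI is in the file.
    vendor = table.get(oui, "") if oui else ""

    # DEFAULT VendorName =~ "virtual.*", Zone == "banned", Auth-Type := Reject
    # (=~ is an unanchored regex match in the users file, hence re.search).
    if re.search(r"virtual.*", vendor) and zone == "banned":
        return ("reject", None)

    # DEFAULT Zone == "banned" -> Tunnel-* reply attributes with the banned VLAN
    if zone == "banned":
        return ("vlan", vlan_lookup(zone))

    return ("accept", None)


if __name__ == "__main__":
    table = parse_eth2name(ETH2NAME)
    for mac, zone in [("00:0C:29:AA:BB:CC", "banned"),   # VMware guest, banned
                      ("00-16-3E-11-22-33", "banned"),   # Xen guest, banned
                      ("00:11:22:AA:BB:CC", "banned"),   # physical host, banned
                      ("00:0C:29:AA:BB:CC", "research")]:  # VMware guest, fine
        print(mac, zone, "->", decide(mac, zone, table))
```

Note that the reject-first ordering matters: if the two DEFAULT entries were swapped, the plain `Zone == "banned"` entry would match every banned host and the virtual machine check would never run.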