Freeradius + DHCP +vlans ???
Phil Mayers
p.mayers at imperial.ac.uk
Thu Jul 26 10:16:44 CEST 2007
On Thu, 2007-07-26 at 02:00 +0100, George Beitis wrote:
> Hey guys
> I am a bit new to the scene and I am having a few problems with
> configuring freeradius. In essence what I want is that the user, once
> verified to be assigned to a specific vlan and get an ip address from a
> dhcp server, which will be aware of the vlans and therefore assign
> different address and subnets to each. Does this scenario make any

yes

> sense? Will it be the freeradius server that will be notifying the dhcp
> server to acquire an address for the client? Will the dhcp server then

No

> contact the access point to let it know what address the client has been
> given and it in its turn give it to the client? Or will it be that the

No

> access point will contact the dhcp server once it has the reply from the
> freeradius server, giving it the vlan id/number and requesting an ip
> address and other info?

No

The way it works is:

1. Client does either 802.1x
2. Access point forwards authentication to radius server
3. Multiple 802.1x round-trips between client and radius server, via AP
4. When authentication is complete, the radius server returns an
   Access-Accept with the vlan tag
5. Access point reads the vlan tag, assigns it
6. Client brings up its IP stack, and emits a DHCP DISCOVER
7. AP forwards the client's packet into the vlan at layer2
8. The vlan/subnet router forwards the DHCP DISCOVER to the DHCP server
9. DHCP server assigns an IP address based on source subnet & mac
   address

There's no interaction between DHCP and Radius, no interaction between a
layer2 access point and DHCP (possibly dhcp option-82 insertion), and no
real interaction with a layer2 access point and any IP protocol.

Basically - you just configure the AP with >1 vlan, configure a router
for each VLAN with dhcp relay enabled, and configure the radius server
to tell the AP the right vlan number.

BEWARE: not all APs support vlan assignment.
>
> Is this the right or wrong way of going about this?
>
> regards
> George
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
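
Added example, not part of the original message and not FreeRADIUS or access point code: steps 4 and 5 above at the packet level, using the standard RADIUS tunnel attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID), which the message itself does not name. The receiving side checks the Response Authenticator before it trusts the VLAN number; the function names, shared secret and request authenticator are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, VLAN, IEEE_802 = 2, 13, 6  # packet code; RFC 3580 tunnel values
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def build_accept(ident, request_auth, secret, vlan_id):
    """Step 4, server side: Access-Accept carrying the VLAN as tunnel attributes."""
    attrs = (_attr(TUNNEL_TYPE, struct.pack("!I", VLAN))  # tag byte 0 + 24-bit value
             + _attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", IEEE_802))
             + _attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def vlan_from_accept(packet, request_auth, secret):
    """Step 5, AP side: VLAN ID from the reply, or None if it must not be applied."""
    length = len(packet)
    if (not 20 <= length <= 4096 or packet[0] != ACCESS_ACCEPT
            or packet[2:4] != struct.pack("!H", length)):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # not produced by a holder of the shared secret
    found, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return None  # malformed attribute
        found[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    kinds = [int.from_bytes(found.get(t, b"")[1:], "big") for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE)]
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group[:1] and group[0] <= 0x1F:
        group = group[1:]  # optional leading tag byte
    if pos != length or kinds != [VLAN, IEEE_802] or not group.isdigit():
        return None
    return int(group) if 1 <= int(group) <= 4094 else None


SAMPLE_AUTH, SAMPLE_SECRET = bytes(range(16)), b"example-secret"  # constructed values
SAMPLE_ACCEPT = build_accept(7, SAMPLE_AUTH, SAMPLE_SECRET, 10)
```

A reply that fails the authenticator check, is malformed, or names a VLAN outside 1 to 4094 yields `None`, so the port is never moved on the strength of an unauthenticated packet.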