Freeradius + DHCP +vlans ???
George Beitis
george.beitis at gmail.com
Thu Jul 26 13:50:46 CEST 2007
Dear Phil,
Firstly, thank you for taking the time to reply and for your
straightforward reply to this matter. I'm doing this as part of my MSc
project; well, this is actually part of the initial setup, not the
project itself, and I have at my disposal a limited number of
devices. I borrowed a Cisco Aironet 1200 access point from my
department, which supports VLANs, and I also have a Linksys router
(WRT54GL) (which I will use as a switch) and I have an old computer with
one Ethernet card which I intend to install freeradius on and a DHCP
server. From there on I might add some more devices, each belonging to a
different VLAN.
My thinking from what you said is to set up the VLANs/tunnels on the
access point, set up freeradius and then run a DHCP server on the old
computer. If I want to add the DHCP server to many virtual LANs, do I
need to create some sort of virtual interface for each? Or does the
router need to be aware of where to forward DHCP packets coming from
different VLANs?
Thank you for your help.
Regards,
George
Phil Mayers wrote:
> On Thu, 2007-07-26 at 02:00 +0100, George Beitis wrote:
>
>> Hey guys
>> I am a bit new to the scene and I am having a few problems with
>> configuring freeradius. In essence what I want is that the user, once
>> verified to be assigned to a specific vlan and get an ip address from a
>> dhcp server, which will be aware of the vlans and therefore assign
>> different address and subnets to each. Does this scenario make any
>>
>
> yes
>
>
>> sense? Will it be the freeradius server that will be notifying the dhcp
>> server to acquire an address for the client? Will the dhcp server then
>>
>
> No
>
>
>> contact the access point to let it know what address the client has been
>> given and it in its turn give it to the client? Or will it be that the
>>
>
> No
>
>
>> access point will contact the dhcp server once it has the reply from the
>> freeradius server, giving it the vlan id/number and requesting an ip
>> address and other info?
>>
>
> No
>
> The way it works is:
>
> 1. Client does either 802.1x
> 2. Access point forwards authentication to radius server
> 3. Multiple 802.1x round-trips between client and radius server, via AP
> 4. When authentication is complete, the radius server returns an
> Access-Accept with the vlan tag
> 5. Access point reads the vlan tag, assigns it
> 6. Client brings up its IP stack, and emits a DHCP DISCOVER
> 7. AP forwards the client's packet into the vlan at layer2
> 8. The vlan/subnet router forwards the DHCP DISCOVER to the DHCP server
> 9. DHCP server assigns an IP address based on source subnet & mac
> address
>
> There's no interaction between DHCP and Radius, no interaction between a
> layer2 access point and DHCP (possibly dhcp option-82 insertion), and no
> real interaction with a layer2 access point and any IP protocol.
>
> Basically - you just configure the AP with >1 vlan, configure a router
> for each VLAN with dhcp relay enabled, and configure the radius server
> to tell the AP the right vlan number.
>
> BEWARE: not all APs support vlan assignment.
>
>
>
>> Is this the right or wrong way of going about this?
>>
>> regards
>> George
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
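Steps 4 and 5 of the sequence quoted above, as an added example that is not part of the original thread: a parser that pulls the VLAN out of an Access-Accept the way an access point has to. The thread does not name the attributes; this assumes the RFC 3580 convention (Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID). All function names are hypothetical, the sample packet is constructed, and Response Authenticator verification is left out.

```python
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6  # values RFC 3580 uses for VLAN assignment

def attributes(packet):
    """Yield (type, value) for each attribute, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    pos = 20  # skip code, id, length and the 16-byte authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        yield atype, packet[pos + 2:pos + alen]
        pos += alen

def assigned_vlan(packet):
    """Return the VLAN ID the AP should apply, or None if the reply names none."""
    found = {}
    for atype, value in attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")  # byte 0 is the tag
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte of 0x01..0x1F is a tag, otherwise string data
            text = value[1:] if 0x01 <= value[0] <= 0x1F else value
            found[atype] = text.decode("ascii", "replace")
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, "")
    if (found.get(TUNNEL_TYPE) != TYPE_VLAN
            or found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802
            or not group.isdigit() or not 1 <= int(group) <= 4094):
        return None  # fail closed: keep the client in the default VLAN
    return int(group)

def attr(atype, value):
    """Encode one attribute as type, length, value."""
    return bytes([atype, len(value) + 2]) + value

def build_accept(attrs):
    """Constructed Access-Accept with a zeroed authenticator (test input only)."""
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample: the reply that places a client in VLAN 20.
SAMPLE = build_accept(attr(TUNNEL_TYPE, b"\x00\x00\x00\x0d")
                      + attr(TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06")
                      + attr(TUNNEL_PRIVATE_GROUP_ID, b"20"))
```

Nothing in the packet carries an IP address: the client only gets one afterwards, by DHCP inside the VLAN this reply selected.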