Freeradius + DHCP +vlans ???
tnt at kalik.co.yu
Thu Jul 26 15:16:52 CEST 2007
PS. In a real-life case you would send your dynamic vlan configuration with
IP addresses etc. from radius and keep your authentication, accounting
and IP administration in one place. That scales best.
Ivan Kalik
Kalik Informatika ISP
On 26/7/2007, "George Beitis" <george.beitis at gmail.com> wrote:
>Hey Ivan
>No, I don't have to use an external one, but it seems like the only choice
>as the Aironet 1200 access point does not come with one bundled with it,
>which would have made my life easier, but on the other hand it wouldn't
>be extensible or simulate a real life case
>
>thanks for your reply
>regards
>George
>
>tnt at kalik.co.yu wrote:
>> Do you have to use an external DHCP server (project requirement)? Aironet
>> has one (Cisco IOS). You can define DHCP pools on the AP and pass avpair
>> for the pool with your vlan configuration from Freeradius. You can also
>> do away with DHCP, define ip_pools in Freeradius and pass addresses, DNS
>> etc. with vlan configuration directly from radius.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>> On 26/7/2007, "George Beitis" <george.beitis at gmail.com> wrote:
>>
>>
>>> Dear Phil
>>> Firstly thank you for taking the time to reply and for your
>>> straightforward reply to this matter. I'm doing this as part of my MSc
>>> project, well this is actually part of the initial setup, not the
>>> project itself, and I have at my disposal a limited number of
>>> devices. I borrowed a Cisco Aironet 1200 access point from my
>>> department, which supports vlans and I also have a Linksys router
>>> (wrt54gl) (which I will use as a switch) and I have an old computer with
>>> one ethernet card which I intend to install freeradius on and a dhcp
>>> server. From there on I might add some more devices each belonging to a
>>> different vlan.
>>>
>>> My thinking from what you said is to set up the vlans/tunnels on the
>>> access point, set up freeradius and then run a dhcp server on the old
>>> computer. If I want to add the dhcp server to many virtual lans do I
>>> need to create some sort of virtual interface for each? Or does the
>>> router need to be aware of where to forward dhcp packets coming from
>>> different vlans?
>>>
>>> thank you for your help
>>>
>>> regards
>>> George
>>>
>>> Phil Mayers wrote:
>>>
>>>> On Thu, 2007-07-26 at 02:00 +0100, George Beitis wrote:
>>>>
>>>>
>>>>> Hey guys
>>>>> I am a bit new to the scene and I am having a few problems with
>>>>> configuring freeradius. In essence what I want is that the user, once
>>>>> verified to be assigned to a specific vlan and get an ip address from a
>>>>> dhcp server, which will be aware of the vlans and therefore assign
>>>>> different addresses and subnets to each. Does this scenario make any
>>>>>
>>>>>
>>>> yes
>>>>
>>>>
>>>>
>>>>> sense? Will it be the freeradius server that will be notifying the dhcp
>>>>> server to acquire an address for the client? Will the dhcp server then
>>>>>
>>>>>
>>>> No
>>>>
>>>>
>>>>
>>>>> contact the access point to let it know what address the client has been
>>>>> given and it in its turn give it to the client? Or will it be that the
>>>>>
>>>>>
>>>> No
>>>>
>>>>
>>>>
>>>>> access point will contact the dhcp server once it has the reply from the
>>>>> freeradius server, giving it the vlan id/number and requesting an ip
>>>>> address and other info?
>>>>>
>>>>>
>>>> No
>>>>
>>>> The way it works is:
>>>>
>>>> 1. Client does either 802.1x
>>>> 2. Access point forwards authentication to radius server
>>>> 3. Multiple 802.1x round-trips between client and radius server, via AP
>>>> 4. When authentication is complete, the radius server returns an
>>>> Access-Accept with the vlan tag
>>>> 5. Access point reads the vlan tag, assigns it
>>>> 6. Client brings up its IP stack, and emits a DHCP DISCOVER
>>>> 7. AP forwards the client's packet into the vlan at layer2
>>>> 8. The vlan/subnet router forwards the DHCP DISCOVER to the DHCP server
>>>> 9. DHCP server assigns an IP address based on source subnet & mac
>>>> address
>>>>
>>>> There's no interaction between DHCP and Radius, no interaction between a
>>>> layer2 access point and DHCP (possibly dhcp option-82 insertion), and no
>>>> real interaction with a layer2 access point and any IP protocol.
>>>>
>>>> Basically - you just configure the AP with >1 vlan, configure a router
>>>> for each VLAN with dhcp relay enabled, and configure the radius server
>>>> to tell the AP the right vlan number.
>>>>
>>>> BEWARE: not all APs support vlan assignment.
>>>>
>>>>
>>>>
>>>>
>>>>> Is this the right or wrong way of going about this?
>>>>>
>>>>> regards
>>>>> George
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>