Dynamic VLAN - limiting switchs VLANs?
Phil Mayers
p.mayers at imperial.ac.uk
Mon May 21 17:52:14 CEST 2007
Robert wrote:
> Hello all,
>
> I currently have FR running and happily doing MAC authentication against
> a MYSQL DB.
>
> I can plug a computer into the switch, have the switch grab the MAC
> addy, pass it to FR, hit the DB and return what VLAN that MAC belongs
> to, and then have the switch configure to port to the correct VLAN.
>
> Now the complication that I'm facing is that in our environment, a MAC
> might be assigned to multiple VLANs and our switches only have a
> fraction of the total number VLANs trunked to them.
>
> What I need is a way FR can not only match the MAC to a VLAN, but also
> to cross reference that result to the VLANs that are available from the
> requesting switch.

If your switches are grouped into relatively few sets with the same vlans
(e.g. buildings) then you can use an rlm_passwd to map NAS-IP-Address to
My-Switch-Group, an rlm_passwd to match Calling-Station-Id to
My-Client-Group then in "users":

DEFAULT My-Switch-Group == "building1", My-Client-Group == "BANNED"
        Tunnel-Private-Group-Id = 123

...etc.

Best would be to use SQL though ("select * from stored_procedure") or an
external script (Exec-Program)
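
An added example (not part of the original post and not FreeRADIUS code) of the external-script approach mentioned above: it cross-references the VLANs a MAC may use with the VLANs trunked to the requesting switch and fails closed when they do not overlap. The table contents, addresses and function names are constructed for illustration; how the server invokes the script and treats its exit status is an assumption to check against your FreeRADIUS version.

```python
#!/usr/bin/env python3
"""Pick a VLAN the MAC is allowed on AND the requesting switch carries."""
import re
import sys

# Constructed sample data; in practice these would be SQL lookups.
MAC_VLANS = {          # MAC -> permitted VLANs, in preference order
    "001122334455": [123, 200, 310],
    "0011223344aa": [310],
}
SWITCH_VLANS = {       # NAS-IP-Address -> VLANs trunked to that switch
    "192.0.2.10": {123, 124},
    "192.0.2.20": {200, 310},
}

def normalize_mac(value):
    """Accept 00-11-.., 00:11:.. or 0011.2233.4455; return 12 hex digits or None."""
    mac = re.sub(r"[-:.]", "", value.strip()).lower()
    return mac if re.fullmatch(r"[0-9a-f]{12}", mac) else None

def select_vlan(nas_ip, calling_station_id):
    """First preferred VLAN for this MAC that the switch carries, else None."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None                      # malformed Calling-Station-Id
    trunked = SWITCH_VLANS.get(nas_ip, set())
    for vlan in MAC_VLANS.get(mac, []):
        if vlan in trunked:
            return vlan
    return None                          # unknown MAC, unknown switch, or no overlap

def reply_attributes(vlan):
    """RFC 3580 attributes that tell the switch which VLAN to assign."""
    return ("Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, "
            f"Tunnel-Private-Group-Id = {vlan}")

def main(argv):
    # Assumed invocation: script.py <NAS-IP-Address> <Calling-Station-Id>
    if len(argv) != 3:
        return 2
    vlan = select_vlan(argv[1], argv[2])
    if vlan is None:
        return 1                         # non-zero exit: no usable VLAN, fail closed
    print(reply_attributes(vlan))
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```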