Dynamic VLAN - limiting switch's VLANs?
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Mon May 21 22:27:46 CEST 2007
Phil Mayers wrote:
> Robert wrote:
>
>> Hello all,
>>
>> I currently have FR running and happily doing MAC authentication against
>> a MYSQL DB.
>>
>> I can plug a computer into the switch, have the switch grab the MAC
>> addy, pass it to FR, hit the DB and return what VLAN that MAC belongs
>> to, and then have the switch configure the port to the correct VLAN.
>>
>> Now the complication that I'm facing is that in our environment, a MAC
>> might be assigned to multiple VLANs and our switches only have a
>> fraction of the total number of VLANs trunked to them.
>>
>> What I need is a way FR can not only match the MAC to a VLAN, but also
>> to cross reference that result to the VLANs that are available from the
>> requesting switch.
>>
>
> If your switches are grouped into relatively few sets with the same vlans
> (e.g. buildings) then you can use an rlm_passwd to map NAS-IP-Address to
> My-Switch-Group, an rlm_passwd to match Calling-Station-Id to
> My-Client-Group then in "users":
>
> DEFAULT My-Switch-Group == "building1", My-Client-Group == "BANNED"
> Tunnel-Private-Group-Id = 123
>
> ...etc.
>
> Best would be to use SQL though ("select * from stored_procedure") or an
> external script (Exec-Program)
>
The other way to do it is to use SQL xlat, and a second hints file to write SQL return values into the request packet.
DEFAULT
	My-Switch-Group = "%{sql:SELECT switch_group FROM `where_ever` WHERE ip = '%{NAS-IP-Address}'}"
When stored procedures are sorted, you should be able to get results from them in the same way ...
--
Arran
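One way to do the cross-reference inside the database itself, as an added example that is not from this thread (table and column names, the sample rows and the NAS address are constructed assumptions): the MAC-to-VLAN table is joined against a table of VLANs trunked to each switch, so the xlat only ever returns a VLAN the requesting switch can actually carry.

```sql
-- Added example, not the list's or the FreeRADIUS project's own schema.
-- Table and column names are assumptions; sample rows are constructed.

CREATE TABLE mac_vlan (
    mac      VARCHAR(17)  NOT NULL,            -- as the NAS sends Calling-Station-Id
    vlan_id  INT UNSIGNED NOT NULL,
    priority INT UNSIGNED NOT NULL DEFAULT 0,  -- lower wins when several VLANs fit
    PRIMARY KEY (mac, vlan_id)
);

CREATE TABLE switch_vlan (
    nas_ip   VARCHAR(15)  NOT NULL,            -- as the NAS sends NAS-IP-Address
    vlan_id  INT UNSIGNED NOT NULL,            -- a VLAN actually trunked to that switch
    PRIMARY KEY (nas_ip, vlan_id)
);

-- Constructed sample data: one host permitted on VLANs 10 and 20,
-- one switch that only has VLANs 20 and 30 trunked to it.
INSERT INTO mac_vlan    VALUES ('00-11-22-33-44-55', 10, 0),
                               ('00-11-22-33-44-55', 20, 1);
INSERT INTO switch_vlan VALUES ('192.0.2.10', 20),
                               ('192.0.2.10', 30);

-- The lookup FreeRADIUS would run from an xlat in "users", e.g.
--   Tunnel-Private-Group-Id = "%{sql:SELECT m.vlan_id FROM mac_vlan m
--       JOIN switch_vlan s ON s.vlan_id = m.vlan_id
--       WHERE m.mac = '%{Calling-Station-Id}' AND s.nas_ip = '%{NAS-IP-Address}'
--       ORDER BY m.priority LIMIT 1}"
-- Only a VLAN present on BOTH sides is a candidate. An empty result means the
-- host has no permitted VLAN on this switch; treat that as a reject rather than
-- falling back to a default VLAN. The literal values below stand in for the
-- two xlat'ed attributes, whose formatting must match what is stored (the
-- MAC separator the NAS uses, for instance).
SELECT m.vlan_id
  FROM mac_vlan m
  JOIN switch_vlan s ON s.vlan_id = m.vlan_id
 WHERE m.mac    = '00-11-22-33-44-55'   -- '%{Calling-Station-Id}' in the xlat
   AND s.nas_ip = '192.0.2.10'          -- '%{NAS-IP-Address}' in the xlat
 ORDER BY m.priority
 LIMIT 1;
```

For the switch to honour the result, the reply also needs Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802 alongside Tunnel-Private-Group-Id.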