Using freeradius and 802.1x for dynamic VLAN
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Tue Oct 16 18:04:43 CEST 2007
Alan DeKok wrote:
> lvizcardof at unsa.edu.pe wrote:
> ...
>
>> What certificate I should use, so that valid the:
>> carlos User-Password == "carlos"
>> Service-Type = Framed-User,
>> Tunnel-Type = VLAN,
>> Tunnel-Medium-Type = IEEE-802,
>> Tunnel-Private-Group-Id = 2
>>
>> and if the user carlos access to the vlan 2, he can access, otherwise he
>> doesn't access.
>>
>
> RADIUS doesn't work that way. The NAS doesn't tell the server what
> VLAN the user is in, because the user is NOT in a VLAN until they have
> been authenticated.
>
Not true, see HP's Open VLAN feature. The NAS may also request that the
supplicant be put into a certain VLAN based on the static VLAN
assignment on the port the supplicant is connecting to.

rad_recv: Access-Request packet from host 139.184.9.175 port 1024, id=119, length=306
        Framed-MTU = 1480
        NAS-IP-Address = xxx.xxx.xxx.xxx
        NAS-Identifier = "xxxxxxxxxxxxxx"
        User-Name = "xxx"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 28
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "28"
        Called-Station-Id = "xx-xx-xx-xx-xx-xx"
        Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
        Connect-Info = "CONNECT Ethernet 10Mbps Half duplex"
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "700"
        State = 0x20f6a63dccf5843da5b75a3deaca3c2d
        EAP-Message =
        Message-Authenticator =

Of course whether the Server decides to honor the NAS's request is
another matter.
> Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
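
Added example, not part of the original message and not FreeRADIUS code: a sketch of the server-side decision discussed above, where the NAS puts a VLAN hint in the Access-Request and the server chooses whether to honor it. The policy table ALLOWED_VLANS, the function names and the sample request are constructed for illustration; it assumes the user has already been authenticated, and rejecting on a mismatched hint is one possible policy.

```python
import re

# Constructed sample, shaped like the Access-Request in the message above.
SAMPLE_REQUEST = """\
User-Name = "carlos"
NAS-Port = 28
NAS-Port-Type = Ethernet
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "700"
"""

# Hypothetical policy table: VLAN IDs each user may be placed in; first is default.
ALLOWED_VLANS = {"carlos": ["2", "700"], "guest": ["900"]}

ATTR_RE = re.compile(r'^\s*([A-Za-z0-9-]+)(?::(\d+))?\s*=\s*"?([^"]*)"?\s*$')

def parse_attributes(text):
    """Return {(name, tag): value} from 'Name[:tag] = value' debug lines."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, tag, value = m.groups()
            attrs[(name, int(tag) if tag else None)] = value.strip()
    return attrs

def nas_vlan_hint(attrs):
    """VLAN the NAS asked for, or None if no complete VLAN tunnel hint is present."""
    for (name, tag), value in attrs.items():
        if name == "Tunnel-Private-Group-Id":
            if (attrs.get(("Tunnel-Type", tag)) == "VLAN"
                    and attrs.get(("Tunnel-Medium-Type", tag)) == "IEEE-802"):
                return value
    return None

def decide_vlan(text, policy=ALLOWED_VLANS):
    """Return reply attributes (dict) for Access-Accept, or None to reject."""
    attrs = parse_attributes(text)
    allowed = policy.get(attrs.get(("User-Name", None)), [])
    if not allowed:
        return None                      # unknown user: reject
    hint = nas_vlan_hint(attrs)
    if hint is not None and hint not in allowed:
        return None                      # NAS port VLAN not permitted for this user
    vlan = hint if hint is not None else allowed[0]
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}
```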