Radius+Huwaei switch + auto VLan Assignment issue

Gennadii Redko uit1 at zaz.zp.ua
Tue Jun 23 13:47:15 CEST 2009


Try using the configs for 3Com.
H3C is almost the same switch as 3Com.

Attou eric wrote:
> Here is exactly the part of the documentation relating to dynamic VLAN assignment through RADIUS authentication:
> 1.3.5  Configuring Dynamic VLAN Assignment
> The dynamic VLAN assignment feature enables a switch to dynamically add the switch ports of successfully authenticated users to different VLANs according to the attributes assigned by the RADIUS server, so as to control the network resources that different users can access.
> Currently, the switch supports the following two types of assigned VLAN IDs: integer and string.
> - Integer: If the RADIUS authentication server assigns integer type of VLAN IDs, you can set the VLAN assignment mode to integer on the switch (this is also the default mode on the switch). Then, upon receiving an integer ID assigned by the RADIUS authentication server, the switch adds the port to the VLAN whose VLAN ID is equal to the assigned integer ID. If no such VLAN exists, the switch first creates a VLAN with the assigned ID, and then adds the port to the newly created VLAN.
> - String: If the RADIUS authentication server assigns string type of VLAN IDs, you can set the VLAN assignment mode to string on the switch. Then, upon receiving a string ID assigned by the RADIUS authentication server, the switch compares the ID with existing VLAN names on the switch. If it finds a match, it adds the port to the corresponding VLAN. Otherwise, the VLAN assignment fails and the user fails the authentication.
> In actual applications, to use this feature together with Guest VLAN, you should better set port control to port-based mode.
> Table 1-9 Configure dynamic VLAN assignment
>
> Operation                                 Command                                     Description
> Enter system view                         system-view                                 —
> Create an ISP domain and enter its view   domain isp-name                             —
> Set the VLAN assignment mode              vlan-assignment-mode { integer | string }   Optional. By default, the VLAN assignment mode is integer.
> Create a VLAN and enter its view          vlan vlan-id                                —
> Set a VLAN name for VLAN assignment       name string                                 This operation is required if the VLAN assignment mode is set to string.
>
> Caution:
> - In string mode, if the VLAN ID assigned by the RADIUS server is a character string containing only digits (for example, 1024), the switch first regards it as an integer VLAN ID: the switch transforms the string to an integer value and judges if the value is in the valid VLAN ID range; if it is, the switch adds the authenticated port to the VLAN with the integer value as the VLAN ID (VLAN 1024, for example).
> - To implement dynamic VLAN assignment on a port where both MSTP and 802.1x are enabled, you must set the MSTP port to an edge port.
>
> Thanks
>
> ________________________________
> From: Ivan Kalik <tnt at kalik.net>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Tuesday, 23 June 2009, 10:51:15
> Subject: Re: Re : Re : Re : Radius+Huwaei switch + auto VLan Assignment issue
> 
>> The Switch documentation said:
>>
>> If set to Integer, the Vlan-assignment-mode allows the switch to use the VLAN ID
>> to tag frames.
>>
>> If set to String, it uses the VLAN Name instead.
>>
>> So the Vlan-assignment-mode in the domain is Integer. But as the
>> Access-Accept message returns the
>> VLAN ID in this format:
>>
>>       Tunnel-Private-Group-Id:0 = "2"
>>
>> It seems we'd better set Vlan-assignment-mode to string.
> 
> How sure are you that your switch supports dynamic VLAN assignment (via
> radius not console)? Does it say that anywhere in the documentation?
> 
> Ivan Kalik
> Kalik Informatika ISP
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
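
The VLAN resolution rules in the documentation excerpt quoted above, modeled in Python as an added example (not code from the thread, FreeRADIUS or the switch vendor). The names `resolve_vlan` and `_join_by_id`, the sample VLAN table, and the handling of cases the excerpt leaves open (out-of-range values, the name of an auto-created VLAN, VLAN creation in string mode) are assumptions.

```python
import re

VLAN_MIN, VLAN_MAX = 1, 4094  # valid 802.1Q VLAN ID range


def _join_by_id(vid, vlans):
    """Integer handling: create the VLAN if it is missing, then join it."""
    created = vid not in vlans
    if created:
        vlans[vid] = f"VLAN {vid:04d}"  # constructed placeholder name
    return vid, created


def resolve_vlan(assigned, mode, vlans):
    """Model of the quoted rules for a RADIUS-assigned VLAN value.

    assigned: Tunnel-Private-Group-Id string from the Access-Accept
    mode:     "integer" or "string" (the domain's vlan-assignment-mode)
    vlans:    {vlan_id: name} configured on the switch, updated in place
    Returns (vlan_id, created), or None when the assignment fails.
    """
    numeric = re.fullmatch(r"[0-9]+", assigned) is not None
    in_range = numeric and VLAN_MIN <= int(assigned) <= VLAN_MAX
    if mode == "integer":
        # Assumption: a non-numeric or out-of-range value is rejected.
        return _join_by_id(int(assigned), vlans) if in_range else None
    if mode == "string":
        if in_range:
            # Caution in the excerpt: digits-only strings are tried as a
            # VLAN ID first, so a VLAN *named* "1024" is never matched.
            # Assumption: a missing VLAN is created as in integer mode.
            return _join_by_id(int(assigned), vlans)
        for vid, name in vlans.items():
            if name == assigned:
                return vid, False
        return None  # no VLAN with that name
    raise ValueError(f"unknown vlan-assignment-mode: {mode!r}")


if __name__ == "__main__":
    switch_vlans = {1: "default", 2: "staff", 30: "1024"}  # constructed sample
    for value, mode in [("2", "integer"), ("2", "string"), ("staff", "string"),
                        ("1024", "string"), ("guest", "string")]:
        print(mode, repr(value), "->", resolve_vlan(value, mode, switch_vlans))
```

Under this model the value "2" from the thread resolves to VLAN 2 in either mode, and integer handling creates VLANs that were never configured on the switch.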


