vlan and freeradius

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Wed Mar 3 15:46:06 CET 2010


Hi,
> Hello,
> 
> so i would like to redirect my winxp authenticated to VLAN1 and if not authenticated , this client must be in vlan2
> 
> i got a switch cisco
> 
> so how to handla this with freeradius?


read the cisco docs on dealing with 802.1X.

you should never use VLAN1 for users - most would say you shouldn't use VLAN1
for anything on cisco kit - it's the default native vlan.


what you need to do is set the port on the switch to do 802.1X...then you can either
do the following


1) set the access vlan to X, then set the fail VLAN to Y and the guest VLAN to Y 

or (my preferred way)

2) set the switch to use RADIUS return attributes for VLAN (and for session time etc)
and set the fail VLAN and guest VLAN to Y


where X is the access vlan for auth and Y is the chosen fail vlan


why do method 2? well, it's then easy/quick to change the VLAN returned to the switch
no matter where on campus/site/infrastructure - its all done via decisions made
on the radius server.


the return attributes?


'Tunnel-Medium-Type' = "IEEE-802"
'Tunnel-Type' = "VLAN"
'Tunnel-Private-Group-Id' = "666"
'Session-Timeout' = "28800"
'Termination-Action' = "RADIUS-Request"

that would set the VLAN to be 666 with an 8 hour timeout.

these can be set via the users file, SQL, perl, python etc. we use a Perl script in the post-auth section



alan
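As an added example (not Alan's script and not FreeRADIUS project code), here is what method 2 looks like as an rlm_python post-auth hook: it returns the five reply attributes listed above and picks the VLAN per user group, adding nothing when no mapping exists so the switch falls back to its configured access VLAN. The user-to-group table and the `radiusd` stand-in used outside FreeRADIUS are assumptions.

```python
try:
    import radiusd            # provided by FreeRADIUS when loaded via rlm_python
except ImportError:           # stand-alone or test run outside FreeRADIUS (assumption)
    class radiusd:            # only the return codes used below
        RLM_MODULE_NOOP = 7
        RLM_MODULE_UPDATED = 8

# Constructed stand-in for the site's directory/SQL lookup (assumption).
USER_GROUPS = {"alice": "staff", "bob": "students"}
# Constructed group -> VLAN table; 666 is the VLAN from the post.
GROUP_VLANS = {"staff": "666", "students": "200"}
SESSION_TIMEOUT = "28800"     # 8 hours, as in the post


def vlan_reply(vlan_id, session_timeout=SESSION_TIMEOUT):
    """Reply pairs that tell an 802.1X switch to place the session in vlan_id."""
    return (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan_id)),
        ("Session-Timeout", session_timeout),
        ("Termination-Action", "RADIUS-Request"),
    )


def user_name(request_pairs):
    """Find User-Name in the (attribute, value) pairs rlm_python hands over.
    Some builds pass string values wrapped in double quotes, so strip them."""
    for name, value in request_pairs:
        if name == "User-Name":
            return value.strip('"')
    return None


def post_auth(p):
    """rlm_python entry point: p is a tuple of (attribute, value) pairs."""
    group = USER_GROUPS.get(user_name(p))
    vlan = GROUP_VLANS.get(group)
    if vlan is None:
        # No mapping: add no Tunnel-* attributes, so the port keeps its access VLAN.
        return radiusd.RLM_MODULE_NOOP
    # (return code, reply attributes, control attributes)
    return (radiusd.RLM_MODULE_UPDATED, vlan_reply(vlan), ())
```

Wire it in with `python { mod_post_auth = <module name> }` in the module config and list the module in the post-auth section, as the post describes for the Perl version.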


