passing VLAN tag to clients

Phil Mayers p.mayers at
Tue Sep 14 18:40:23 CEST 2010

On 14/09/10 16:30, matteo at wrote:
> Hello,
> I'm using Freeradius 2.1.8 on Fedora 13 with EAP-TTL and PAP with
> inner authentication with OpenLDAP as backend. Everything is working
> fine, but the problem is that I haven't an OpenLDAP "Radius oriented",
> that is there is no VLAN info in my LDIFs. So, is there a way,
> external to the authentication process, to pass the vlan tag to the
> clients so that the ports they're
> attached to might join the correct vlan?

You can run SQL queries or scripts in your radius config, after the LDAP 
has run, or use any freeradius modules e.g. rlm_passwd which implements 
a simple key/value lookup:

For example you could have in sites-enabled/inner-tunnel:

post-auth {
   update control {
     Tmp-String-0 = "%{exec:/path/to/script %{Calling-Station-Id}}"
   if (control:Tmp-String-0) {
     update reply {
       Tunnel-Private-Group-Id := "%{control:Tmp-String-0}"

...obviously it's up to you to write the correct policy, depending on 
where you've got the data stored. We use a relatively complex SQL stored 
procedure for example, to give location-specific VLAN numbers based on 
the machines known groups & registered IP addresses.

More information about the Freeradius-Users mailing list