passing VLAN tag to clients
Phil Mayers
p.mayers at imperial.ac.uk
Tue Sep 14 18:40:23 CEST 2010
On 14/09/10 16:30, matteo at crs4.it wrote:
> Hello,
> I'm using Freeradius 2.1.8 on Fedora 13 with EAP-TTLS and PAP inner
> authentication, with OpenLDAP as the backend. Everything is working
> fine, but the problem is that I don't have a "Radius oriented" OpenLDAP,
> that is, there is no VLAN info in my LDIFs. So, is there a way,
> external to the authentication process, to pass the VLAN tag to the
> clients so that the ports they're attached to might join the correct VLAN?
You can run SQL queries or scripts in your radius config, after the LDAP
has run, or use any of the freeradius modules, e.g. rlm_passwd, which
implements a simple key/value lookup.
For example, you could have in sites-enabled/inner-tunnel:
post-auth {
	update control {
		Tmp-String-0 = "%{exec:/path/to/script %{Calling-Station-Id}}"
	}
	if (control:Tmp-String-0) {
		update reply {
			Tunnel-Private-Group-Id := "%{control:Tmp-String-0}"
		}
	}
}
...obviously it's up to you to write the correct policy, depending on
where you've got the data stored. We use a relatively complex SQL stored
procedure, for example, to give location-specific VLAN numbers based on
the machines' known groups & registered IP addresses.
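As an added example (not part of Phil's post or of the FreeRADIUS project), a hypothetical lookup script of the kind the %{exec:/path/to/script %{Calling-Station-Id}} line above would call: it normalizes the MAC the NAS reported, looks it up in a constructed MAC-to-VLAN table, and prints the VLAN id for the policy to copy into Tunnel-Private-Group-Id. The script path and the table contents are assumptions.

```python
#!/usr/bin/env python3
"""Hypothetical lookup script for %{exec:/path/to/script %{Calling-Station-Id}}.

Prints the VLAN id for a known MAC on stdout (the unlang policy stores it in
Tmp-String-0); prints nothing and exits non-zero for unknown or malformed input.
"""
import re
import sys

# Constructed sample data: canonical MAC -> VLAN id. In practice this would be
# a file, an SQL table or an rlm_passwd-style key/value store.
MAC_TO_VLAN = {
    "00:11:22:33:44:55": "100",
    "aa:bb:cc:dd:ee:ff": "200",
}

# Only hex digits and the usual separators, 12 to 17 chars, may reach the lookup.
_ALLOWED = re.compile(r"[0-9a-fA-F:.\-]{12,17}")

def normalize_mac(station_id):
    """Canonicalize a Calling-Station-Id to lowercase aa:bb:cc:dd:ee:ff.

    NASes report the MAC in several spellings (00-11-22-33-44-55, 0011.2233.4455,
    001122334455). Anything that is not exactly 12 hex digits after stripping
    the separators is rejected with None."""
    if not isinstance(station_id, str) or not _ALLOWED.fullmatch(station_id):
        return None
    digits = re.sub(r"[:.\-]", "", station_id).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vlan_for_station(station_id, table=MAC_TO_VLAN):
    """Return the VLAN id string for a known MAC, or None when unknown/invalid."""
    mac = normalize_mac(station_id)
    return table.get(mac) if mac is not None else None

def main(argv):
    """CLI entry point: argv[1] is the Calling-Station-Id passed by rlm_exec."""
    if len(argv) != 2:
        return 2
    vlan = vlan_for_station(argv[1])
    if vlan is None:
        return 1          # nothing on stdout, so the policy has no VLAN to assign
    print(vlan)           # stdout is what %{exec:...} expands to
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Most switches only honour Tunnel-Private-Group-Id when the reply also carries Tunnel-Type := VLAN and Tunnel-Medium-Type := IEEE-802. Calling-Station-Id is the MAC the NAS saw, which the client itself chooses, so the script validates its shape strictly and the VLAN it returns is only as trustworthy as the table behind it.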