unidentified users and vlan assignment
Phil Mayers
p.mayers at imperial.ac.uk
Wed Sep 15 16:30:42 CEST 2010
On 15/09/10 12:30, Fabien COMBERNOUS wrote:
> Thank you Phil for your answer.
>
> On 15/09/2010 11:09, Phil Mayers wrote:
>>
>> Are you using 802.1x or macauth?
>>
>> If you are sending an access-reject, you can't assign a vlan. Reject
>> means "give no service". You either need to send an accept with a
>> vlan, or look for a "reject vlan" feature on your switch.
> I'm using macauth. But how do I assign a vlan to unidentified devices?
That's a bit easier, but will depend on how you're looking up vlans.
For example, we used to do this:
authorize {
        # look the MAC (Calling-Station-Id) up in the vlan table
        update control {
                Tmp-String-0 := "%{sql:select vlan ...}"
        }

        # a switch needs all three RFC 3580 tunnel attributes, not just the
        # group id, before it will honour the vlan
        update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
        }

        # test the expanded value rather than the attribute's existence: an
        # empty SQL result would otherwise hand the switch an empty vlan id
        if ("%{control:Tmp-String-0}" != "") {
                update reply {
                        Tunnel-Private-Group-Id = "%{control:Tmp-String-0}"
                }
        }
        else {
                # mac address is unknown - use fallback vlan
                update reply {
                        Tunnel-Private-Group-Id = "1234"
                }
        }
}
If you were using rlm_passwd you could do something like:
modules {
        passwd macvlan {
                # one line per device, with the MAC written exactly as the
                # switch sends it in Calling-Station-Id, e.g. 00:11:22:33:44:55,100
                filename = ${confdir}/macvlan.txt
                # the format string is split on the same delimiter as the file;
                # '*' marks the lookup key, '=' puts the field in the reply list
                format = "*Calling-Station-Id,=Tunnel-Private-Group-Id"
                delimiter = ","
        }
}

authorize {
        macvlan
        if (notfound) {
                # mac address is not in the file - use fallback vlan
                update reply {
                        Tunnel-Private-Group-Id = "1234"
                }
        }
        # needed alongside the group id, whether it came from the file or the fallback
        update reply {
                Tunnel-Type = VLAN
                Tunnel-Medium-Type = IEEE-802
        }
}
...and so on.
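Added example, not part of Phil's message and not FreeRADIUS code: a Python model of the same lookup-with-fallback decision, covering the two things that usually go wrong when it is moved into production, namely that the key match against Calling-Station-Id is literal (every switch vendor spells the MAC differently) and that an Access-Accept carrying a vlan needs Tunnel-Type and Tunnel-Medium-Type as well as Tunnel-Private-Group-Id. It assumes the NAS puts the client MAC in Calling-Station-Id; the device table, the fallback vlan 1234, the MAC spellings and the helper names (canonical_mac, format_mac, vlan_reply, passwd_file) are constructed for the example.

```python
"""Model of MAC-auth vlan assignment with a fallback vlan.

Added example; not from the mailing list post or from FreeRADIUS.
"""
import re

# RFC 2868 / RFC 3580 values a switch expects alongside the vlan id.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_TYPE_IEEE_802 = 6
FALLBACK_VLAN = 1234  # constructed quarantine vlan for unknown devices

# Constructed sample device table, keyed on the canonical MAC form.
KNOWN_MACS = {
    "00:11:22:33:44:55": 100,
    "aa:bb:cc:dd:ee:ff": 200,
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(calling_station_id):
    """Reduce any common Calling-Station-Id spelling to aa:bb:cc:dd:ee:ff.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and
    001122334455 in either case.  Returns None for anything that is not
    a MAC (some NAS put a port name in the attribute instead).
    """
    digits = re.sub(r"[:.\-]", "", calling_station_id.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def format_mac(mac, style):
    """Render a canonical MAC the way a given NAS writes Calling-Station-Id.

    The three styles are constructed for the example; check a real
    Access-Request from your switch to see which one it uses.
    """
    hexpart = mac.replace(":", "")
    if style == "colon":        # 00:11:22:33:44:55
        return mac
    if style == "dash-upper":   # 00-11-22-33-44-55
        return "-".join(hexpart[i:i + 2] for i in range(0, 12, 2)).upper()
    if style == "dotted":       # 0011.2233.4455
        return ".".join(hexpart[i:i + 4] for i in range(0, 12, 4))
    raise ValueError("unknown style " + style)


def vlan_reply(calling_station_id, table=KNOWN_MACS, fallback=FALLBACK_VLAN):
    """Reply attributes for an Access-Accept.

    A known MAC gets its vlan; an unknown or unparseable one gets the
    fallback vlan.  Neither case is a reject: a reject gives no service
    and cannot carry a vlan.
    """
    mac = canonical_mac(calling_station_id)
    vlan = table.get(mac, fallback) if mac is not None else fallback
    return {
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_TYPE_IEEE_802,
        "Tunnel-Private-Group-Id": str(vlan),  # RFC 3580 carries the id as a string
    }


def passwd_file(table, style, delimiter=","):
    """Render the table as an rlm_passwd file for
    format = "*Calling-Station-Id<delimiter>=Tunnel-Private-Group-Id".

    rlm_passwd matches the key literally, so the file is generated in the
    NAS's own MAC spelling rather than in canonical form.
    """
    lines = [f"{format_mac(mac, style)}{delimiter}{vlan}"
             for mac, vlan in sorted(table.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for csid in ("0011.2233.4455", "AA-BB-CC-DD-EE-FF",
                 "de:ad:be:ef:00:01", "GigabitEthernet1/0/7"):
        print(csid, "->", vlan_reply(csid))
    print(passwd_file(KNOWN_MACS, "dotted"), end="")
```

Run it once with the Calling-Station-Id values copied out of a real Access-Request in radiusd -X output; if canonical_mac() returns None for them, the switch is not sending a MAC at all and neither the sql nor the passwd lookup above will ever match.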
More information about the Freeradius-Users mailing list