Radius+Ldap:Allow the same host in multiple vlans

Ramon Escriba escriba at cells.es
Thu Sep 30 08:41:31 CEST 2010

I'm trying to organize my net using 802.1x able switches with freeradius

The system is running, at least @ test level but not yet deployed, but I
reach a cross road and finally I've to choose.

Or having one ldap subtree per vlan, filled with all host that bellong to
this one, or store inside
the host attributes all vlans it's allowed or may get in. 

The first "road" it's the one I've working actually, because I don't know
how to implement the second, the elegant one.

I have multiple devices that may belong to multiple vlans, so I shall have
duplicated hosts, which I don't like @ all. 

In order to keep things easy I only  use mac-"authentication", later 802.1x
EAP wit user+pass ( EAP Mschapv2 or TTLS).

The idea is to declare in one single place the vlans one host may be able to
from the first top priority vlan to try up to the last option..

Well, I'm using the radiusprofile attribute radiusTunnelGroupId to store the
Vlan name or tag.

If I set one host/user with the next "vlan tag" attributes:

radiusTunnelGroupId: 666  (Mad Scientist) 
radiusTunnelGroupId: 128  (Nut Engineers)
radiusTunnelGroupId: 256 (Nerd IT guys)
radiusTunnelGroupId: 51 ( blackhole control)


cn: stupid.device.001
radiusTunnelGroupId: 666  (Mad scientist) 
radiusTunnelGroupId: 999  (FusionCore)

The host/user, may have rights to connect to those vlans, from let say top
prority (666) to the lesser one (51) [ldap attribute order], 
in the first case, and only  666 or 999 in the second.

Some areas are restrited so only the ones with physical access may get
connection to the right vlan.

The problem is how may I configure radius so it may choose the "correct"
vlan. Or try one and if not possible keep trying 
until no more choices are available.

I also have "hungroups", but I realized, if I'm not wrong, that freeradius
only gets the first match, never tries the others, so:

BlackHoleCore NAS-IP-Address ==
VacuumCleaner NAS-IP-Address ==
CoffeeMachine NAS-IP-Address ==

When in freeradius "users" file I try "DEFAULT Huntgroup-Name ==
CoffeeMachine, Auth-Type = LDAPCoffee" it will never get in, 
because NAS-IP will always match BlackHoleCore, never the others.(
It's ok?? Or I'm wrong or may I have to change 
something to get/force/allow multiple target??)

A "problem" I found,I'm a newby in radius, is that I'm not able to choose
between the diferent vlans, 
as radius always try to match first value of multivaluated attributes
(radiusTunnelGroupId). I'm wrong again?

Freeradius send the ACK-OK to the NAS-switch with the target Vlan for this
device. If the "sent" vlan is not extended to that switch-NAS 
there fails silently( @ least seems so in Extreme networks), so the device
is not connected.

I was trying to use the "checkval" module, but I don't know it's the way it
was thinked off.
As far as I undertand I can not use it, maybe I'm wrong again. There's any
elegant way to do it?

Is that aproach, try the "next vlan" if exists @ ldap, possible, how?

Many Thanks.

More information about the Freeradius-Users mailing list