Hash username or mac address to assign user to different vlan
schilling
schilling2006 at gmail.com
Thu Feb 17 20:06:18 CET 2011
Hi All,
I got dynamic VLAN assignment working in the post-auth section with
help/hints from a lot of list members. Now I want to do one more
step. I would like to hash the username or mac-address to distribute
users to different VLANs. The idea is to use freeradius to spread the
load over different smaller subnets to reduce the broadcast traffic in bigger
VLANs.
For example I want to do the following:
    if ( "%{User-Name}" !~ /@/ ) {
        if ( %{User-Name}%2 == 0 ) {
            update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff0"
            }
        }
        elsif ( %{User-Name}%2 == 1 ) {
            update reply {
                Service-Type = "Framed-User"
                Tunnel-Type = "VLAN"
                Tunnel-Medium-Type = "IEEE-802"
                Tunnel-Private-Group-Id = "facstaff1"
            }
        }
    }
Will I be able to do this in the post-auth with unlang?
Thanks,
Schilling
---------- Forwarded message ----------
From: schilling <schilling2006 at gmail.com>
Date: Tue, Jan 25, 2011 at 10:19 AM
Subject: Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
I believe I resolved this. I used eapol_test to get all the wanted
results, and will try on a real NAS later on.
The following is what I did. Basically I followed Alexander's example:
I modified the peap section in eap.conf to use another virtual server "auth"
instead of the inner-tunnel virtual server. I almost blindly copied
Alexander's example in the auth server except I removed the reject for the
realm checks.
The ldap cache pm is not needed in my case since I do not query
windows AD via LDAP to get their attributes. If I want to do ldap
after ntlm against AD, then Alexander's pm might be needed.
Then I want to map certain attributes like employeeStatus from our
iPlanet ldap server to some radius attribute, so I can manipulate it
in the post-auth section.
I put the following line in etc/raddb/dictionary
    ATTRIBUTE My-Local-employeeStatus 3000 string
and the following lines in etc/raddb/ldap.attrmap
    #FOO specific attributes
    replyItem My-Local-employeeStatus employeeStatus
Without these two lines, radius will complain about an unknown attribute.
Then in the post-auth section:
    #default will have no Tunnel attribute/value, instead, they will be
    #configured on the NAS to go to student VLANs.
    # this will cover my ldap ntPassword authentication/authorization
    #facstaff have employeeStatus set while student does not
    if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
        update reply {
            Service-Type = "Framed-User"
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = "facstaff"
        }
    }
    #this will cover my AD ntlm auth, People in AD are all facstaff
    if ( "%{User-Name}" !~ /@/ ) {
        update reply {
            Service-Type = "Framed-User"
            Tunnel-Type = "VLAN"
            Tunnel-Medium-Type = "IEEE-802"
            Tunnel-Private-Group-Id = "facstaff"
        }
    }
In this way, people can map arbitrary attributes from ldap to radius;
if they are not in dictionary/ldap.attrmap, then just define your own. Then
you have the flexibility of using these attributes/values in your logic in the
post-auth section.
Thanks all for the hints and help!
Schilling
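The hashing idea from the question at the top of this thread (spread authenticated users over N VLANs by hashing the username or MAC), as an added example in plain Python rather than unlang; it is not code from the post or from FreeRADIUS. The "facstaff" prefix and the bucket count are assumptions taken from the post's facstaff0/facstaff1 naming, and the identity normalisation and the distribution check go beyond what the post asked for.

```python
import hashlib
import re

# Assumed VLAN naming, following the post's facstaff0 / facstaff1 example.
VLAN_PREFIX = "facstaff"

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_identity(identity):
    """Canonicalise the value to be hashed so the same user or device always
    lands in the same bucket however the NAS formats it (case, separators)."""
    s = identity.strip().lower()
    # Calling-Station-Id arrives as 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455
    compact = re.sub(r"[:.\-]", "", s)
    if _MAC_RE.match(compact):
        return compact
    return s


def vlan_bucket(identity, buckets):
    """Map identity to an integer in [0, buckets) with a stable hash.
    hashlib is used instead of the built-in hash(), which is randomised per
    process and would move users between VLANs on every server restart."""
    if buckets < 1:
        raise ValueError("need at least one VLAN")
    digest = hashlib.sha256(normalize_identity(identity).encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % buckets


def vlan_reply(identity, buckets):
    """Build the reply attributes used in the post for the chosen VLAN."""
    return {
        "Service-Type": "Framed-User",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": "%s%d" % (VLAN_PREFIX, vlan_bucket(identity, buckets)),
    }


def distribution(identities, buckets):
    """Count how many identities land in each bucket, to check the spread over
    a real user list before deploying. Note this balances load only: a user
    controls their MAC and username, so it is not a security boundary."""
    counts = [0] * buckets
    for ident in identities:
        counts[vlan_bucket(ident, buckets)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample identities.
    for ident in ("jdoe", "JDoe", "00:11:22:33:44:55", "0011.2233.4455"):
        print(ident, vlan_reply(ident, 2)["Tunnel-Private-Group-Id"])
    print(distribution(["user%d" % i for i in range(1000)], 4))
```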