Hash username or mac address to assign user to different vlan

Kenneth Marshall ktm at rice.edu
Thu Feb 17 21:09:07 CET 2011


On Thu, Feb 17, 2011 at 02:06:18PM -0500, schilling wrote:
> Hi All,
> 
> I got dynamic VLAN assignment working in the post-auth section with
> help/hints from a lot of list members. Now I want to do one more
> step. I would like to hash the username or MAC address to distribute
> users to different VLANs. The idea is to use FreeRADIUS to spread the
> load across different smaller subnets to reduce the broadcast in bigger
> VLANs.
> 
> For example I want to do the following
>  if ( "%{User-Name}" !~ /@/ ) {
>      if ( %{User-Name}%2 == 0 ) {
>          update reply {
>              Service-Type = "Framed-User"
>              Tunnel-Type = "VLAN"
>              Tunnel-Medium-Type = "IEEE-802"
>              Tunnel-Private-Group-Id = "facstaff0"
>          }
>      }
>      elsif ( %{User-Name}%2 == 1 ) {
>          update reply {
>              Service-Type = "Framed-User"
>              Tunnel-Type = "VLAN"
>              Tunnel-Medium-Type = "IEEE-802"
>              Tunnel-Private-Group-Id = "facstaff1"
>          }
>      }
>  }
> 
> Will I be able to do this in the post-auth with unlang?
> 
> Thanks,
> 
> Schilling
> 

I did not see how that could be done with just unlang, and
we implemented it with a Perl function that calculated a 32-bit
checksum of the User-Name and used that with the modulo function
to assign to the appropriate VLAN. Here is the authorize function
that we are using:

# Function to handle authorize
sub authorize {
        # For debugging purposes only
#       &log_request_attributes;

        # Here's where your authorization code comes
        # You can call another function from here:
#       &test_call;
        #
        # Calculate the 32-bit checksum of the User-Name to use for
        # assigning the VLAN number. "%32C*" adds up the byte values of
        # the string into a 32-bit sum.
        my $chksum_username = unpack("%32C*", $RAD_REQUEST{'User-Name'});

        # Pick one of 8 VLANs per role; the name suffix runs from 01 to 08.
        if ($RAD_REPLY{'Connect-Info'} =~ /visitor/i) {
                $RAD_REPLY{'Tunnel-Private-Group-Id'} = "visitor0" . ($chksum_username % 8 + 1);
        } elsif ($RAD_REPLY{'Connect-Info'} =~ /staff/i) {
                $RAD_REPLY{'Tunnel-Private-Group-Id'} = "staff0" . ($chksum_username % 8 + 1);
        } elsif ($RAD_REPLY{'Connect-Info'} =~ /student/i) {
                $RAD_REPLY{'Tunnel-Private-Group-Id'} = "student0" . ($chksum_username % 8 + 1);
        }

        return RLM_MODULE_UPDATED;
}


Regards,
Ken
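
Added example, not part of Ken's message or of FreeRADIUS itself: a stand-alone Perl script that buckets constructed identities into 8 VLANs with the additive checksum from the reply and, for comparison, with the first 32 bits of a SHA-256 digest. It normalises MAC address formats first so that one client always lands in the same VLAN whichever way the NAS formats it. The helper names, the sample identities and the SHA-256 alternative are assumptions.

```perl
#!/usr/bin/perl
# Added example: offline comparison script, not the poster's production module.
use strict;
use warnings;
use Digest::SHA qw(sha256);

my $POOL = 8;    # VLANs per role, as in the reply above (staff01..staff08)

# Canonicalise the key so one client always hashes the same way:
# lower-case everything, and strip separators from MAC addresses.
sub normalise_key {
    my ($key) = @_;
    $key = lc $key;
    (my $hex = $key) =~ s/[-:.]//g;
    return $hex =~ /^[0-9a-f]{12}$/ ? $hex : $key;
}

# Method from the reply: additive 32-bit checksum of the bytes.
# Byte order does not matter to a sum, so "ab" and "ba" share a VLAN.
sub vlan_by_sum {
    my ($key) = @_;
    return unpack("%32C*", normalise_key($key)) % $POOL + 1;
}

# Alternative (assumption, not from the thread): first 32 bits of a
# SHA-256 digest, which depends on byte order as well as byte values.
sub vlan_by_digest {
    my ($key) = @_;
    return unpack("N", sha256(normalise_key($key))) % $POOL + 1;
}

# Constructed sample identities: 400 sequential usernames.
my (%sum, %dig);
for my $user (map { sprintf "user%04d", $_ } 1 .. 400) {
    $sum{ vlan_by_sum($user) }++;
    $dig{ vlan_by_digest($user) }++;
}
printf "staff0%d  sum=%3d  digest=%3d\n", $_, $sum{$_} // 0, $dig{$_} // 0
    for 1 .. $POOL;

# One constructed MAC address in two NAS formats must map to one VLAN.
for my $mac ("00-11-22-AA-BB-CC", "00:11:22:aa:bb:cc") {
    printf "%s -> staff0%d\n", $mac, vlan_by_digest($mac);
}
```

Running it against an export of your real usernames instead of the constructed list shows how evenly each method fills the pool before it goes into the authorize function.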


