Hash username or mac address to assign user to different vlan
Alexander Clouter
alex at digriz.org.uk
Thu Feb 17 20:26:39 CET 2011
schilling <schilling2006 at gmail.com> wrote:
>
> I got dynamic VLAN assignment working in the post-auth section with
> help/hints from a lot of list members. Now I want to do one more
> step. I would like to hash the username or MAC address to distribute
> users to different VLANs. The idea is to use FreeRADIUS to spread the
> load on different smaller subnets to reduce the broadcast traffic in bigger
> VLANs.
>
You are however not reducing the broadcast domain, you might be
segregating the noise though. If you have large L2 broadcast domains,
splitting people up into different VLANs is not going to in effect
solve the problem.
For background noise, you can actually reduce chatter by asking Windows
clients to disable NetBEUI via DHCP and configure switches/wifi to not
forward client<->client traffic where appropriate. For wireless networks
you can also kill a lot of multicast traffic (5353/udp is a good example
I would say).
Another possible work around is that VLAN 'facstaff' at site A is not
the same broadcast domain at site B.
Better still, L3 is the way to go. We have and it solves a lot of
problems, although there are upfront migration pains.
> For example I want to do the following:
>
>     if ("%{User-Name}" !~ /@/) {
>         # intended: pick the VLAN from the parity of the username
>         if ("%{User-Name}" % 2 == 0) {
>             update reply {
>                 Service-Type = "Framed-User"
>                 Tunnel-Type = "VLAN"
>                 Tunnel-Medium-Type = "IEEE-802"
>                 Tunnel-Private-Group-Id = "facstaff0"
>             }
>         }
>         elsif ("%{User-Name}" % 2 == 1) {
>             update reply {
>                 Service-Type = "Framed-User"
>                 Tunnel-Type = "VLAN"
>                 Tunnel-Medium-Type = "IEEE-802"
>                 Tunnel-Private-Group-Id = "facstaff1"
>             }
>         }
>     }
>
> Will I be able to do this in the post-auth with unlang?
>
You probably would get better mileage calling on the 'md5' xlat, I think
the following sort of thing will work:
----
authorize {
    # attributes common to both VLANs
    update reply {
        Service-Type := Framed-User
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
    }
    # kludge to fake substr(): capture the first hex digit of the MD5 of User-Name
    if ("%{md5:%{User-Name}}" =~ /^(.)/) {
        # digits 0-7 are half of the 16 possible values, so this splits users roughly in two
        if ("%{1}" =~ /^[0-7]/) {
            update reply {
                Tunnel-Private-Group-Id := "facstaff0"
            }
        } else {
            update reply {
                Tunnel-Private-Group-Id := "facstaff1"
            }
        }
    }
}
----
I would recommend L3-ising your network though if possible and as the
rubberband-aid use DHCP/ACLs to keep broadcast/multicast traffic noise
to a minimum.
Cheers
--
Alexander Clouter
.sigmonster says: RAM wasn't built in a day.
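To check how evenly the MD5-based split above actually spreads users, here is an added Python example (not part of the thread, and not FreeRADIUS code) that mirrors the reply's unlang logic and generalises it to N VLANs by taking the whole digest modulo the VLAN count. The usernames are constructed sample data; `vlan_n_way` is an assumed generalisation, not something the reply proposed. Note that the hash input (User-Name or a MAC address) is chosen by the client, so this scheme distributes load but is not an authorisation boundary between VLANs.

```python
import hashlib
from collections import Counter

# Constructed sample usernames (not from the original thread).
SAMPLE_USERS = [f"user{i:03d}" for i in range(200)] + ["alice", "bob"]

# The two VLAN names used in the reply.
TWO_VLANS = ["facstaff0", "facstaff1"]


def md5_hex(user_name: str) -> str:
    """Mirror the %{md5:...} xlat: lowercase hex digest of the string."""
    return hashlib.md5(user_name.encode("utf-8")).hexdigest()


def vlan_two_way(user_name: str) -> str:
    """The reply's unlang logic: first hex digit in 0-7 -> facstaff0, else facstaff1."""
    first = md5_hex(user_name)[0]
    return TWO_VLANS[0] if first in "01234567" else TWO_VLANS[1]


def vlan_n_way(user_name: str, vlans: list) -> str:
    """Assumed generalisation: whole digest as an integer, modulo the VLAN count.

    For two VLANs this reduces to the parity of the last hex digit, which is
    a different (but equally balanced) split from vlan_two_way.
    """
    digest = int(md5_hex(user_name), 16)
    return vlans[digest % len(vlans)]


def distribution(users, chooser) -> Counter:
    """Count how many users each chooser assigns to each VLAN."""
    return Counter(chooser(u) for u in users)


if __name__ == "__main__":
    print("two-way:", distribution(SAMPLE_USERS, vlan_two_way))
    four = ["facstaff0", "facstaff1", "facstaff2", "facstaff3"]
    print("four-way:", distribution(SAMPLE_USERS, lambda u: vlan_n_way(u, four)))
```

Both choosers are deterministic, so a given user always lands in the same VLAN (an advantage over round-robin for DHCP lease stability); the `Counter` output lets you confirm the buckets are close to equal on your own user list before deploying the unlang.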