Hash username or mac address to assign user to different vlan
Phil Mayers
p.mayers at imperial.ac.uk
Fri Feb 18 15:26:10 CET 2011
On 18/02/11 14:16, Dean, Barry wrote:
> I have been asked to do just this and I am working on the solution
> now.
>
> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
> to one pool and "Students" to the other. Then to select a VLAN
> within the pool, use a hashing function and select a VLAN.
>
> One concern I have is when is post-auth called? Would it get called
> for interim authentication requests? Because I don't want to be
> changing the VLAN mid-session, which could potentially happen with a
> non-deterministic hash!

There is no such thing as an "interim" authentication request.
Post-auth is called after every auth.

I suspect you are referring to feature(s) on the switch(es) you use
where it will "re-auth" the client after X minutes. That's just another,
separate authentication as far as FreeRadius is concerned.

>
> In my tests I have been creating a hash from the 'State' attribute

That's a very bad idea. It will change mid-session and cause you huge
problems.

We do pervasive VLAN assignment on a large scale here, and my advice is
the same as others in the thread - don't use a hash value. Just map a
user or group to a vlan.

If you need to "balance the numbers of users on a vlan" (why?) then you
should log the vlan assignments to SQL and run a post-processing script
that changes the assignment to keep the "load balanced".

Personally we just run big subnets to reduce the waste of IP space and
configuration overhead.
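
The approach recommended in the reply above, as an added example that is not part of the original post and not FreeRADIUS code: each user's VLAN is stored in SQL so every auth, including a switch-triggered re-auth, returns the same value, and a separate post-processing pass evens out the pool. The table name, pool contents and function names are hypothetical, and SQLite stands in for whatever SQL backend is in use.

```python
import sqlite3

# Constructed pools (hypothetical VLAN IDs): group -> VLANs available to it.
POOLS = {"staff": [110, 111], "students": [210, 211, 212]}

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS vlan_assignment ("
               "username TEXT PRIMARY KEY, grp TEXT NOT NULL, vlan INTEGER NOT NULL)")
    return db

def vlan_for(db, username, group):
    """Called on every auth: return the stored VLAN, logging a row on first sight."""
    row = db.execute("SELECT vlan FROM vlan_assignment WHERE username = ?",
                     (username,)).fetchone()
    if row:
        return row[0]  # a switch "re-auth" is just another auth and gets the same VLAN
    vlan = POOLS[group][0]  # plain static default for the group; no hashing involved
    with db:
        db.execute("INSERT INTO vlan_assignment VALUES (?, ?, ?)", (username, group, vlan))
    return vlan

def load(db, group):
    """Users per VLAN for one pool, including VLANs that are still empty."""
    counts = dict(db.execute("SELECT vlan, COUNT(*) FROM vlan_assignment "
                             "WHERE grp = ? GROUP BY vlan", (group,)).fetchall())
    return {v: counts.get(v, 0) for v in POOLS[group]}

def rebalance(db, group):
    """Post-processing pass: move users from the fullest to the emptiest VLAN.
    Returns the number of users moved. Assumption: this runs out of band, at a time
    when the moved users are not in a session, since a move applies at their next auth."""
    moved = 0
    while True:
        counts = load(db, group)
        hi = max(counts, key=lambda v: (counts[v], -v))
        lo = min(counts, key=lambda v: (counts[v], v))
        if counts[hi] - counts[lo] <= 1:
            return moved
        user = db.execute("SELECT username FROM vlan_assignment WHERE grp = ? AND vlan = ? "
                          "ORDER BY username LIMIT 1", (group, hi)).fetchone()[0]
        with db:
            db.execute("UPDATE vlan_assignment SET vlan = ? WHERE username = ?", (lo, user))
        moved += 1
```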