Hash username or mac address to assign user to different vlan

Dean, Barry B.Dean at liverpool.ac.uk
Fri Feb 18 16:02:49 CET 2011


On 18 Feb 2011, at 14:26, Phil Mayers wrote:

> On 18/02/11 14:16, Dean, Barry wrote:
>> I have been asked to do just this and I am working on the solution
>> now.
>> 
>> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
>> to one pool and "Students" to the other. Then to select a VLAN
>> within the pool, use a hashing function and select a VLAN.
>> 
>> One concern I have is when is post-auth called? Would it get called
>> for interim authentication requests? Because I don't want to be
>> changing the VLAN mid-session, which could potentially happen with a
>> non-deterministic hash!
> 
> There is no such thing as an "interim" authentication request.
> 
> Post-auth is called after every auth.
> 
> I suspect you are referring to feature(s) on the switch(es) you use 
> where it will "re-auth" the client after X minutes. That's just another, 
> separate authentication as far as FreeRadius is concerned.

	Yep, I was referring to the entries I see in my logs for "Interim-Update", which is of course an Accounting record, and I had always assumed this went with an Auth as well, but have never looked in detail to see! So I am most likely talking rubbish!

>> 
>> In my tests I have been creating a hash from the 'State' attribute
> 
> That's a very bad idea. It will change mid-session and cause you huge 
> problems.
> 

	I will not be using this then :-)

> We do pervasive VLAN assignment on a large scale here, and my advice is 
> the same as others in the thread - don't use a hash value. Just map a 
> user or group to a vlan.
> 
> If you need to "balance the numbers of users on a vlan" (why?) then you 
> should log the vlan assignments to SQL and run a post-processing script 
> that changes the assignment to keep the "load balanced".
> 
> Personally we just run big subnets to reduce the waste of IP space and 
> configuration overhead.
> 

I don't design the wireless network here, I just make the RADIUS work as best I can. It has been decided to have smaller private IP ranges each associated with a VLAN and balance the routing of these across two routers. Then I was asked if I can distribute the users across these VLANs evenly.

I am beginning to think a round robin allocation might just do!

However, the goal posts could move again yet! Latest news is that we will have 1 pool of VLANs, so time to tear up the existing code and take a fresh look! I currently have no idea how big these subnets will be either.

----------------------
Barry Dean
Principal Programmer/Analyst
Networks Group
Computing Services Department
Tel: 0151 795 9540
Skype: barryvdean
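
Added example, not part of the original message and not FreeRADIUS code: a deterministic in-pool VLAN choice keyed on a stable identifier (the normalized Calling-Station-Id), compared with keying on State, whose value differs on each authentication. The pool contents, function names and the sample MAC and State values are assumptions constructed for illustration.

```python
import hashlib
import re

# Constructed pools: group name -> VLAN IDs (assumed values, not from the thread).
POOLS = {"staff": [110, 111, 112, 113], "students": [210, 211, 212, 213]}

def normalize_mac(calling_station_id):
    """Reduce a Calling-Station-Id to 12 lowercase hex digits so that
    '00-1A-2B-3C-4D-5E' and '001a.2b3c.4d5e' hash identically."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % calling_station_id)
    return digits

def pick_vlan(group, stable_key):
    """Map a per-client key to one VLAN in the group's pool.
    SHA-256 is used only for even spreading, not for secrecy."""
    pool = POOLS[group]
    digest = hashlib.sha256(stable_key.encode("utf-8")).digest()
    return pool[int.from_bytes(digest[:8], "big") % len(pool)]

def simulate_reauth(group, mac, states):
    """Return (VLANs keyed on MAC, VLANs keyed on State) across re-auths.
    'states' stands in for the State value seen in each authentication."""
    by_mac = [pick_vlan(group, normalize_mac(mac)) for _ in states]
    by_state = [pick_vlan(group, s) for s in states]
    return by_mac, by_state

def spread(group, n):
    """Count how n constructed MAC addresses distribute over the pool."""
    counts = dict.fromkeys(POOLS[group], 0)
    for i in range(n):
        counts[pick_vlan(group, "%012x" % i)] += 1
    return counts

if __name__ == "__main__":
    macs, states = simulate_reauth("students", "00-1A-2B-3C-4D-5E",
                                   ["state-%d" % i for i in range(8)])
    print("keyed on MAC:  ", macs)
    print("keyed on State:", states)
    print("spread of 4000 clients:", spread("students", 4000))
```

The group (pool) should come from the authenticated identity, with the hash only choosing within that pool. Changing the length of a pool remaps most clients to a different VLAN.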
