Hash username or mac address to assign user to different vlan

Kenneth Marshall ktm at rice.edu
Fri Feb 18 16:18:04 CET 2011


On Fri, Feb 18, 2011 at 03:02:49PM +0000, Dean, Barry wrote:
> 
> On 18 Feb 2011, at 14:26, Phil Mayers wrote:
> 
> > On 18/02/11 14:16, Dean, Barry wrote:
> >> I have been asked to do just this and I am working on the solution
> >> now.
> >> 
> >> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
> >> to one pool and "Students" to the other. Then to select a VLAN
> >> within the pool, use a hashing function and select a VLAN.
> >> 
> >> One concern I have is when is post-auth called? Would it get called
> >> for interim authentication requests? Because I don't want to be
> >> changing the VLAN mid sessions, which could potentially happen with a
> >> non-deterministic hash!
> > 
> > There is no such thing as an "interim" authentication request.
> > 
> > Post-auth is called after every auth.
> > 
> > I suspect you are referring to feature(s) on the switch(es) you use 
> > where it will "re-auth" the client after X minutes. That's just another, 
> > separate authentication as far as FreeRadius is concerned.
> 
> Yep, I was referring to the entries I see in my logs for "Interim-Update", which is of course an Accounting record, and I had always assumed this went with an Auth as well, but have never looked in detail to see! So I am most likely talking rubbish!
> 
> >> 
> >> In my tests I have been creating a hash from the 'State' attribute
> > 
> > That's a very bad idea. It will change mid-session and cause you huge 
> > problems.
> > 
> 
> I will not be using this then :-)
> 
> > We do pervasive VLAN assignment on a large scale here, and my advice is 
> > the same as others in the thread - don't use a hash value. Just map a 
> > user or group to a vlan.
> > 
> > If you need to "balance the numbers of users on a vlan" (why?) then you 
> > should log the vlan assignments to SQL and run a post-processing script 
> > that changes the assignment to keep the "load balanced".
> > 
> > Personally we just run big subnets to reduce the waste of IP space and 
> > configuration overhead.
> > 
> 
> I don't design the wireless network here, I just make the RADIUS work as best I can. It has been decided to have smaller private IP ranges each associated with a VLAN and balance the routing of these across two routers. Then I was asked if I can distribute the users across these VLANS evenly.
> 

This was the initial request from our network group as well.

> I am beginning to think a round robin allocation might just do!
> 

That is what they asked for, but the key is to provide a persistent
VLAN allocation for the length of the client's connection to the network.
You can cache the current VLAN assignment from a pure round-robin
allocation, but that requires managing the information, expiring it as
needed and other sorts of maintenance activities. In the end, using the
hash of a static client parameter such as User-Name or MAC address gives
you an even distribution without the maintenance headaches.

Cheers,
Ken

> However, the goal posts could move again yet! Latest news is that we will have 1 pool of VLANs, so time to tear up the existing code and take a fresh look! I currently have no idea how big these subnets will be either.
> 


> ----------------------
> Barry Dean
> Principal Programmer/Analyst
> Networks Group
> Computing Services Department
> Tel: 0151 795 9540
> Skype: barryvdean
> 



> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
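Ken's suggestion of hashing a static client parameter, worked through as an added example (not code from the thread or from FreeRADIUS): a deterministic hash of User-Name or a normalised Calling-Station-Id selects one VLAN from a per-group pool, so a client keeps its VLAN across re-auths while the population spreads evenly. The pool names, VLAN IDs and the sample user names are constructed for the example.

```python
import hashlib

# Constructed VLAN pools for this example; real IDs come from the site's design.
VLAN_POOLS = {
    "staff": [101, 102, 103, 104],
    "students": [201, 202, 203, 204, 205, 206, 207, 208],
}

def normalize_mac(mac: str) -> str:
    """Canonicalise a Calling-Station-Id so 'AA-BB-CC-DD-EE-FF',
    'aa:bb:cc:dd:ee:ff' and 'aabb.ccdd.eeff' hash to the same value.
    NAS vendors format the MAC differently; without this step the same
    client could land on different VLANs depending on which switch it hit."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits

def pick_vlan(key: str, pool: str) -> int:
    """Deterministically map a static client key to one VLAN in the pool.
    hashlib is used rather than Python's built-in hash(), which is salted
    per process and would move clients between VLANs on every restart,
    exactly the non-deterministic behaviour the thread warns about."""
    vlans = VLAN_POOLS[pool]
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return vlans[int.from_bytes(digest[:8], "big") % len(vlans)]

def assign_vlan(user_name: str, calling_station_id: str, group: str,
                key_attr: str = "User-Name") -> int:
    """Choose the hash key from a static attribute only. State is never an
    acceptable key: it changes on every round trip, as Phil points out."""
    if key_attr == "User-Name":
        key = user_name
    elif key_attr == "Calling-Station-Id":
        key = normalize_mac(calling_station_id)
    else:
        raise ValueError(f"unsupported key attribute: {key_attr}")
    return pick_vlan(key, group)

def distribution(keys, pool: str) -> dict:
    """Count how many of the given keys land on each VLAN of the pool,
    to check that the hash spreads the population evenly."""
    counts = {vlan: 0 for vlan in VLAN_POOLS[pool]}
    for key in keys:
        counts[pick_vlan(key, pool)] += 1
    return counts
```

Running distribution() over a few thousand constructed user names shows each VLAN receiving close to its share, and the same client always returns the same VLAN whichever format the NAS uses for its MAC.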