Question on Cisco-AVPair = "device-traffic-class=voice"

Matthew Newton mcn4 at leicester.ac.uk
Sat Jun 23 10:17:47 CEST 2012


On Sat, Jun 23, 2012 at 08:35:31AM +0800, John wrote:
> With this solution, both IP phones and other devices will be marked
> as 'voice', right?

Yes

> Can we distinguish whether it is a 'voice' device, and then add
> Cisco-AVPair = "device-traffic-class=voice"? Otherwise, don't
> add this attribute.

I hit exactly this issue this week.

It depends on what your NAS sends in the request. Annoyingly it
seems that Cisco doesn't send anything useful apart from the MAC
address in Calling-Station-Id (that I can find), or the username
or certificate checks if you're using 802.1x rather than MAB.

(In my case, at this stage, I'm less concerned about the security
and would more like logging and an easy way to block a MAC
address, so if the switch sent device class details, or even PoE
state, from LLDP or CDP, it would be much more useful, but I
haven't yet found a way to get it to do that.)

So you either look it up in a database, or check the MAC prefix.
Something like

if (Calling-Station-Id =~ /^001122/) {
  # tag the session as voice
  update reply {
    Cisco-AVPair = "device-traffic-class=voice"
  }
}

As I said before -

> man unlang

Cisco specifically say in their documentation that you can't check
the MAC address prefix if you're using Cisco phones, though, as
unlike some other more useful manufacturers they use many
different prefixes for their phones. That pushes you to have to
use a database of some kind if you use their system (which
thankfully we don't).

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Architect (UNIX and Networks), Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>


More information about the Freeradius-Users mailing list
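
Added example, not part of the original message or of FreeRADIUS: the decision discussed in the message (look the MAC from Calling-Station-Id up in a database, with a prefix check only as a fallback) sketched in Python. The table layout, function names and sample MAC addresses are assumptions constructed for illustration.

```python
import re
import sqlite3

VOICE_AVPAIR = ("Cisco-AVPair", "device-traffic-class=voice")

def normalise_mac(calling_station_id):
    """Reduce 00-11-22-AA-BB-CC, 0011.22aa.bbcc or 00:11:22:aa:bb:cc to 001122aabbcc."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id or "").lower()
    return digits if len(digits) == 12 else None

def open_inventory(rows):
    """Build an in-memory table standing in for the site's device database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE devices (mac TEXT PRIMARY KEY, class TEXT NOT NULL)")
    db.executemany("INSERT INTO devices VALUES (?, ?)",
                   [(normalise_mac(m), c) for m, c in rows])
    return db

def reply_attributes(db, calling_station_id, voice_prefixes=()):
    """Return the reply attribute pairs for one request; empty list if not voice."""
    mac = normalise_mac(calling_station_id)
    if mac is None:
        return []  # malformed value: never tag it as voice
    # Bound parameter: the value comes from the network and is not trusted.
    row = db.execute("SELECT class FROM devices WHERE mac = ?", (mac,)).fetchone()
    if row is not None:
        # An exact database entry wins over any prefix guess.
        return [VOICE_AVPAIR] if row[0] == "voice" else []
    if any(mac.startswith(p.lower()) for p in voice_prefixes):
        return [VOICE_AVPAIR]
    return []

# Constructed sample data, not real devices.
SAMPLE_INVENTORY = [
    ("00-11-22-33-44-55", "voice"),
    ("00:11:22:33:44:66", "data"),   # shares the phone prefix but is not a phone
    ("a0b1.c2d3.e4f5", "voice"),     # a phone outside the 001122 prefix
]
```
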