VLAN ID based on VSAs

Phil Mayers p.mayers at imperial.ac.uk
Mon Mar 5 11:58:13 CET 2012


On 05/03/12 09:38, Stefano Zanmarchi wrote:
> Hi,
> my first post here, a newbie question, thanks for your help.
> I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5).
> ServerB will be connected to an AP and I want it to proxy all EAP
> requests to serverA (TTLS-PAP
> will be the only method accepted) which will do authentication using
> an OpenLDAP backend.

Ok. That's a weird config, but ok.

> My question:
> I'd like to configure serverA to include in the Access-Accept packet
> some AVPs which are specific
> to my Organization, like department_name, employee_role (I believe
> these are the so called VSAs),
> and I'd like serverB to perform some if-then-else logic on these VSAs
> to dynamically calculate the
> VLAN-ID to return to the AP.
> Is this possible (in a simple way)? Is it a common set up?

It's not common.

It is pretty easy though; on serverB do something like this:

post-proxy {
   ...
   # Ensure this filter permits "Some-Attr"
   attr_filter.name
}

post-auth {
   if (reply:Some-Attr == ...) {
     update reply {
       My-Vlan := 123
     }
   }
}

See the sample config for more details on the attr_filter module, and 
"man unlang" for more info on processing.
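A fuller version of the approach sketched above, written as an added example for serverB (FreeRADIUS 2.x unlang) and not taken from the original thread. It uses the RFC 3580 tunnel attributes that APs expect for VLAN assignment; the VSA names Department-Name and Employee-Role, the VLAN numbers and the attr_filter instance name are assumptions, and the VSAs must be defined in a local dictionary on both servers and permitted in the post-proxy attr_filter's "attrs" file.

```unlang
# serverB, sites-enabled/default (added example, not the list poster's config).
# Assumes Department-Name and Employee-Role are hypothetical VSAs defined in
# a local dictionary and listed in the post-proxy attr_filter's "attrs" file.
post-proxy {
    # Drop anything unexpected the home server returned; our VSAs pass.
    attr_filter.post-proxy
}

post-auth {
    # Do not trust a VLAN the home server may have set; start clean.
    update reply {
        Tunnel-Type !* ANY
        Tunnel-Medium-Type !* ANY
        Tunnel-Private-Group-Id !* ANY
    }

    # Map the organisation's VSAs to a VLAN (assumed VLAN numbers).
    if (reply:Department-Name == "finance" && reply:Employee-Role == "manager") {
        update reply { Tunnel-Private-Group-Id := 110 }
    }
    elsif (reply:Department-Name == "finance") {
        update reply { Tunnel-Private-Group-Id := 100 }
    }
    elsif (reply:Employee-Role == "contractor") {
        update reply { Tunnel-Private-Group-Id := 900 }
    }
    else {
        # Missing or unknown attributes: land in a restricted VLAN
        # rather than in whatever the AP's default happens to be.
        update reply { Tunnel-Private-Group-Id := 999 }
    }

    # RFC 3580: the AP needs all three attributes to apply the VLAN.
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
    }

    # Keep the internal VSAs off the wire towards the AP.
    update reply {
        Department-Name !* ANY
        Employee-Role !* ANY
    }
}
```

Run serverB with "radiusd -X" and check that the Access-Accept sent to the AP carries only the three Tunnel-* attributes and none of the internal VSAs.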

