Dynamic VLAN assignment depending on LDAP user group and MAC address
Alan DeKok
aland at deployingradius.com
Sun Oct 13 03:51:00 CEST 2013
Fabrizio Vecchi wrote:
> I guess at the end of the day my question boils down to the following:
> where should I put the MAC check, so that the user gets assigned to the
> right VLAN?

In post-auth.

> If I put it in the authorize part of sites-enabled/default, the VLAN
> update request will get overwritten by the post-auth part of
> sites-enabled/inner-tunnel;

The default configuration for the inner-tunnel does *not* set a VLAN
in post-auth. So one configuration you added prevents you from using
another configuration you added.

> and if I put it in the post-auth of the file
> sites-enabled/default file (which gets executed after inner-tunnel), the
> authorized_macs function always returns noop.

Delete the "set VLAN" stuff from the post-auth of the inner tunnel.
As you've seen, it breaks the other configuration you're trying to use.

When you put "authorized_macs" into the "post-auth", it runs the
"post-auth" processing. Which doesn't read the "users" file... as the
"users" file is done only in the "authorize" section.

You should be able to put "authorized_macs.authorize" in the post-auth
section. That will make it process the "users" file, and do what you want.

Alan DeKok.
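
The layout described in the reply above, as an added configuration sketch that is not part of the original message or of the FreeRADIUS default configuration. The definition of the "authorized_macs" instance, its file path, the MAC address and the VLAN ID are assumptions constructed for illustration.

```conf
# --- module definition (assumed: "authorized_macs" is a "files" instance) ---
files authorized_macs {
	# Look entries up by the client's MAC address
	key = "%{Calling-Station-Id}"
	# "users"-format file; this path is an assumption
	usersfile = ${confdir}/authorized_macs
}

# --- ${confdir}/authorized_macs (constructed sample entry) ---
# The key must be written in the same format the NAS uses for
# Calling-Station-Id, otherwise the lookup finds nothing and returns noop.
00-11-22-33-44-55
	Tunnel-Type := VLAN,
	Tunnel-Medium-Type := IEEE-802,
	Tunnel-Private-Group-Id := "20"

# --- sites-enabled/inner-tunnel ---
post-auth {
	# No VLAN (Tunnel-*) reply updates here. Any "set VLAN" block that
	# was added locally is deleted, so it cannot conflict with the
	# MAC-based assignment done in the outer server.
}

# --- sites-enabled/default ---
post-auth {
	# A bare "authorized_macs" here would run the module's post-auth
	# method, which does not read the "users"-format file.
	# The ".authorize" suffix runs the authorize method instead, so the
	# file above is processed and its reply attributes are added.
	authorized_macs.authorize
}
```

Running the server with `radiusd -X` shows which module method is called in each section and what return code it gives, which confirms whether the MAC entry matched.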