Multiple VLAN value per user

Germán Espinoza Tuesta gr._et at hotmail.com
Wed Oct 25 18:50:54 CEST 2017


I need users registered in a RADIUS database (SQL or LDAP) to be assigned to multiple VLANs in a Software Defined Network. Upon receiving VLAN values from RADIUS, hostapd needs to forward those values to an OpenFlow controller. I think this is beyond FreeRADIUS, thanks for your feedback.


Best regards,


German Espinoza


________________________________
From: Freeradius-Users <freeradius-users-bounces+gr._et=hotmail.com at lists.freeradius.org> on behalf of Alan Buxey <alan.buxey at gmail.com>
Sent: Wednesday, October 25, 2017 16:24
To: FreeRadius users mailing list
Subject: Re: Multiple VLAN value per user

Well, the value returned can be anything, it's all down to what the NAS
supports. What is hostapd going to do if returned multiple VLAN tags or a
string? What are you trying to achieve?

alan

On 25 Oct 2017 4:44 pm, "Germán Espinoza Tuesta" <gr._et at hotmail.com> wrote:

> Thanks for feedback, I'm working with open source software (hostapd
> installed in OpenWRT). Hardware: Wireless access point TPLink WDR3600
>
> Considering Tunnel-Private-Group-Id is a string, I may be able to modify
> hostapd source code to receive a syntax like the one you pointed:
>
> Tunnel-Private-Group-Id = "t:101;t:102;t:103;t:555"
>
> Best regards,
>
> Germán Espinoza
>
> > On Oct 25, 2017, at 10:23, Jason Ackley <jason at ackley.net> wrote:
> >
> > On Wed, Oct 25, 2017 at 8:44 AM, Germán Espinoza Tuesta
> > <gr._et at hotmail.com> wrote:
> >
> >> Most of dynamic VLAN assignment implementations use these RADIUS attributes to work:
> >>
> >> Tunnel-Medium-Type = 6,   #IEEE-802
> >>
> >> Tunnel-Private-Group-Id = "100"
> >>
> >> Is there a way for freeradius to return multiple values in Tunnel-Private-Group-Id?
> >>
> >> I'm working in a project where I want a user to belong to multiple vlans. At the moment, working with a sql database.
> >
> >
> > This really depends more on what your specific NASes/clients can do
> > than if FreeRADIUS can return multiple attribute-value-pairs.
> >
> > Since Tunnel-Private-Group-Id is a string - some device vendors
> > support a syntax in the returned string that allows for
> > tagging/multiple VLANs.
> >
> > An example for a Foundry/Brocade/Ruckus ICX/Arris is something like this:
> >
> >   Tunnel-Private-Group-Id = "t:101;t:102;t:103;t:555;t:workstations"
> >
> > This will cause the port to be tagged in VLANs 101, 102, 103, 555, and
> > whatever the VLAN named 'workstations' is on the switch (which can
> > differ in 802.1q tag value per switch that authenticates).
> >
> > What vendor/NAS devices are you using? Have you checked with the
> > vendor to determine what attribute-value-pairs they are expecting and
> > if they support a tagging syntax? I have not seen much consistency in
> > this area with other vendors - it seems most just stop at implementing
> > the basics of 'We support dynamic VLAN via RADIUS' by allowing you to
> > specify a VLAN ID for untagged traffic.
> >
> >
> >
> > --
> > jason
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
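
Added example, not part of the original thread and not hostapd or FreeRADIUS code: a strict C parser for the `t:101;t:102;...` string syntax discussed above, as a NAS-side modification might validate it before acting on it. The names `parse_tagged_vlans` and `MAX_TAGGED` are hypothetical, and the sketch assumes VLAN names such as `t:workstations` are rejected because resolving them needs a name-to-ID table on the device.

```c
/* Added example: strict parser for the "t:<id>;t:<id>" value quoted in this
 * thread. parse_tagged_vlans() and MAX_TAGGED are hypothetical names. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TAGGED 16   /* assumed upper bound of tagged VLANs per station */

/* Returns the number of VLAN IDs stored in out[], or -1 on any malformed
 * input (fail closed: a partially valid string assigns no VLANs at all). */
int parse_tagged_vlans(const char *val, int *out, int max)
{
    int n = 0;
    const char *p = val;
    if (!val || !*val)
        return -1;
    for (;;) {
        char *end;
        long id;
        if (strncmp(p, "t:", 2) != 0)
            return -1;              /* only the tagged prefix is accepted */
        p += 2;
        if (*p < '0' || *p > '9')
            return -1;              /* names, signs and spaces are rejected */
        errno = 0;
        id = strtol(p, &end, 10);
        if (errno || id < 1 || id > 4094)
            return -1;              /* 0 and 4095 are reserved in 802.1Q */
        for (int i = 0; i < n; i++)
            if (out[i] == id)
                return -1;          /* duplicate tag */
        if (n >= max)
            return -1;              /* more entries than the caller allows */
        out[n++] = (int)id;
        if (*end == '\0')
            return n;
        if (*end != ';')
            return -1;              /* trailing junk such as "101x" */
        p = end + 1;
    }
}

int main(void)
{
    int v[MAX_TAGGED];
    /* Constructed sample value, taken from the syntax shown in the thread. */
    int n = parse_tagged_vlans("t:101;t:102;t:103;t:555", v, MAX_TAGGED);
    for (int i = 0; i < n; i++)
        printf("tagged VLAN %d\n", v[i]);
    return n == 4 ? 0 : 1;
}
```

Because the attribute value arrives over RADIUS, the parser treats it as untrusted input and returns -1 for the whole string rather than applying the entries it could read.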

