About using groups

Семенюк Александр Петрович SemenyukAP at nn-edinstvo.ru
Mon Aug 22 08:25:16 UTC 2022


Hi guys!
I'm interested in using MAB (MAC address bypass) for dot1x in the LAN and in defining the VLAN number for a LAN switch port based on the MAC address. I use 'users' in FreeRADIUS 3.0 and now should have something like this for each MAC address in my LAN:
a4-bb-6d-c6-2a-b8 Cleartext-Password := "a4-bb-6d-c6-2a-b8"
        cisco-avpair= "tunnel-type=13",
        cisco-avpair= "tunnel-medium-type=6",
        cisco-avpair= "tunnel-private-group-id=2"
or
00-90-8f-55-eb-ee Cleartext-Password := "00-90-8f-55-eb-ee"
        cisco-avpair= "tunnel-type=13",
        cisco-avpair= "tunnel-medium-type=6",
        cisco-avpair= "tunnel-private-group-id=7",
        cisco-avpair = "device-traffic-class=voice"

Most of the strings are the same for all such 'users'. Obviously I want to define some 'group' for each VLAN number in which to define the common strings/attributes, and in the user section keep only the unique attributes, like password or group-id. There should be 3-4 such groups for now. Can I?

  1.  Probably it could be done with Default sections, but for different VLANs I should have a separate 'default' section? It seems too complicated and I have no idea how to do it.
  2.  Or it can be done in the 'post-auth' section, but how can I guess at that time which group this MAC address belongs to? Probably I should define it earlier, based on the MAC address in the 'user' section. Can I?


--------------------
Regards,
Alexander
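
An added example, not part of the original message and not FreeRADIUS code: one way to keep the shared attributes in a single place is to generate the 'users' entries from a group table. The group names (`data-vlan2`, `voice-vlan7`) and function names are hypothetical; the attribute strings and entry layout are copied from the two entries in the message.

```python
import re

# Attributes shared by every MAB entry, taken from the message.
COMMON = ["tunnel-type=13", "tunnel-medium-type=6"]
# Hypothetical group names; each lists only what differs per VLAN.
GROUPS = {
    "data-vlan2": ["tunnel-private-group-id=2"],
    "voice-vlan7": ["tunnel-private-group-id=7", "device-traffic-class=voice"],
}

def normalize_mac(raw):
    """Return the MAC as lowercase hyphen-separated octets, the form used in the message."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def render_entry(raw_mac, group):
    """Build one 'users' entry: MAC as name and password, then the reply items."""
    if group not in GROUPS:
        raise KeyError(f"unknown group: {group}")
    mac = normalize_mac(raw_mac)
    pairs = COMMON + GROUPS[group]
    lines = [f'{mac} Cleartext-Password := "{mac}"']
    for i, pair in enumerate(pairs):
        comma = "," if i < len(pairs) - 1 else ""  # no comma after the last reply item
        lines.append(f'        cisco-avpair = "{pair}"{comma}')
    return "\n".join(lines)

def render_users(assignments):
    """assignments: iterable of (mac, group). The same MAC in two notations is rejected."""
    seen, entries = set(), []
    for raw_mac, group in assignments:
        mac = normalize_mac(raw_mac)
        if mac in seen:
            raise ValueError(f"duplicate MAC: {mac}")
        seen.add(mac)
        entries.append(render_entry(mac, group))
    return "\n\n".join(entries) + "\n"

if __name__ == "__main__":
    # The two MACs from the message, written in other notations (constructed input).
    print(render_users([("A4:BB:6D:C6:2A:B8", "data-vlan2"),
                        ("0090.8f55.ebee", "voice-vlan7")]))
```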


