Robert wrote:
> Hello all,
>
> I currently have FR running and happily doing MAC authentication against
> a MYSQL DB.
>
> I can plug a computer into the switch, have the switch grab the MAC
> addy, pass it to FR, hit the DB and return what VLAN that MAC belongs
> to, and then have the switch configure the port to the correct VLAN.
>
> Now the complication that I'm facing is that in our environment, a MAC
> might be assigned to multiple VLANs and our switches only have a
> fraction of the total number of VLANs trunked to them.
>
> What I need is a way FR can not only match the MAC to a VLAN, but also
> to cross reference that result to the VLANs that are available from the
> requesting switch.

If your switches are grouped into relatively few sets with the same vlans
(e.g. buildings) then you can use an rlm_passwd to map NAS-IP-Address to
My-Switch-Group, an rlm_passwd to match Calling-Station-Id to
My-Client-Group then in "users":

DEFAULT My-Switch-Group == "building1", My-Client-Group == "BANNED"
	Tunnel-Private-Group-Id = 123

...etc.

Best would be to use SQL though ("select * from stored_procedure") or an
external script (Exec-Program).
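
Added example (not part of the original thread, and not FreeRADIUS code): the cross-reference asked for in the question, written as the kind of SQL lookup the reply recommends and wrapped in Python, with sqlite3 standing in for MySQL so it runs offline. The table and column names (mac_vlan, nas_vlan, priority) and all sample rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Hypothetical schema (not from the thread): the VLANs a MAC may use, in
# order of preference, and the VLANs trunked to each switch (NAS).
SCHEMA = """
CREATE TABLE mac_vlan (mac TEXT, vlan INTEGER, priority INTEGER);
CREATE TABLE nas_vlan (nas_ip TEXT, vlan INTEGER);
"""

# Constructed sample data.
SAMPLE = """
INSERT INTO mac_vlan VALUES ('001122334455', 10, 1), ('001122334455', 20, 2),
                            ('aabbccddeeff', 30, 1);
INSERT INTO nas_vlan VALUES ('10.0.1.1', 20), ('10.0.1.1', 30),
                            ('10.0.2.1', 10), ('10.0.2.1', 20);
"""

# The cross-reference: VLANs allowed for the MAC that are also present on
# the requesting switch; the most preferred one wins.
QUERY = """
SELECT m.vlan FROM mac_vlan m
JOIN nas_vlan n ON n.vlan = m.vlan
WHERE m.mac = ? AND n.nas_ip = ?
ORDER BY m.priority LIMIT 1
"""


def normalize_mac(calling_station_id):
    """Accept 00-11-22-33-44-55, 00:11:..., 0011.2233.4455; return 12 hex digits or None."""
    digits = re.sub(r"[-:.]", "", calling_station_id).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def lookup_vlan(db, calling_station_id, nas_ip):
    """Return the VLAN to assign, or None so the caller rejects (fail closed)."""
    mac = normalize_mac(calling_station_id)
    if mac is None:
        return None
    row = db.execute(QUERY, (mac, nas_ip)).fetchone()
    return row[0] if row else None


def make_db():
    """Build the in-memory sample database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db
```

A MAC whose permitted VLANs are all absent from the requesting switch returns None here, so the caller can reject the request instead of falling back to a default VLAN.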