On 15/09/10 12:30, Fabien COMBERNOUS wrote:
> Thank you Phil for your answer.
>
> On 15/09/2010 11:09, Phil Mayers wrote:
>> Are you using 802.1x or macauth?
>>
>> If you are sending an access-reject, you can't assign a vlan. Reject
>> means "give no service". You either need to send an accept with a
>> vlan, or look for a "reject vlan" feature on your switch.
>
> I'm using macauth. But how do I assign a vlan to unidentified devices?
That's a bit easier, but will depend on how you're looking up vlans.
For example, we used to do this:
authorize {
    update control {
        Tmp-String-0 := "%{sql:select vlan ...}"
    }
    if (control:Tmp-String-0) {
        update reply {
            Tunnel-Private-Group-Id = "%{control:Tmp-String-0}"
        }
    }
    else {
        # mac address is unknown - use fallback vlan
        update reply {
            Tunnel-Private-Group-Id = 1234
        }
    }
}
If you were using rlm_passwd you could do something like:

modules {
    passwd macvlan {
        # this file should contain: m:a:c:a:d:r,vlan
        filename = ${confdir}/macvlan.txt
        format = "*Calling-Station-Id:=Tunnel-Private-Group-Id"
        delimiter = ","
    }
}

authorize {
    # look the MAC up in macvlan.txt (instance name must match the one above)
    macvlan
    if (notfound) {
        # mac address is unknown - use fallback vlan
        update reply {
            Tunnel-Private-Group-Id = 1234
        }
    }
}
...and so on.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
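The lookup-with-fallback logic from the thread above, as an added stand-alone Python model (not FreeRADIUS code and not part of the original posts). It parses a constructed "mac,vlan" table in the shape the passwd example expects, normalises the different Calling-Station-Id spellings switches send (colon, hyphen, Cisco dotted, bare hex) so a lookup does not miss a known device just because the switch formats the MAC differently, and returns the reply items with the fallback VLAN when the MAC is unknown. The file contents, the normalisation rule, the fallback value 1234 and the function names are assumptions for the example; Tunnel-Type and Tunnel-Medium-Type are the RFC 3580 attributes switches normally require next to Tunnel-Private-Group-Id.

```python
# Added example: a stand-alone model of the MAC-to-VLAN lookup with a
# fallback VLAN for unknown devices. Not FreeRADIUS code; the table
# contents, normalisation rule and fallback VLAN are assumptions.
from __future__ import annotations
import re

# Constructed sample of the "m:a:c:a:d:r,vlan" table that the passwd
# module example in the thread would read from macvlan.txt.
MACVLAN_TXT = """\
# mac,vlan  (constructed sample data)
00:11:22:33:44:55,100
aa:bb:cc:dd:ee:ff,200
"""

FALLBACK_VLAN = "1234"   # assumed fallback VLAN for unknown MACs

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> str | None:
    """Canonicalise the MAC spellings seen in Calling-Station-Id
    (aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff, AA:BB:CC:DD:EE:FF, aabbccddeeff)
    into lower-case colon-separated form. Returns None if it is not a MAC."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_macvlan(text: str, delimiter: str = ",") -> dict[str, str]:
    """Parse the mac,vlan table; keys are normalised MACs, values VLAN ids."""
    table: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(delimiter)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields, got {len(parts)}")
        mac = normalise_mac(parts[0])
        if mac is None:
            raise ValueError(f"line {lineno}: bad MAC {parts[0]!r}")
        table[mac] = parts[1].strip()
    return table


def authorize(calling_station_id: str, table: dict[str, str],
              fallback: str = FALLBACK_VLAN) -> dict:
    """Return the reply items for a mac-auth request: the VLAN from the
    table if the MAC is known, otherwise the fallback VLAN. The 'known'
    flag is diagnostic only and would not be sent to the switch."""
    mac = normalise_mac(calling_station_id)
    known = mac is not None and mac in table
    vlan = table[mac] if known else fallback
    return {
        "Tunnel-Type": "VLAN",            # RFC 3580: required alongside the group id
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
        "known": known,
    }


if __name__ == "__main__":
    table = load_macvlan(MACVLAN_TXT)
    for csid in ("AABB.CCDD.EEFF", "00-11-22-33-44-55", "de:ad:be:ef:00:01"):
        print(csid, "->", authorize(csid, table))
```

Two points this makes that the bare unlang does not: a known device still lands in the fallback VLAN if the table key and the switch's Calling-Station-Id differ only in formatting, so normalise both sides (or make the switch send a consistent format); and a switch will generally ignore Tunnel-Private-Group-Id unless Tunnel-Type and Tunnel-Medium-Type accompany it, so a reply that looks right in the debug output can still leave the port on its default VLAN.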