Question

Freeradius Dynamic Vlan Assignment

Asked by: Chug

Hi,

I have two sets of users, Staff and Students. I want to dynamically assign different VLANs to these users on our wired network with Cisco switches. I've two RADIUS servers. They are able to auth the sets of users. Here is the line in the users file ... This is all on the same line.

DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Student, Auth-Type := Wireless_Students, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1

The problem I'm having is: how do I assign Staff and Students to different VLANs? Is the users file able to do this?
I can assign one group (students) a VLAN but not both. Without an SSID, I can direct traffic to one RADIUS server for student logins and the other for Staff logins.


This question has been solved and the asker has verified the solution.
Asked On
2009-08-18 at 07:39:16, ID 24661553
Tags

Freeradius

Topic

Linux Networking

Participating Experts
1
Points
500
Comments
10


Answers

 

by: noci, posted on 2009-08-18 at 14:29:17, ID: 25127866

Then there is too much in one rule...

Match for Staff; if matched, assign a staff VLAN and other settings.

Match for Students; if matched, assign a student VLAN and other settings.

Maybe the last one doesn't need a match and can be the default VLAN.

 

by: Chug, posted on 2009-08-19 at 07:26:13, ID: 25133007

Hi,

Could you provide a sample configuration?

Thanks

 

by: noci, posted on 2009-08-19 at 09:45:45, ID: 25134702

First: what is the authorization section from radiusd.conf -- needed for the correct Autz-Types & Auth-Types.
See also
http://www.ibr.cs.tu-bs.de/cgi-bin/dwww?type=file&location=/usr/share/doc/freeradius/Autz-Type

Assuming you have a correct authorisation & authentication section....
My guess is you still need to differentiate between staff & students somehow... e.g. john@staff is a member of staff & mike or mike@student is a student; plain john would also be a student:

# Autz-Type and Auth-Type are control (check) items, so they belong on the
# entry line with :=, not among the reply attributes.
DEFAULT Huntgroup-Name == 1X, Realm == "staff", Freeradius-Proxied-To == 127.0.0.1, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := STAFF_VLAN_ID

DEFAULT Huntgroup-Name == 1X, Realm != "staff", Freeradius-Proxied-To == 127.0.0.1, Autz-Type := Wireless_Student, Auth-Type := Wireless_Students
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := STUDENT_VLAN_ID

# The next entries assume that anybody proxied from localhost in huntgroup 1X is staff....., your rule did the same. If Autz-Type & Auth-Type were set before, you can check on them (if the previous ones were fall-through rules).

DEFAULT Huntgroup-Name == 1X, Autz-Type == Wireless_Staff, Auth-Type == Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := STAFF_VLAN_ID

DEFAULT Huntgroup-Name == 1X, Autz-Type == Wireless_Student, Auth-Type == Wireless_Students, Freeradius-Proxied-To == 127.0.0.1
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := STUDENT_VLAN_ID



 

by: noci, posted on 2009-08-19 at 09:46:17, ID: 25134709

BTW, the basic question is: what is the difference between an incoming student and an incoming staff member?

 

by: Chug, posted on 2009-08-19 at 13:37:49, ID: 25137066

Hi,

With this configuration in the users file, it will allow both Staff and Students to auth, but Staff get the Student VLAN assigned.
I'm not sure why.



DEFAULT Huntgroup-Name == 1X, Autz-Type == Wireless_Staff, Auth-Type == Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := Berklee-Staff,
        Fall-Through = yes
DEFAULT Autz-Type == Wireless_Student, Auth-Type == Wireless_Students, Freeradius-Proxied-To == 127.0.0.1
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := Berklee-Student

 

by: noci, posted on 2009-08-19 at 15:07:21, ID: 25137859

You probably don't want to fall through after staff. That entry should be final....
If it doesn't match staff, the next entry will go; if it matches staff, all info is known and it's done.

And == is a match check; Autz-Type & Auth-Type are never in a request from an entry system, they are FreeRADIUS specific and internal.

 

by: noci, posted on 2009-08-19 at 15:09:54, ID: 25137875

Also a blank line is required after a section.

 

by: Chug, posted on 2009-08-19 at 15:47:02, ID: 25138095

If I don't go with fall-through after staff, how will the students be able to auth? When students log in I need RADIUS to know there is another auth type. The students' auth will fail on Staff but be successful on Student. How would I get RADIUS to know there are two auth types without fall-through?

Many thanks

 

by: noci, posted on 2009-08-19 at 16:09:02, ID: 25138201

That was my question: HOW DO YOU KNOW what computer is from a student?
In terms of MAC address, certificates, .... anything that can be included in a
radiusd request line...., Autz-Type and Auth-Type are a means of later processing the password check on some individual user.....

Maybe you need to set it up entirely differently... At some place a system is in a database;
based on the check items you determine that it is a staff member, then you immediately assign it a VLAN on the spot. The DEFAULT entries are meant to scrape up a lot of info that is generic...
e.g. anybody coming from radius frontend X should use authorization mechanism Y and database Z ->
DEFAULT Proxy-from==x.x.x.x, autz-type:=Y, auth-type:=Z

As Autz-Type & Auth-Type are no match but more or less a hidden assignment, the difference is that it now is part of the request and not the response... Writing this down, the earlier rules should have been (with := not ==):

DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := STAFF_VLAN_ID

DEFAULT Huntgroup-Name == 1X, Autz-Type := Wireless_Student, Auth-Type := Wireless_Students, Freeradius-Proxied-To == 127.0.0.1
    Tunnel-Type := VLAN,
    Tunnel-Medium-Type := IEEE-802,
    Tunnel-Private-Group-Id := STUDENT_VLAN_ID
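
The matching rules noci describes above (first matching entry wins, Fall-Through continues to the next entry, := is an assignment rather than a comparison, and Auth-Type/Autz-Type are server-side control items that never appear in the request) are enough to explain both of Chug's observations, so here they are as a small evaluator. This is an added example, not code from the thread or from the FreeRADIUS project: it models how the users file (rlm_files in FreeRADIUS 2.x, the version current when this thread was written) selects an entry, it treats Huntgroup-Name and Freeradius-Proxied-To as plain request attributes for simplicity, and the Berklee-* VLAN names come from the thread while the realm values and the three requests are constructed. Because the control attributes are skipped during comparison, neither == nor := on them can tell staff from students; the corrected users text therefore keys on the Realm attribute, as noci's earlier realm-based sample does, with a catch-all that lands everyone else in the student VLAN.

```python
"""Miniature model of FreeRADIUS users-file (rlm_files) entry selection.
Added example; not code from the thread or from FreeRADIUS itself."""
import re

# Server-side control attributes.  They are never in the incoming request, so
# rlm_files skips them when comparing check items: "Auth-Type == X" neither
# matches nor rejects, and "Auth-Type := X" just sets the control value.
CONTROL_ATTRS = {"Auth-Type", "Autz-Type"}

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|!=|=)\s*("[^"]*"|[^,]+?)\s*(?:,|$)')


def parse_items(text):
    """'A == 1, B := "x"' -> [('A', '==', '1'), ('B', ':=', 'x')]"""
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM_RE.findall(text)]


def parse_users(text):
    """Split users-file text into (name, check_items, reply_items) entries.
    Entries are separated by blank lines; '#' lines are comments."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines()
                 if l.strip() and not l.lstrip().startswith("#")]
        if not lines:
            continue
        parts = lines[0].split(None, 1)
        checks = parts[1] if len(parts) > 1 else ""
        reply = ",".join(l.strip().rstrip(",") for l in lines[1:])
        entries.append((parts[0], parse_items(checks), parse_items(reply)))
    return entries


def entry_matches(checks, request):
    """All check items must hold.  ':=' and '=' are assignments and always
    hold; '==' and '!=' need the attribute to be present in the request."""
    for attr, op, value in checks:
        if op in (":=", "=") or attr in CONTROL_ATTRS:
            continue
        if attr not in request:
            return False
        if (op == "==") != (request[attr] == value):
            return False
    return True


def authorize(entries, request):
    """Walk entries in file order; the first match supplies the reply and
    stops processing unless it says Fall-Through = yes."""
    control, reply = {}, {}
    for name, checks, replies in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        if not entry_matches(checks, request):
            continue
        for attr, op, value in checks:
            if op in (":=", "="):
                control[attr] = value
        fall_through = False
        for attr, op, value in replies:
            if attr == "Fall-Through":
                fall_through = value.lower() == "yes"
            elif op == ":=" or attr not in reply:  # ':=' overwrites, '=' only adds
                reply[attr] = value
        if not fall_through:
            break
    return control, reply


def vlan_for(users_text, request):
    """The VLAN the switch would be told to use, or None if no entry matched."""
    return authorize(parse_users(users_text), request)[1].get("Tunnel-Private-Group-Id")


# Constructed sample: the thread's Fall-Through version.  Both entries match
# every 802.1X request (the Autz-Type/Auth-Type checks are skipped) and the
# second entry's ':=' overwrites the staff VLAN.
BROKEN_USERS = """
DEFAULT Huntgroup-Name == 1X, Autz-Type == Wireless_Staff, Auth-Type == Wireless_Staff, Freeradius-Proxied-To == 127.0.0.1
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := Berklee-Staff,
        Fall-Through = yes

DEFAULT Autz-Type == Wireless_Student, Auth-Type == Wireless_Students, Freeradius-Proxied-To == 127.0.0.1
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := Berklee-Student
"""

# Constructed sample: discriminate on an attribute the request really carries
# (Realm, as set by the suffix/realm module), most specific entry first, and a
# catch-all that puts anyone not proven to be staff in the student VLAN.
FIXED_USERS = """
DEFAULT Huntgroup-Name == 1X, Realm == "staff", Freeradius-Proxied-To == 127.0.0.1, Autz-Type := Wireless_Staff, Auth-Type := Wireless_Staff
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := Berklee-Staff

DEFAULT Huntgroup-Name == 1X, Freeradius-Proxied-To == 127.0.0.1, Autz-Type := Wireless_Student, Auth-Type := Wireless_Students
        Tunnel-Type := VLAN,
        Tunnel-Medium-Type := IEEE-802,
        Tunnel-Private-Group-Id := Berklee-Student
"""

# Constructed requests as seen on the home server (simplified: Huntgroup-Name
# and Freeradius-Proxied-To are given as ordinary request attributes).
STAFF = {"User-Name": "john@staff", "Realm": "staff", "Huntgroup-Name": "1X", "Freeradius-Proxied-To": "127.0.0.1"}
STUDENT = {"User-Name": "mike@student", "Realm": "student", "Huntgroup-Name": "1X", "Freeradius-Proxied-To": "127.0.0.1"}
NO_REALM = {"User-Name": "mike", "Huntgroup-Name": "1X", "Freeradius-Proxied-To": "127.0.0.1"}

if __name__ == "__main__":
    no_fall_through = BROKEN_USERS.replace("Fall-Through = yes", "")
    for label, req in (("staff", STAFF), ("student", STUDENT), ("no realm", NO_REALM)):
        print(f"{label:9s} fall-through -> {vlan_for(BROKEN_USERS, req)}, "
              f"no fall-through -> {vlan_for(no_fall_through, req)}, "
              f"fixed -> {vlan_for(FIXED_USERS, req)}")
```

Running it shows the two failure modes side by side: with Fall-Through every user, staff included, ends up in Berklee-Student (Chug's symptom), and with Fall-Through simply removed every user ends up in Berklee-Staff, because the first entry now matches everyone and nothing in it actually distinguishes the groups. Only the realm-keyed file sends john@staff to the staff VLAN and both students to the student VLAN; the catch-all ordering matters, since an unknown or realm-less login should fall into the less privileged VLAN, never the staff one.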



 

by: Chug, posted on 2009-09-01 at 09:34:14, ID: 25233291

Thanks for the info.
