On 18/02/11 14:16, Dean, Barry wrote:
> I have been asked to do just this and I am working on the solution
> now.
>
> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
> to one pool and "Students" to the other. Then to select a VLAN
> within the pool, use a hashing function and select a VLAN.
>
> One concern I have is when is post-auth called? Would it get called
> for interim authentication requests? Because I don't want to be
> changing the VLAN mid sessions, which could potentially happen with a
> non-deterministic hash!

There is no such thing as an "interim" authentication request.

Post-auth is called after every auth.

I suspect you are referring to feature(s) on the switch(es) you use where it will "re-auth" the client after X minutes. That's just another, separate authentication as far as FreeRadius is concerned.


> In my tests I have been creating a hash from the 'State' attribute

That's a very bad idea. It will change mid-session and cause you huge problems.

We do pervasive VLAN assignment on a large scale here, and my advice is the same as others in the thread - don't use a hash value. Just map a user or group to a vlan.

If you need to "balance the numbers of users on a vlan" (why?) then you should log the vlan assignments to SQL and run a post-processing script that changes the assignment to keep the "load balanced".

Personally we just run big subnets to reduce the waste of IP space and configuration overhead.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
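
The re-authentication problem discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS code: it simulates one client authenticating repeatedly and compares a VLAN picked by hashing State with a VLAN taken from a fixed group mapping. The pool contents, group names and the model of State as a fresh random 16-byte value per authentication are assumptions made for the illustration.

```python
"""Added illustration: VLAN choice across repeated 802.1X authentications."""
import hashlib
import random

# Constructed values, not from the thread: VLAN pool and group names.
STAFF_POOL = [110, 111, 112, 113]
GROUP_TO_VLAN = {"staff": 110, "students": 210}


def vlan_from_state(state, pool):
    """Pick a VLAN by hashing the State attribute (the approach advised against)."""
    digest = hashlib.sha256(state).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def vlan_from_group(group):
    """Pick a VLAN from a fixed group mapping (the approach recommended)."""
    return GROUP_TO_VLAN[group]


def simulate(group, pool, auths, seed=1):
    """Run `auths` separate authentications for one client.

    Assumption: every authentication carries a new random State, because the
    server treats a switch-initiated re-auth as just another authentication.
    """
    rng = random.Random(seed)
    by_state, by_group = [], []
    for _ in range(auths):
        state = bytes(rng.getrandbits(8) for _ in range(16))
        by_state.append(vlan_from_state(state, pool))
        by_group.append(vlan_from_group(group))
    return by_state, by_group


def vlan_changes(assignments):
    """Count how often the VLAN differs from the previous authentication."""
    return sum(1 for a, b in zip(assignments, assignments[1:]) if a != b)


if __name__ == "__main__":
    by_state, by_group = simulate("staff", STAFF_POOL, auths=20)
    print("hash(State):", by_state, "changes:", vlan_changes(by_state))
    print("group map:  ", by_group, "changes:", vlan_changes(by_group))
```

Each change counted for the State-based method is a re-auth that would move a connected client to a different VLAN and subnet.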