On Fri, Feb 18, 2011 at 03:02:49PM +0000, Dean, Barry wrote:
>
> On 18 Feb 2011, at 14:26, Phil Mayers wrote:
>
> > On 18/02/11 14:16, Dean, Barry wrote:
> >> I have been asked to do just this and I am working on the solution
> >> now.
> >>
> >> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
> >> to one pool and "Students" to the other. Then to select a VLAN
> >> within the pool, use a hashing function and select a VLAN.
> >>
> >> One concern I have is when is post-auth called? Would it get called
> >> for interim authentication requests? Because I don't want to be
> >> changing the VLAN mid sessions, which could potentially happen with a
> >> non-deterministic hash!
> >
> > There is no such thing as an "interim" authentication request.
> >
> > Post-auth is called after every auth.
> >
> > I suspect you are referring to feature(s) on the switch(es) you use
> > where it will "re-auth" the client after X minutes. That's just another,
> > separate authentication as far as FreeRadius is concerned
>
> Yep, I was referring to the entries I see in my logs for
> "Interim-Update", which is of course an Accounting record, and I had always
> assumed this went with an Auth as well, but have never looked in detail to
> see! So I am most likely talking rubbish!
>
> >>
> >> In my tests I have been creating a hash from the 'State' attribute
> >
> > That's a very bad idea. It will change mid-session and cause you huge
> > problems.
> >
>
> I will not be using this then :-)
>
> > We do pervasive VLAN assignment on a large scale here, and my advice is
> > the same as others in the thread - don't use a hash value. Just map a
> > user or group to a vlan.
> >
> > If you need to "balance the numbers of users on a vlan" (why?) then you
> > should log the vlan assignments to SQL and run a post-processing script
> > that changes the assignment to keep the "load balanced".
> >
> > Personally we just run big subnets to reduce the waste of IP space and
> > configuration overhead.
> >
>
> I don't design the wireless network here, I just make the RADIUS work as best
> I can. It has been decided to have smaller private IP ranges each associated
> with a VLAN and balance the routing of these across two routers. Then I was
> asked if I can distribute the users across these VLANS evenly.
>
This was the initial request from our network group as well.

> I am beginning to think a round robin allocation might just do!
>

That is what they asked for, but the key is to provide a persistent VLAN
allocation for the length of the client's connection to the network. You can
either cache the current VLAN assignment from a pure round-robin allocation
which requires managing the information, expiring it as needed and other
sorts of maintenance activities. In the end, using the hash of a static
client parameter such as User-Name or MAC address gives you an even
distribution without the maintenance headaches.

Cheers,
Ken

> However, the goal posts could move again yet! Latest news is that we will
> have 1 pool of VLANs, so time to tear up the existing code and take a fresh
> look! I currently have no idea how big these subnets will be either.
>
> ----------------------
> Barry Dean
> Principal Programmer/Analyst
> Networks Group
> Computing Services Department
> Tel: 0151 795 9540
> Skype: barryvdean
>
> ---
> Nice boy, but about as sharp as a sack of wet mice.
> -- Foghorn Leghorn
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
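
An added example, not part of the thread and not FreeRADIUS code: the approach from Ken's reply in Python, hashing a static client parameter (User-Name, or the MAC address as sent in Calling-Station-Id) to pick a VLAN from a pool so that every re-authentication returns the same VLAN. The pool names, VLAN IDs and function names are assumptions made for illustration.

```python
import hashlib
import re
from collections import Counter

# Hypothetical pools; the VLAN IDs are constructed for this example.
POOLS = {
    "staff": [110, 111, 112, 113],
    "students": [210, 211, 212, 213, 214, 215],
}


def normalize_mac(calling_station_id: str) -> str:
    """Reduce the MAC formats a NAS may send (AA-BB-.., aa:bb:..,
    aabb.ccdd.eeff) to 12 lowercase hex digits, so one client always
    produces one hash key."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", calling_station_id).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {calling_station_id!r}")
    return digits


def pick_vlan(pool: str, static_key: str) -> int:
    """Map a static client identifier to one VLAN of the pool.
    The result depends only on the key and the pool contents, so a
    re-authentication mid-session cannot move the client."""
    vlans = POOLS[pool]
    digest = hashlib.sha256(static_key.encode("utf-8")).digest()
    return vlans[int.from_bytes(digest[:8], "big") % len(vlans)]


def vlan_for_mac(pool: str, calling_station_id: str) -> int:
    return pick_vlan(pool, normalize_mac(calling_station_id))


def vlan_for_user(pool: str, user_name: str) -> int:
    # Case-fold so "Alice" and "alice" land on the same VLAN.
    return pick_vlan(pool, user_name.strip().lower())


def distribution(pool: str, n: int = 6000) -> Counter:
    """Count VLAN assignments for n constructed MAC addresses."""
    return Counter(vlan_for_mac(pool, f"02{i:010x}") for i in range(n))


if __name__ == "__main__":
    print(vlan_for_mac("students", "00-11-22-AA-BB-CC"))
    print(sorted(distribution("students").items()))
```

Changing the number of VLANs in a pool remaps most clients, so a pool should only be resized when sessions can be re-established.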