In advanced access configuration make a radius filter that meets your
needs. Your switch doesn't have to support RFC 4675, 3580 works if only one
device is being plugged in. 4675 is needed for like phones with passthrough
ports. For example:
#filter by digium VoIP device ID
# The section name below is a variable. Call it what you want.
[digium_by_ID]
# The filters are somewhat documented in the default radius engine policy
# comments. In my case, I wanted to filter using device profiling.
filter = fingerbank_info.device_hierarchy_ids
operator = includes
value = 16484

#  I also wanted to be pretty sure it was that type of device.
[digium_minimum_score]
filter = fingerbank_info.score
operator = greater_equals
value = 50

#This rule will return the VLAN ID 1000 in the radius response.
[1:digium_by_ID]
scope = returnRadiusAccessAccept
merge_answer = no
answer1 = Tunnel-Medium-Type => 6
answer2 = Tunnel-Type => 13
# This is the important line. Since I'm using Aruba switches I returned the
# Aruba specific one. But you can also return just Egress-VLANID.
answer3 = HP-Egress-VLANID => 999999999

On Mon, Nov 18, 2019 at 11:41 AM Sajawal Ghani <[email protected]>
wrote:

> I couldn't understand. How shall I use is EGRESS-VLANID is a filter? Could
> you please provide a short example? It would really help me. Thanks.
>
> Regards,
> Sajawal Ghani
> Network Engineer
> _________________________________
>
> iternas GmbH
> Stuttgart branch office
> Mobile: +49 172 894 52 77
> Head office:
>
> iternas GmbH
>
> Pappelallee 78/79
>
> 10437 Berlin
>
> Tel:    +49 30 609 800 24-0
>
> E-Mail: [email protected]
> Web: http://www.iternas.com
>
> Local Court of Berlin (Charlottenburg), HRB 204123 B
> Managing Director: Morris Görke
>
>
> On Mon, 18 Nov 2019 at 20:10, Zacharry Williams <[email protected]>
> wrote:
>
>> It's totally possible to change the tagged VLAN. Just write a radius
>> filter and use EGRESS-VLANID.
>>
>> On Mon, Nov 18, 2019, 11:05 AM Sajawal Ghani via PacketFence-users <
>> [email protected]> wrote:
>>
>>> Thanks for your reply.
>>>
>>> The problem is, I can assign role 'reject' only after the radius has
>>> sent an access-accept response. My end device sends tagged packets and as
>>> soon as the radius response is accept, the device goes into forwarding mode
>>> regardless of whether the radius server assigns a registration VLAN or
>>> 'reject' role. Since the VLAN is tagged it is not possible to influence it.
>>> Therefore, I wanted to ask if there is a way that the radius server can
>>> send a reject response in the first place so the port doesn't allow any
>>> device to go into forwarding mode.
>>> Regards,
>>> Sajawal Ghani
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>
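
Added example, not part of the original thread or of PacketFence: the integer that goes after "Egress-VLANID =>" is the RFC 4675 packed value, a tag-indication octet (0x31 tagged, 0x32 untagged), 12 zero pad bits and the 12-bit VLAN ID. The helper names are hypothetical, VLAN 1000 is taken from the comment in the message above, and the layout shown is the standard Egress-VLANID one; check vendor documentation before assuming a vendor-specific attribute uses it.

```python
# Added example: RFC 4675 Egress-VLANID value encoding (helper names are hypothetical).
TAGGED, UNTAGGED = 0x31, 0x32  # RFC 4675 Tag Indication octet


def encode_egress_vlanid(vlan_id, tagged=True):
    """Pack tag indication (8 bits), 12 zero pad bits and the 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID {vlan_id} outside 1-4094")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan_id


def decode_egress_vlanid(value):
    """Return (vlan_id, tagged); reject values that are not well-formed."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    tag, pad, vlan_id = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if tag not in (TAGGED, UNTAGGED):
        raise ValueError(f"bad tag indication 0x{tag:02x}")
    if pad != 0 or not 1 <= vlan_id <= 4094:
        raise ValueError("non-zero pad bits or reserved VLAN ID")
    return vlan_id, tag == TAGGED


def answer_line(n, attribute, vlan_id, tagged=True):
    """Format a filter answer line in the style used in the message above."""
    return f"answer{n} = {attribute} => {encode_egress_vlanid(vlan_id, tagged)}"


if __name__ == "__main__":
    # Tagged and untagged egress for VLAN 1000.
    print(answer_line(3, "Egress-VLANID", 1000))
    print(answer_line(3, "Egress-VLANID", 1000, tagged=False))
    # Sanity-check a value before putting it in a filter: anything whose top
    # octet is not 0x31/0x32 is not a well-formed Egress-VLANID.
    for candidate in (encode_egress_vlanid(1000), 999999999):
        try:
            print(candidate, "->", decode_egress_vlanid(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

Decoding the value a switch or RADIUS debug log shows is a quick way to confirm which VLAN and tagging mode was actually returned.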