Require NAS dependant radius return attributes
> Ben Thompson wrote:
> > The trouble is I need to assign different VLANs to users depending
> > which access point they connect from. What I would like to know is if it
> > is possible to use Huntgroups to look up the VLAN id based on something
> > like the IP address of the access point?
>
> You could test the variable Client-IP-Address in the users file.
>
> testuser  Client-IP-Address == 10.0.0.1, Password := azerty
>           Tunnel-Private-Group-ID:1 := 1,
>           Fall-Through = Yes
>
> testuser  Client-IP-Address == 10.0.0.2, Password := azerty
>           Tunnel-Private-Group-ID:1 := 2,
>           Fall-Through = Yes
>
> --
> Nicolas Baradakis

Hi

Thanks for that advice. I can see that I could end up with a very large users file using this method. Is there any limit on the size of the users file?

In the near future we may have something like 80 entries in there. Is this where you would normally look to use a database backend?

Thanks

Ben

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Require NAS dependant radius return attributes
Ben Thompson wrote:
> Thanks for that advice. I can see that I could end up with a very large
> users file using this method. Is there any limit on the size of the
> users file?

Memory. Also, the CPU time required to walk its internal representation (linked list).

> In the near future we may have something like 80 entries in there. Is
> this where you would normally look to use a database backend?

Yes. Or, if the mappings are relatively simple, you could look at rlm_passwd, which does simple mappings. It uses a hash to look up data, so it should be fast.

Alan DeKok.
Re: Require NAS dependant radius return attributes
On Wed, 2005-08-17 at 10:51 -0400, Alan DeKok wrote:
> Ben Thompson wrote:
> > Thanks for that advice. I can see that I could end up with a very large
> > users file using this method. Is there any limit on the size of the
> > users file?
>
> Memory. Also, the CPU time required to walk its internal
> representation (linked list).
>
> > In the near future we may have something like 80 entries in there. Is
> > this where you would normally look to use a database backend?
>
> Yes. Or, if the mappings are relatively simple, you could look at
> rlm_passwd, which does simple mappings. It uses a hash to look up
> data, so it should be fast.
>
> Alan DeKok.

Hi

Thanks for the info, I will have a look at rlm_passwd. Meanwhile I have tested a setup using the huntgroups file combined with the use of multiple DEFAULT entries in the users file like this :-

huntgroups file

    group1  NAS-Identifier == accesspoint5
    group1  NAS-Identifier == accesspoint2
    group2  NAS-Identifier == switch6
    group2  NAS-Identifier == switch3
    etc..

users file

    user1   NT-Password := 35C8397B2320E568467904961A2AF40F
            Fall-Through = Yes

    user2   NT-Password := 35C8397B2320E568467904961A2AF40F
            Fall-Through = Yes

    DEFAULT
            Tunnel-Type:1 := VLAN,
            Tunnel-Medium-Type:1 := IEEE-802,
            Fall-Through = Yes

    DEFAULT Huntgroup-Name == group1
            Tunnel-Private-Group-ID:1 := 3970,
            Fall-Through = Yes

    DEFAULT Huntgroup-Name == group2
            Tunnel-Private-Group-ID:1 := 4025

This cuts the potential size of my users file down to about 2 entries and the huntgroups file to about 50 entries. Does this sound reasonable? I am currently running on a dual Xeon 2.8GHz with 2GB of RAM which is dedicated to running FreeRADIUS.

Many Thanks

Ben Thompson
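Added example (not part of the original thread and not FreeRADIUS code): a simplified Python model of how the huntgroups file and the DEFAULT entries in the message above resolve to reply attributes, plus a check that lists NAS identifiers which would receive the tunnel type but no VLAN ID. The sample data is constructed from the posted configuration; taking the first matching huntgroup line is an assumption of the model.

```python
# Constructed sample data mirroring the huntgroups/users layout posted above.
HUNTGROUPS = """\
group1 NAS-Identifier == accesspoint5
group1 NAS-Identifier == accesspoint2
group2 NAS-Identifier == switch6
group2 NAS-Identifier == switch3
"""

# Each DEFAULT entry: (required Huntgroup-Name or None, reply attrs, Fall-Through)
DEFAULTS = [
    (None, {"Tunnel-Type:1": "VLAN", "Tunnel-Medium-Type:1": "IEEE-802"}, True),
    ("group1", {"Tunnel-Private-Group-ID:1": "3970"}, True),
    ("group2", {"Tunnel-Private-Group-ID:1": "4025"}, False),
]
VLAN_ATTR = "Tunnel-Private-Group-ID:1"


def parse_huntgroups(text):
    """Return {NAS-Identifier: huntgroup}. Model assumption: first match wins."""
    nas_to_group = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        group, attr, op, value = line.split()
        if attr != "NAS-Identifier" or op != "==":
            raise ValueError(f"unsupported huntgroup check: {line!r}")
        nas_to_group.setdefault(value, group)
    return nas_to_group


def reply_for(nas_identifier, nas_to_group, defaults=DEFAULTS):
    """Walk the DEFAULT entries in order, honouring Fall-Through."""
    group = nas_to_group.get(nas_identifier)
    reply = {}
    for check_group, attrs, fall_through in defaults:
        if check_group is not None and check_group != group:
            continue  # Huntgroup-Name check item did not match
        reply.update(attrs)  # ':=' replaces any earlier value
        if not fall_through:
            break
    return reply


def nas_without_vlan(nas_identifiers, nas_to_group):
    """NAS devices that match no huntgroup and so get no VLAN ID in the reply."""
    return [n for n in nas_identifiers
            if VLAN_ATTR not in reply_for(n, nas_to_group)]
```

Running `nas_without_vlan` over an inventory of deployed access points and switches shows which devices are missing from the huntgroups file before users authenticate through them.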
Re: Require NAS dependant radius return attributes
Ben Thompson wrote:
> This cuts the potential size of my users file down to about 2 entries
> and the huntgroups file to about 50 entries. Does this sound reasonable?

Yes. But also:

> user2   NT-Password := 35C8397B2320E568467904961A2AF40F
>         Fall-Through = Yes

If that's all you're doing with usernames, I'd still suggest using rlm_passwd. It'll be a lot easier to manage, and faster, too.

Alan DeKok.
Require NAS dependant radius return attributes
Hi

I have a problem which I want to find out if I can solve using FreeRADIUS. I am setting up an 802.1x based network where I want to use RADIUS assigned VLANs. I have successfully tested this with Cisco wireless access points and FreeRADIUS 1.0.1 using a users file like this :-

snip

    test3999  NT-Password := 35C8397B2320E568467904861A2AF40F
              Tunnel-Private-Group-ID:1 = 3999,
              Fall-Through = Yes

    test4025  NT-Password := 35C8397B2320E568467904861A2AF40F
              Tunnel-Private-Group-ID:1 = 4025,
              Fall-Through = Yes

    DEFAULT
              Tunnel-Type:1 = VLAN,
              Tunnel-Medium-Type:1 = IEEE-802

snip

The trouble is I need to assign different VLANs to users depending which access point they connect from. What I would like to know is if it is possible to use Huntgroups to look up the VLAN id based on something like the IP address of the access point?

Example: Let's say I have two access points called AP1 and AP2. If a user connects to AP1, I want the RADIUS server to look up from somewhere what is the correct VLAN to assign to people using AP1 and return the correct attributes to suit. If the same user connects to AP2 I want the VLAN id to be the correct one for AP2 which may be different to AP1.

Any advice would be appreciated,

Ben Thompson
Re: Require NAS dependant radius return attributes
Ben Thompson wrote:
> The trouble is I need to assign different VLANs to users depending
> which access point they connect from. What I would like to know is if it
> is possible to use Huntgroups to look up the VLAN id based on something
> like the IP address of the access point?

You could test the variable Client-IP-Address in the users file.

    testuser  Client-IP-Address == 10.0.0.1, Password := azerty
              Tunnel-Private-Group-ID:1 := 1,
              Fall-Through = Yes

    testuser  Client-IP-Address == 10.0.0.2, Password := azerty
              Tunnel-Private-Group-ID:1 := 2,
              Fall-Through = Yes

--
Nicolas Baradakis