Managing a network where computers sit on different VLANs can be a bit of a nightmare.
Usually a switch port is untagged with the VLAN ID of the computer plugged into it. As computers move around and plug into other ports, you need to reconfigure the port VLAN (PVID) each time. As you can imagine, having to log in to the switch and change ports gets annoying, especially if you have more than 2 VLANs and more than 50 computers to manage.
Welcome FreeRADIUS! FreeRADIUS is an open source RADIUS server that's been around forever (http://freeradius.org/).
Among many other things, FreeRADIUS can configure a switch on the fly. In my specific case, I configured the switch to do MAC authentication against FreeRADIUS. FreeRADIUS, in turn, tells the switch which VLAN to put the port in, based on the connecting computer's unique MAC address.
Pretty cool, eh?
Here's the actual configuration on the switch:
radius-server host 192.168.1.253 auth-port 1812 acct-port 1813 default key 1 $on-o=g"Z|8
mac-authentication enable
FreeRADIUS (Ubuntu)
You should only need to adjust one file for this to work: /etc/freeradius/users. Add one entry per client; the first line holds the check items and the reply items follow, indented, with a comma after every reply item except the last:
abababababab Cleartext-Password := abababababab
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "VLAN-NAME-ON-SWITCH"
Note: abababababab is the MAC address of the computer connecting to the switch, written the way the switch sends it (here as 12 hex digits with no separators). The switch sends the MAC as both the username and the password, which is why it appears twice.
After this, the switch port should get auto-configured based on the connecting client.
Start FreeRADIUS and enjoy. (Start it in debug mode first, so you can watch each authentication exchange and catch any mistakes in the users file.)
/usr/sbin/freeradius -X
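Keeping that users file in sync by hand is the part that does not scale once there are dozens of MACs, so here is an added example (my own code, not from the original post) that generates the entries from a MAC-to-VLAN inventory and reads them back to verify the result. It assumes, as the post's entry does, that the switch sends the MAC as 12 lowercase hex digits with no separators as both User-Name and User-Password (the exact notation varies by switch vendor, so check the debug output first); the inventory and VLAN names below are constructed sample data.

```python
"""Generate and sanity-check FreeRADIUS users-file entries for MAC-auth VLAN assignment."""
import re

# Assumption (matches the post's entry): the switch sends the client MAC as 12 lowercase
# hex digits with no separators. Adjust normalize_mac() if your switch uses another form.
MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 'AB:AB:..', 'ab-ab-..', 'abab.abab.abab' or bare hex; return the bare lowercase form."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not MAC_RE.match(cleaned):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return cleaned


def users_entry(mac: str, vlan: str) -> str:
    """One users-file entry: check items on the first line, reply items indented below,
    every reply item but the last ending in a comma (the format FreeRADIUS expects)."""
    if not vlan or '"' in vlan:
        raise ValueError(f"bad VLAN name: {vlan!r}")
    m = normalize_mac(mac)
    return (
        f'{m}\tCleartext-Password := "{m}"\n'
        '\tTunnel-Type = VLAN,\n'
        '\tTunnel-Medium-Type = IEEE-802,\n'
        f'\tTunnel-Private-Group-Id = "{vlan}"\n'
    )


def build_users_file(inventory) -> str:
    """inventory: iterable of (mac, vlan) pairs. Refuses conflicting duplicates, because
    FreeRADIUS stops at the first matching entry and a silent duplicate would land a host
    on the wrong VLAN. Identical repeats are merged."""
    assigned = {}
    for mac, vlan in inventory:
        m = normalize_mac(mac)
        if m in assigned and assigned[m] != vlan:
            raise ValueError(f"{m} mapped to both {assigned[m]!r} and {vlan!r}")
        assigned[m] = vlan
    return "\n".join(users_entry(m, v) for m, v in assigned.items())


# Matches exactly the entry shape produced above, so a parse round-trip proves the file
# still has the layout FreeRADIUS needs (tabs, commas, quotes) after any hand edits.
ENTRY_RE = re.compile(
    r'^(?P<mac>[0-9a-f]{12})\tCleartext-Password := "(?P=mac)"\n'
    r'\tTunnel-Type = VLAN,\n'
    r'\tTunnel-Medium-Type = IEEE-802,\n'
    r'\tTunnel-Private-Group-Id = "(?P<vlan>[^"\n]+)"$',
    re.MULTILINE,
)


def parse_users_file(text: str) -> dict:
    """Read back well-formed entries as {mac: vlan}; malformed entries simply do not match."""
    return {m.group("mac"): m.group("vlan") for m in ENTRY_RE.finditer(text)}


# Constructed sample inventory (not real hosts): mixed MAC notations, one harmless repeat.
SAMPLE_INVENTORY = [
    ("AB:AB:AB:AB:AB:AB", "STAFF"),
    ("cd-cd-cd-cd-cd-cd", "GUEST"),
    ("abab.abab.abab", "STAFF"),
]

if __name__ == "__main__":
    generated = build_users_file(SAMPLE_INVENTORY)
    print(generated)
    # Round-trip check: everything we wrote must parse back to the same mapping.
    assert parse_users_file(generated) == {"abababababab": "STAFF", "cdcdcdcdcdcd": "GUEST"}
```

Run it with the generated text redirected into a file, then point FreeRADIUS at that file (or paste the entries into /etc/freeradius/users) and start the server with -X to confirm each MAC gets the expected Tunnel-Private-Group-Id in the Access-Accept.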
anonymous
May 29, 2012
is your script billable?