Freeradius 如何为经过身份验证的客户端分配 VLAN ID?

Freeradius 如何为经过身份验证的客户端分配 VLAN ID?

我正在使用 Freeradius 对 PEAP-GTC 中的用户进行身份验证,并且我希望它为身份验证器提供一个 VLAN ID,该 ID 将分配给经过身份验证的客户端的端口。

验证器已配置为将 radius 服务器接收到的 VLAN ID 分配给客户端的端口,如果不存在则创建 vlan。

在 Freeradius 服务器上,我尝试了在互联网上找到的几种方法将 VLAN ID 发送给身份验证器:

  • 在用户文件中:

    DEFAULT Auth-Type := EAP   # and also DEFAULT NAS-Port-Type == "Ethernet"
    Tunnel-Type = 13,
    Tunnel-Medium-TYpe=6,
    Tunnel-Private-Group-Id=5
    
  • 在 eap 模块文件中:

    eap {
         use_tunneled_reply = yes
         ....
    peap {
         use_tunneled_reply = yes
    
  • 在隧道内站点文件中:

    post-auth {
               ....
               update {
                       &outer.session-state.Tunnel-Type := Tunnel-Type[*]
                       &outer.session-state.Tunnel-Medium-Type := Tunnel-Medium-Type[*]
                       &outer.session-state.Tunnel-Private-Group-Id := Tunnel-Private-Group-Id[*]
                       &outer.session-state.User-Name := Use-Name[*]
                       &outer.session-state: += &rpely:
                       }
    

验证器不断为连接的用户分配默认 vlan,但 freeradius 似乎没有这样做,因此发送 vlan id。

您知道 freeradius 如何为经过身份验证的用户分配 VLAN 吗?

答案1

在现代 freeradius 3 中 -use_tunneled_reply = yes已弃用。正确的内部隧道后认证应在“sites-available/inner-tunnel”中处理。不要设置use_tunneled_reply = yes,而是取消if(0)注释post-auth {}

post-auth {
- - - - 8< - - - -
#
#  Instead of "use_tunneled_reply", change this "if (0)" to an
#  "if (1)". 
#
#if (0) {
if (1) {
  #
  #  These attributes are for the inner-tunnel only,
  #  and MUST NOT be copied to the outer reply.
  #
- - - - 8< - - - -
}

答案2

我正在使用数据库来存储用户的凭据。我需要在其中配置 freeradius 回复,而不是用户文件。

该表radusergroup将用户与组联系起来。该表radgroupreply将对发送给验证者的验证消息的响应添加到所有组成员的验证中。

这是一个你可以加载(根据需要编辑)的 SQL 文件mysql -u root -p database < vlan_file.sql

-- link a user to a group
INSERT INTO radusergroup (username,groupname) VALUES ('username', 'mygroup');

-- link a group to replies
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Type', ':=', '13');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Medium-Type', ':=', '6');
INSERT INTO radgroupreply (groupname, attribute, op, value)
VALUES ('mygroup', 'Tunnel-Private-Group-Id', ':=', 'VLAN ID');

这是我的表格:

mysql> select * from radusergroup;
+----------+-----------+----------+
| username | groupname | priority |
+----------+-----------+----------+
| test     | mygroup   |        1 |
+----------+-----------+----------+
1 row in set (0.00 sec)
mysql>
mysql> select * from radgroupreply;
+----+-----------+-------------------------+----+-------+
| id | groupname | attribute               | op | value |
+----+-----------+-------------------------+----+-------+
| 5  | mygroup   | Tunnel-Type             | := | 13    |
| 6  | mygroup   | Tunnel-Medium-Type      | := | 6     |
| 9  | mygroup   | Tunnel-Private-Group-Id | := | 5     |
+----+-----------+-------------------------+----+-------+
3 rows in set (0.00 sec)
mysql> exit
Bye

当我尝试使用该命令时radtest,我得到了 VLAN ID 的回复:

root@Debian10n2:# radtest test motdepasse 192.168.150.1 1812 passroot
Sent Access-Request Id 243 from 0.0.0.0:54448 to 192.168.150.1: 1812 length 74
User-Name = "test"
User-Password = "motdepasse"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00
Cleartext-Password = "motdepasse"
Received Access-Accept Id 243 from 192.168.150.1:1812 to 192.168.150.30:54448 length 35
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
root@Debian10n2: #

相关内容