-1

I would like to use FreeRADIUS to dynamically assign VLAN tags using the Tunnel Private Group ID field.

I would like to do this via EAP-TLS and have the FreeRADIUS server assign the VLAN ID based on a given certificate attribute, i.e. the name value in the subject field.

Is this possible?

I have looked at FreeRADIUS dynamic VLAN assignment but cannot see where this could be done. I have seen others create users and have the VLAN ID based on the user, but I would like to base it on the EAP-TLS device certificate.

2 Answers

1

Yes, it is possible. In sites-enabled/default, edit the post_auth section. After

```
update {
    &reply: += &session-state:
}
```

enter:

```
if (&TLS-Client-Cert-Subject == "/C=IT/ST=Rome/L=Rome/O=Freeradius/OU=Fr/CN=comman-name/emailAddress=") {
    update reply {
        # 13 = VLAN
        &Tunnel-Type = 13,
        # 6 = IEEE-802
        &Tunnel-Medium-Type = 6,
        # VLAN number (104) or VLAN name
        &Tunnel-Private-Group-Id = "104"
    }
}
```

Francesco
0

Include a colon to make it work:

```
&Tunnel-Type := 13,
```
tfb
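An added example, not taken from either answer or from the FreeRADIUS project, that extends the approach above: instead of comparing the whole subject string, it captures only the CN with a regular expression, maps it to a VLAN with `:=`, and rejects certificates that have no mapping. It assumes FreeRADIUS 3.x with `TLS-Client-Cert-Subject` available in post-auth as in the first answer; the CN `printer-01`, VLAN `20` and the reject-on-no-match policy are assumptions made for illustration.

```unlang
post-auth {
    update {
        &reply: += &session-state:
    }

    # Only EAP-TLS sessions carry a client certificate subject.
    if (&TLS-Client-Cert-Subject) {
        # Capture the CN component of the one-line subject,
        # e.g. ".../OU=Fr/CN=comman-name/emailAddress=" gives "comman-name".
        if (&TLS-Client-Cert-Subject =~ /\/CN=([^\/]+)/) {
            switch "%{1}" {
                # CN from the first answer's example certificate
                case "comman-name" {
                    update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "104"
                    }
                }
                # Hypothetical second device (assumption)
                case "printer-01" {
                    update reply {
                        &Tunnel-Type := VLAN
                        &Tunnel-Medium-Type := IEEE-802
                        &Tunnel-Private-Group-Id := "20"
                    }
                }
                # Valid certificate but no VLAN mapping: refuse access
                # rather than fall back to the switch port's default VLAN.
                case {
                    reject
                }
            }
        }
        else {
            # Subject has no CN component to map on.
            reject
        }
    }
}
```

`VLAN` and `IEEE-802` are the dictionary names for the values 13 and 6 used in the answers. Running `radiusd -X` while a device authenticates shows the subject string the server actually sees, which is what the regular expression has to match.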