I'm attempting to configure FreeRadius to work with Dynamic VLAN Assignment.
What I'm attempting to do is return a specific VLAN ID for known hosts, but return a default VLAN ID for unknown hosts.
This is my first stab at creating a /etc/freeradius/users file, with a single valid MAC address…
    DEFAULT
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Fall-Through = Yes

    00188bc6db33 Cleartext-Password := "00188bc6db33"
        Tunnel-Private-Group-ID := 9

    DEFAULT
        Auth-Type = Accept,
        Tunnel-Private-Group-ID = 1
If I test this using a valid MAC address, it works fine and returns the VLAN ID of 9:
    root@wwwcache1:/etc/freeradius# radtest 00188bc6db33 00188bc6db33 127.0.0.1 0 testing123
    Sending Access-Request of id 251 to 127.0.0.1 port 1812
        User-Name = "00188bc6db33"
        User-Password = "00188bc6db33"
        NAS-IP-Address = 10.58.3.132
        NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=251, length=35
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "9"
…but if I use an unknown MAC address, the authentication is rejected.
    root@wwwcache1:/etc/freeradius# radtest 0123456789ab 0123456789ab 127.0.0.1 0 testing123
    Sending Access-Request of id 13 to 127.0.0.1 port 1812
        User-Name = "0123456789ab"
        User-Password = "0123456789ab"
        NAS-IP-Address = 10.58.3.132
        NAS-Port = 0
    rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=13, length=20
What I would like to see from radtest for this is:
    root@wwwcache1:/etc/freeradius# radtest 0123456789ab 0123456789ab 127.0.0.1 0 testing123
    Sending Access-Request of id 251 to 127.0.0.1 port 1812
        User-Name = "0123456789ab"
        User-Password = "0123456789ab"
        NAS-IP-Address = 10.58.3.132
        NAS-Port = 0
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=251, length=35
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
How can I force FreeRADIUS to always return an Access-Accept packet regardless of the authentication request?
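The following is an added example, not FreeRADIUS code and not part of the original question. It is a small Python model of the rules the users file above depends on: the first, unindented line of an entry carries the name and the check items, the indented lines that follow carry the reply items, DEFAULT matches any User-Name, processing stops at the first matching entry unless that entry sets Fall-Through = Yes, and Auth-Type := Accept only has an effect as a check item on the first line. It feeds the posted file and a variant with Auth-Type moved onto the DEFAULT line through that model, using constructed requests shaped like the radtest calls in the question (the assumption being that the real server's files module resolves these entries the same way).

```python
"""Model of how a FreeRADIUS 'users' file is resolved (added example, not FreeRADIUS code)."""
import re

# attribute, operator (:=, == or =), value (quoted or bare, comma-terminated)
ITEM = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)')

# Items that steer the server's own processing and are never sent to the switch.
CONTROL = {"Auth-Type", "Cleartext-Password"}


def parse_items(text):
    """Return [(attribute, operator, value)] from one comma-separated item list."""
    return [(attr, op, val.strip('"')) for attr, op, val in ITEM.findall(text)]


def parse_users(text):
    """Parse users-file text into [(name, check_items, reply_items)]."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":                  # unindented: name + check items
            name, _, rest = line.strip().partition(" ")
            entries.append((name, parse_items(rest), []))
        else:                                     # indented: reply items
            entries[-1][2].extend(parse_items(line))
    return entries


def resolve(entries, request):
    """Walk the entries for one request and return (packet_type, reply_attributes)."""
    control, reply = {}, {}
    for name, check, rep in entries:
        if name != "DEFAULT" and name != request.get("User-Name"):
            continue
        pending, matched = {}, True
        for attr, _op, val in check:
            if attr in CONTROL:
                pending[attr] = val               # remembered, not compared
            elif request.get(attr) != val:        # ordinary check item must match
                matched = False
        if not matched:
            continue
        control.update(pending)
        fall_through = False
        for attr, _op, val in rep:
            if attr == "Fall-Through":
                fall_through = val.lower() == "yes"
            elif attr not in CONTROL:             # Auth-Type in a reply list does nothing
                reply[attr] = val
        if not fall_through:                      # first match ends the search
            break
    accepted = control.get("Auth-Type") == "Accept" or (
        "Cleartext-Password" in control
        and control["Cleartext-Password"] == request.get("User-Password")
    )
    # A reject carries no reply attributes (the length=20 packet in the question).
    return ("Access-Accept", reply) if accepted else ("Access-Reject", {})


# The file from the question, with reply items indented as the format requires.
POSTED = """\
DEFAULT
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Fall-Through = Yes

00188bc6db33 Cleartext-Password := "00188bc6db33"
    Tunnel-Private-Group-ID := 9

DEFAULT
    Auth-Type = Accept,
    Tunnel-Private-Group-ID = 1
"""

# Same entries, but Auth-Type placed on the DEFAULT line where check items live.
CORRECTED = """\
DEFAULT
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Fall-Through = Yes

00188bc6db33 Cleartext-Password := "00188bc6db33"
    Tunnel-Private-Group-ID := 9

DEFAULT Auth-Type := Accept
    Tunnel-Private-Group-ID = 1
"""


def mac_request(mac):
    """Constructed Access-Request shaped like 'radtest <mac> <mac> ...' above."""
    return {"User-Name": mac, "User-Password": mac}


def vlan_for(users_text, mac):
    """Return (packet_type, VLAN id or None) for one MAC against one users file."""
    code, reply = resolve(parse_users(users_text), mac_request(mac))
    return code, reply.get("Tunnel-Private-Group-ID")


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("corrected", CORRECTED)):
        for mac in ("00188bc6db33", "0123456789ab"):
            print(label, mac, vlan_for(text, mac))
```

Run as-is, the posted file gives the known MAC VLAN 9 and the unknown MAC an Access-Reject, which is the behaviour the question reports; with Auth-Type on the DEFAULT line the unknown MAC gets an Access-Accept with VLAN 1. The known-MAC entry still ends the search before the catch-all is reached, so a known MAC with the wrong password is rejected rather than falling into the default VLAN. The check worth keeping in mind is that a catch-all DEFAULT entry means any MAC at all reaches whatever VLAN it hands out, so that VLAN needs the same isolation as a switch-side failed-auth VLAN.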
Best Answer
Would it not be better to configure your switch with a "failed auth" VLAN? I seriously doubt you'll ever find a way to make any authentication ALWAYS say any username/password combination is correct... without breaking a lot of things.