PacketFence - BTS - PacketFence
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0001153PacketFencehardware modulespublic2011-01-17 17:182013-07-11 07:49
Reporterobilodeau 
Assigned Toobilodeau 
PrioritynormalSeveritytweakReproducibilityN/A
StatusassignedResolutionopen 
PlatformOSOS Version
Product Version 
Target VersionFixed in Version 
fixed in git revision
fixed in mtn revision
Summary0001153: More flexible VLAN Attributes handling with RADIUS (support for Vendor Specific Attributes aka VSA)
DescriptionRight now VLAN assignment through RADIUS is always done using the same tunnel attributes namely:

    $RAD_REPLY{'Tunnel-Medium-Type'} = 6;
    $RAD_REPLY{'Tunnel-Type'} = 13;
    $RAD_REPLY{'Tunnel-Private-Group-ID'} = $vlan;


However, to be more flexible, it would be interesting to consider allowing the hardware module to specify it's own RADIUS attributes.

For this, a new call. Here's the pseudo-code:
getVlanAssignmentAttributes(radius_hashref, $vlan) : radius_hashref {
    $RAD_REPLY->{'Tunnel-Medium-Type'} = 6;
    $RAD_REPLY->{'Tunnel-Type'} = 13;
    $RAD_REPLY->{'Tunnel-Private-Group-ID'} = $vlan;
}

put the above default implementation in pf::SNMP and then other modules can differ. For ex:

getVlanAssignmentAttributes(radius_hashref, $vlan) : radius_hashref {
    $RAD_REPLY->{'Tunnel-Medium-Type'} = 6;
    $RAD_REPLY->{'Tunnel-Type'} = 13;
    $RAD_REPLY->{'Tunnel-Private-Group-ID'} = $vlan;
    $RAD_REPLY->{'Extreme-Netlogin-Extended-VLAN'} = T220;
}

would add a hardware-specific reply that would add a tagged VLAN 220 to the port
Steps To Reproduce
Additional Information
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2011-01-17 17:18obilodeauNew Issue
2011-01-17 17:18obilodeauStatusnew => assigned
2011-01-17 17:18obilodeauAssigned To => obilodeau
2011-03-03 15:16obilodeauTarget Version2.1.0 => +1
2011-03-03 15:18obilodeauTarget Version+1 => +2
2013-07-11 07:49roadracer96Note Added: 0003339

Notes
(0003339)
roadracer96   
2013-07-11 07:49   
Id like to bump this. I was working on writing my own poor mans NAC prior to discovering PF. The one thing I was able to do was use Extreme-Netlogin-Extended-VLAN VSA to assign tagged, untagged, or a combination of both to a port. A reply of Extreme-Netlogin-Extended-VLAN = U10;T200 would assign vlan 10 Untagged AND vlan 200 tagged. It would make implementation with Extreme switches more flexible.