Bug Report: Dynamic VLAN Assignment Issue with FreeRADIUS on Debian 12
Describe the bug
Dynamic VLANs are not correctly assigned to connected devices when using FreeRADIUS on Debian 12 configured with daloRADIUS and MariaDB. When setting up VLAN assignments using attributes in daloRADIUS, devices do not receive the assigned VLAN, causing either authentication issues or incorrect VLAN assignment.
The configuration was validated at the database level; when creating the setup for each user, the attributes were not saved in the 'radreply' table, which remained empty. However, when adding the attributes directly into this table, the configuration was successfully applied to clients.
I used the installation script provided in the daloRADIUS repository at this link: https://github.com/lirantal/daloradius. I applied multiple configurations, including modifying the '/etc/freeradius/3.0/sites-available/default' file, detailed in the solution section. However, I believe this change might need to be implemented elsewhere, as the configuration parameters should correctly retrieve the database information.
To Reproduce
Steps to reproduce the issue:
1. Set up dynamic VLANs in FreeRADIUS following the documentation using MariaDB as the backend and daloRADIUS as the frontend. In both cases, information is stored correctly in the database.
2. Configure groups and users in daloRADIUS, assigning VLAN parameters.
3. Authenticate a device against FreeRADIUS using daloRADIUS and perform tests from the server console using the 'radtest' command.
4. Observe that the VLAN configuration is not applied during connection.
Expected behavior
The device should authenticate correctly and receive the VLAN assigned in daloRADIUS.
Desktop (please complete the following information):
OS: Linux Debian 12
Browser: N/A
daloRADIUS Version: Latest version from the repository (include commit hash if possible)
FreeRADIUS Version: 3.0.25
Additional context
This issue impacts dynamic VLAN configuration, which is critical for network segmentation in our environment. VLAN assignment is essential for segregating traffic between different types of users and devices.
Solution
To resolve this issue, I recommend the following:
Profile Configuration and Database Table: Ensure attributes are saved in the 'radgroupcheck' table as follows:
Tunnel-Type = 13
Tunnel-Medium-Type = 6
Tunnel-Private-Group-Id = 10
For the 'radgroupreply' table, save them as:
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id := '<VLAN_ID>'
FreeRADIUS Configuration Changes: Enable the following options:
read_groups = yes
read_profiles = yes
Modify '/etc/freeradius/3.0/sites-available/default' File: Update the 'post-auth' section as follows:
post-auth {
    # Return the VLAN tunnel attributes in the Access-Accept
    update reply {
        Tunnel-Type := VLAN
        Tunnel-Medium-Type := IEEE-802
        # VLAN ID of the user's group: first radusergroup row for the user, looked up in radgroupreply
        Tunnel-Private-Group-ID := "%{sql:SELECT value FROM radgroupreply WHERE attribute='Tunnel-Private-Group-Id' AND groupname = (SELECT groupname FROM radusergroup WHERE username = '%{User-Name}' LIMIT 1)}"
    }
    exec
    remove_reply_message_if_eap
    # Handling of rejected requests
    Post-Auth-Type REJECT {
        attr_filter.access_reject
        eap
        remove_reply_message_if_eap
    }
}
FreeRADIUS Service Restart: Restart the FreeRADIUS service to apply the VLAN configuration changes:
sudo systemctl restart freeradius
Testing with radtest: Conduct local tests using the 'radtest' tool.
Switch AP Authentication: Transitioned my devices using Unifi APs, previously authenticating with my MikroTik router, to the new server, and users were seamlessly authenticated.
Helpful communication
This issue affects dynamic VLAN assignment, so any additional suggestions to improve the integration between FreeRADIUS and daloRADIUS on Debian 12 would be helpful.
Guidance on whether additional FreeRADIUS configurations or specific dependencies for Debian 12 with MariaDB could optimize VLAN assignment is appreciated.
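Added example, not part of the original issue or of the daloRADIUS/FreeRADIUS code: the post-auth lookup in the issue takes the user's group with `LIMIT 1` and no ordering, so a user in several groups, or in a group without a `Tunnel-Private-Group-Id` row, can end up on an unintended or empty VLAN. This Python audit flags such users; it assumes the stock `radusergroup`/`radgroupreply` column names, uses an in-memory SQLite database with constructed rows in place of MariaDB, and `build_sample_db` and `audit_vlan_resolution` are names chosen for this example.

```python
import sqlite3

# Constructed sample rows; column names follow the stock FreeRADIUS SQL schema.
# SQLite stands in for MariaDB so the example runs offline.
SAMPLE = """
CREATE TABLE radusergroup (username TEXT, groupname TEXT, priority INTEGER);
CREATE TABLE radgroupreply (groupname TEXT, attribute TEXT, op TEXT, value TEXT);
INSERT INTO radusergroup VALUES
  ('alice', 'staff', 1), ('bob', 'guests', 1),
  ('carol', 'staff', 1), ('carol', 'guests', 2),
  ('dave', 'printers', 1),
  ('erin', 'staff', 1), ('erin', 'printers', 2);
INSERT INTO radgroupreply VALUES
  ('staff', 'Tunnel-Private-Group-Id', ':=', '10'),
  ('guests', 'Tunnel-Private-Group-Id', ':=', '20');
"""

# Per user: groups held, groups that carry a VLAN ID, distinct VLAN IDs reachable.
AUDIT_QUERY = """
SELECT ug.username,
       COUNT(DISTINCT ug.groupname),
       COUNT(DISTINCT CASE WHEN gr.value IS NOT NULL THEN ug.groupname END),
       COUNT(DISTINCT gr.value)
FROM radusergroup ug
LEFT JOIN radgroupreply gr
  ON gr.groupname = ug.groupname AND gr.attribute = 'Tunnel-Private-Group-Id'
GROUP BY ug.username
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE)
    return conn

def audit_vlan_resolution(conn):
    """Classify what the post-auth 'LIMIT 1' lookup can return for each user."""
    findings = {}
    for user, n_groups, n_with_vlan, n_vlans in conn.execute(AUDIT_QUERY):
        if n_vlans == 0:
            findings[user] = "no-vlan"    # lookup expands to an empty string
        elif n_vlans > 1 or n_with_vlan < n_groups:
            findings[user] = "ambiguous"  # depends on which group row LIMIT 1 picks
        else:
            findings[user] = "ok"
    return findings

if __name__ == "__main__":
    for user, status in sorted(audit_vlan_resolution(build_sample_db()).items()):
        print(f"{user}: {status}")
```

Users with no row in `radusergroup` do not appear in the result at all and need a separate check against the user table.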