It is really frustrating
no idea if I can use unp profile name also there but will check this.Thanks
Thomas
Automativ VLAN port assignment with MACMon
Re: Automativ VLAN port assignment with MACMon
Ok, as mentioned I‘m using Daloradius Web GUI with mariadb together with FreeRadius. Unfortunately I can create a profil for automatic vlan assignment on Web Interface but there is no attribute Filter-id, I only find Tunnel Private Group Id.
It is really frustrating
no idea if I can use unp profile name also there but will check this.
Thanks
Thomas
It is really frustrating
no idea if I can use unp profile name also there but will check this.Thanks
Thomas
Re: Automativ VLAN port assignment with MACMon
Hi guys,
finally I got it running, thanks to Silvio
It´s possible on Daloradius Web Gui for Freeradis to use a different attribute from dictionary (rfc:2865) and here you can choose Filter-ID. So far, so good but there is still one problem that drives me nuts 
I`ve got 2 DHCP ranges running on my Windows Server, VLAN DEFAULT (ID=1) with 172.28.0.100-120 and VLAN Labor (ID=37) with 172.30.37.10-20.
I`ve also created the corresponding unp profiles and mappings as well as the entries for DHCP relay.
unp profile "Labor"
unp profile "DEFAULT"
unp profile "Labor" map vlan 37
unp profile "DEFAULT" map vlan 1
unp port-template "TEMPLATE" direction both aaa-profile "AAA_1" classification ap-mode admin-state enable
unp port-template "TEMPLATE" mac-authentication
unp port 1/1/1 port-type bridge
unp port 1/1/1 port-template "TEMPLATE"
! IP DHCP RELAY:
ip dhcp relay admin-state enable
ip dhcp relay per-interface-mode
ip dhcp relay interface "VLAN1" destination 172.28.0.58
ip dhcp relay interface "VLAN1" admin-state enable
ip dhcp relay interface "Labor" destination 172.28.0.58
ip dhcp relay interface "Labor" admin-state enable
DCHCP is working correctly as when I put VLAN 37 untagged on port 1/1/2 (without unp profile), my laptop immediately receives a correct IP address from IP range 172.30.37.10-20. My problem now: When both IP address ranges (VLAN 1 and VLAN 37) are online same time and I authenticate my laptop on port 1/1/1 via mac authentication and Radius Profile "Labor" for VLAN 37 the system always gives me an IP address from VLAN 1.
DKT-N-Radius--> sh unp user
User
Port Username Mac address IP (V4/V6) Vlan Profile Type Status
--------+--------------------+-----------------+----------------------------------------+----+--------------------------------+------------+-----------
1/1/1 20:7b:d2:a3:c2:75 20:7b:d2:a3:c2:75 172.28.0.100 37 Labor Bridge Active
DKT-N-Radius--> show unp user status
Profile Authentication Restricted
Port Mac address Profile Name Source Type Status Role Name Role Source CP Kerberos Redirect Access
-------+-----------------+--------------------------------+-------+--------------+-------------+--------------------------------+-----------------+--+--------+--------+-----------
1/1/1 20:7b:d2:a3:c2:75 Labor Srv UNP Mac Authenticated - N N Y -
DKT-N-Radius--> show unp user details
Port: 1/1/1
MAC-Address: 20:7b:d2:a3:c2:75
SAP = -,
Service ID = -,
VNID = -,
VPNID = -,
ISID = -,
VPLSID = -,
Access Timestamp = 06/06/2025 18:23:49,
User Name = 20:7b:d2:a3:c2:75,
IP-Address = 172.28.0.100,
Vlan = 37,
Authentication Type = Mac,
Authentication Status = Authenticated,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = 172.28.0.112,
Authentication Server Used = Freeradius,
Server Reply-Message = -,
Profile = Labor,
Profile Source = Auth - Pass - Server UNP,
Profile From Auth Server = Labor,
Session Timeout = 0,
Classification Profile Rule = -,
Role = -,
Role Source = -,
User Role Rule = -,
Restricted Access = No,
Location Policy Status = -,
Time Policy Status = -,
QMR Status = Passed,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None,
Encap Value = -,
Rule ID = 1,
What is wrong in my configuration? When I disable IP range VLAN DEFAULT (ID=1) and re-authenticate I receive the correct address for VLAN LABOR (ID=37).
Thanks a lot and you guys have a great weekend
Thomas
finally I got it running, thanks to Silvio
It´s possible on Daloradius Web Gui for Freeradis to use a different attribute from dictionary (rfc:2865) and here you can choose Filter-ID. So far, so good but there is still one problem that drives me nuts I`ve got 2 DHCP ranges running on my Windows Server, VLAN DEFAULT (ID=1) with 172.28.0.100-120 and VLAN Labor (ID=37) with 172.30.37.10-20.
I`ve also created the corresponding unp profiles and mappings as well as the entries for DHCP relay.
unp profile "Labor"
unp profile "DEFAULT"
unp profile "Labor" map vlan 37
unp profile "DEFAULT" map vlan 1
unp port-template "TEMPLATE" direction both aaa-profile "AAA_1" classification ap-mode admin-state enable
unp port-template "TEMPLATE" mac-authentication
unp port 1/1/1 port-type bridge
unp port 1/1/1 port-template "TEMPLATE"
! IP DHCP RELAY:
ip dhcp relay admin-state enable
ip dhcp relay per-interface-mode
ip dhcp relay interface "VLAN1" destination 172.28.0.58
ip dhcp relay interface "VLAN1" admin-state enable
ip dhcp relay interface "Labor" destination 172.28.0.58
ip dhcp relay interface "Labor" admin-state enable
DCHCP is working correctly as when I put VLAN 37 untagged on port 1/1/2 (without unp profile), my laptop immediately receives a correct IP address from IP range 172.30.37.10-20. My problem now: When both IP address ranges (VLAN 1 and VLAN 37) are online same time and I authenticate my laptop on port 1/1/1 via mac authentication and Radius Profile "Labor" for VLAN 37 the system always gives me an IP address from VLAN 1.
DKT-N-Radius--> sh unp user
User
Port Username Mac address IP (V4/V6) Vlan Profile Type Status
--------+--------------------+-----------------+----------------------------------------+----+--------------------------------+------------+-----------
1/1/1 20:7b:d2:a3:c2:75 20:7b:d2:a3:c2:75 172.28.0.100 37 Labor Bridge Active
DKT-N-Radius--> show unp user status
Profile Authentication Restricted
Port Mac address Profile Name Source Type Status Role Name Role Source CP Kerberos Redirect Access
-------+-----------------+--------------------------------+-------+--------------+-------------+--------------------------------+-----------------+--+--------+--------+-----------
1/1/1 20:7b:d2:a3:c2:75 Labor Srv UNP Mac Authenticated - N N Y -
DKT-N-Radius--> show unp user details
Port: 1/1/1
MAC-Address: 20:7b:d2:a3:c2:75
SAP = -,
Service ID = -,
VNID = -,
VPNID = -,
ISID = -,
VPLSID = -,
Access Timestamp = 06/06/2025 18:23:49,
User Name = 20:7b:d2:a3:c2:75,
IP-Address = 172.28.0.100,
Vlan = 37,
Authentication Type = Mac,
Authentication Status = Authenticated,
Authentication Failure Reason = -,
Authentication Retry Count = 0,
Authentication Server IP Used = 172.28.0.112,
Authentication Server Used = Freeradius,
Server Reply-Message = -,
Profile = Labor,
Profile Source = Auth - Pass - Server UNP,
Profile From Auth Server = Labor,
Session Timeout = 0,
Classification Profile Rule = -,
Role = -,
Role Source = -,
User Role Rule = -,
Restricted Access = No,
Location Policy Status = -,
Time Policy Status = -,
QMR Status = Passed,
Redirect Url = -,
SIP Call Type = Not in a call,
SIP Media Type = None,
Applications = None,
Encap Value = -,
Rule ID = 1,
What is wrong in my configuration? When I disable IP range VLAN DEFAULT (ID=1) and re-authenticate I receive the correct address for VLAN LABOR (ID=37).
Thanks a lot and you guys have a great weekend
Thomas
Re: Automativ VLAN port assignment with MACMon
Hi,
Is there sombody available who is familiar with this DHCP problem? I‘ve checked vlan tagging etc. but everything seems
To be correctly configured.
Thanks bunches for any possible problem solution
Thomas
Is there sombody available who is familiar with this DHCP problem? I‘ve checked vlan tagging etc. but everything seems
To be correctly configured.
Thanks bunches for any possible problem solution
Thomas
Re: Automativ VLAN port assignment with MACMon
While I dont have a solution, seems like the dhcp relay request is being processed before the device is actually assigned into the correct profile.
Are you on the latest version?
Are you on the latest version?
Re: Automativ VLAN port assignment with MACMon
Hi,
I´m on version 8.10.105.R02
Thanks
Thomas
I´m on version 8.10.105.R02
Thanks
Thomas
Re: Automativ VLAN port assignment with MACMon
Check the ip interfaces:
"show ip interfaces"
You don't have any reservation for that client?
Better design is to separate clients and server in different vlan (not vlan 1 for both). I am sure that issue will not occure if you have routing between client and server.
But to see the real reason you need to sniffer the dhcp packets at the server. Compare the discovery packets of good case with them of bad case (for client in labor). If both are same you have to compare the offers.
BR Silvio
"show ip interfaces"
You don't have any reservation for that client?
Better design is to separate clients and server in different vlan (not vlan 1 for both). I am sure that issue will not occure if you have routing between client and server.
But to see the real reason you need to sniffer the dhcp packets at the server. Compare the discovery packets of good case with them of bad case (for client in labor). If both are same you have to compare the offers.
BR Silvio
Re: Automativ VLAN port assignment with MACMon
Hi Silvio,
no reservation for client.
Will go ahead with your proposal.
In the meantime, thanks for you assistance
Thomas
no reservation for client.
Will go ahead with your proposal.
In the meantime, thanks for you assistance
Thomas
Re: Automativ VLAN port assignment with MACMon
Hi guys,
after I installed the DHCP server in a private VLAN, the radius request to all my configured VLANs incl. DHCP answer works fine with
automatic assignment.
Thanks to all for your kind assistance, really appreciated
Best regards
Thomas
after I installed the DHCP server in a private VLAN, the radius request to all my configured VLANs incl. DHCP answer works fine with
automatic assignment.
Thanks to all for your kind assistance, really appreciated
Best regards
Thomas
