I'm using FreeRadius with a Ubiquiti WiFi AP with 802.1x auth using EAP-TLS (mutual client/server cert based auth). This is working well for static VLANs (i.e. specified on the AP).
I'd like to offload the VLAN assignment to Radius so that different users can be assigned to different VLANs.
I am not sure how to do this using EAP-TLS. All docs I've found online use the users file but are using other EAP methods.
So far, I've put this at the top of my /etc/freeradius/users file:
    DEFAULT Tunnel-Medium-Type = 6
            Tunnel-Private-Group-ID = [12],
            Tunnel-Type = VLAN
However no VLAN is assigned by Radius.
I'm not sure where to go from here. Perhaps I need something inside the tls section of /etc/freeradius/eap.conf to tell it to use the users file?
Help is appreciated, thanks!
I managed to get this sorted. The solution was that the first line should be a "Check", and the remaining lines are the replies.
This worked for me:
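
Added example (not the poster's configuration, which this page does not show): a small Python lint over users-file text that flags VLAN tunnel attributes placed on an entry's first (check) line, where they are not sent in the reply. The `laptop01` entry and its values are constructed, and the indentation of the question's entry is assumed.

```python
import re
# VLAN attributes the AP needs in the Access-Accept (RFC 3580)
VLAN_ATTRS = {"Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID"}
ITEM = re.compile(r"([A-Za-z][\w-]*)(?::\d+)?\s*(?:==|:=|\+=|!=|=~|!~|>=|<=|=|<|>)")

def attrs(s):
    return [m.group(1) for m in ITEM.finditer(s)]

def parse_users(text):
    """Split users-file text into entries: name, check attrs, reply attrs."""
    entries = []
    for raw in text.splitlines():
        # Blank out quoted values so '#' or '=' inside them is ignored
        line = re.sub(r'"[^"]*"', '""', raw).split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line[0] in " \t":          # indented line: reply items
            if entries:
                entries[-1]["reply"] += attrs(line)
        else:                         # first line: name, then check items
            parts = line.split(None, 1) + [""]
            entries.append({"name": parts[0], "check": attrs(parts[1]), "reply": []})
    return entries

def lint(text):
    """Return (entry name, message) for misplaced or missing VLAN attributes."""
    findings = []
    for e in parse_users(text):
        misplaced = sorted(VLAN_ATTRS & set(e["check"]))
        missing = sorted(VLAN_ATTRS - set(e["reply"]))
        if misplaced:
            findings.append((e["name"], "check line, not sent in reply: " + ", ".join(misplaced)))
        if missing and (misplaced or len(missing) < len(VLAN_ATTRS)):
            findings.append((e["name"], "missing from reply: " + ", ".join(missing)))
    return findings

SAMPLE = '''\
# Entry from the question, continuation lines indented (assumed layout)
DEFAULT Tunnel-Medium-Type = 6
        Tunnel-Private-Group-ID = [12],
        Tunnel-Type = VLAN
# Constructed entry: check item on line one, VLAN attributes as reply items
laptop01 NAS-Port-Type == Wireless-802.11
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "30"
'''
for name, msg in lint(SAMPLE):
    print(f"{name}: {msg}")
```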