Allowing Access via 'users' when LDAP fails

Amaru Netapshaak postfix_amaru at yahoo.com
Mon Feb 1 16:40:57 CET 2010
________________________________
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Sun, January 31, 2010 12:16:17 PM
Subject: Re: Allowing Access via 'users' when LDAP fails

Hi,

What switches? With Cisco you can use various fallthroughs - and you can
ensure that even the non-802.1X clients are catered for.... MAB will allow
you to send a request to the RADIUS server and then it's your policy that matters..
e.g. any MAC address returns an ACCEPT but with a VLAN attribute. The switch then
puts the client on the correct, limited network.... or you can use guest-vlan
or fail-vlan methods on the switch too...

..are you going via the route of 'if not known, then get a network that sends them
to a web portal with instructions, install program etc' - or are you dealing
with these people individually?

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

---------------------------------------------------------------------------------------------------------------------------------

Alan,

I'm using Cisco 3560G switches.  If a client currently doesn't send EAPOL packets
to the switch, the 'guest vlan' works perfectly.

However, my clients ARE dot1x capable, and DO send EAPOL packets to the switch,
and that makes the switchport stay unavailable for too long while the switch attempts
to reauthenticate the client (takes about 65 seconds), by which time the end user's
client didn't get an IP address and they cannot log in to the AD.

I just want a port to come up immediately on a guest/restricted type VLAN, allow the
client to receive an IP address via DHCP, allow them to authenticate against the AD,
and then be placed into the correct VLAN (and have DHCP get a new IP address naturally).

The Cisco guest-vlan or restricted-vlan or fallback vlan or whatever it is, works.. it just
takes too dang long!  My end users aren't going to just sit at their desktops for two or three
minutes staring at the logon window before attempting a login.

Can you share with me a sample configuration of how I can accomplish this in IOS?
I swear I've been toying with various configuration settings for days now.

Thanks!

AMARU
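An added example of the RADIUS-side policy Alan describes (not code from this thread or from the FreeRADIUS project): a FreeRADIUS 2.x `users` file fragment that matches MAB requests, which Cisco switches send with the MAC address as User-Name (and, with PAP, as User-Password) and Service-Type = Call-Check, and returns Access-Accept with VLAN attributes. The MAC address and the VLAN ids 10 and 100 are constructed placeholders.

```text
# Added example for raddb/users; not taken from the thread.
# Entries are tried top to bottom: known MACs first, then a catch-all
# for any other MAB request that reached this point (e.g. after an
# LDAP lookup of the MAC found nothing).

# A known, authorized device (constructed MAC): full network VLAN.
# Cisco MAB presents the MAC as the password, so it is checked here.
001122aabbcc    Cleartext-Password := "001122aabbcc", Service-Type == Call-Check
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "10",
        Fall-Through = No

# Any other MAB request: accept, but only onto the guest VLAN.
# Auth-Type := Accept bypasses password checking for this entry only,
# and the Service-Type check keeps it from matching EAP or plain
# username/password requests, which continue on to LDAP/AD as before.
DEFAULT Service-Type == Call-Check, Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "100",
        Fall-Through = No
```

Because a MAC address is the only thing a MAB request proves, the guest VLAN it lands on should be treated as untrusted network and firewalled accordingly; the switch's own guest-vlan/fail-vlan timers (the 65-second delay Amaru describes) are a separate, switch-side setting.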


