Allowing Access via 'users' when LDAP fails
Alan Buxey
A.L.M.Buxey at lboro.ac.uk
Mon Feb 1 16:51:42 CET 2010
Hi,
> I'm using Cisco 3560G switches. If a client currently doesn't send EAPOL packets
> to the switch, the 'guest vlan' works perfectly.
>
> However, my clients ARE dot1x capable, and DO send EAPOL packets to the switch
> and that makes the switchport stay unavailable for too long while the switch attempts
> to reauthenticate the client (takes about 65 seconds), by which time the end user's
> client didn't get an IP address and they cannot login to the AD.
adjust the switch timers then - the default timers will cause the effect
you have outlined... too long to fail-through
> I just want a port to come up immediately on a guest/restricted type VLAN, allow the
> client to receive an IP address via DHCP, allow them to authenticate against the AD,
> and then be placed into the correct vlan (and have DHCP get a new IP address naturally)
how will they authenticate against the AD after they are on this restricted
network? captive portal box? the supplicant won't do anything after the first stage
you might want to read this guide:
http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
this gives more info on timers/timeouts for each part.... simply reduce
a few timers like max-req and tx-period and you'll get guest-vlan fall-through
within a few seconds
alan
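As an added illustration of the timer change suggested in the reply above (this is not configuration from the thread or from Cisco; the interface name, VLAN ids and chosen values are assumptions for a Catalyst 3560-class switch running IOS 12.2), a port configuration that shortens the 802.1X timers so a port without a responding supplicant falls through to the guest VLAN in seconds rather than over a minute:

```cisco
! Added example, not from the original post. Interface, VLAN ids and
! timer values are assumed; adjust them to the local design.
interface GigabitEthernet0/10
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 ! Guest VLAN a port is placed in when nothing answers EAP-Request/Identity
 dot1x guest-vlan 100
 ! IOS defaults: tx-period 30 s, max-req 2, max-reauth-req 2.
 ! Time before guest-VLAN placement is (max-reauth-req + 1) * tx-period,
 ! i.e. 3 x 30 s = 90 s by default; with the values below it is 2 x 5 s = 10 s.
 dot1x timeout tx-period 5
 ! max-reauth-req: retries of EAP-Request/Identity before giving up on the port
 dot1x max-reauth-req 1
 ! max-req: retries of a later EAP request to a supplicant that has already
 ! answered but then stalls; lower it as well so a failing exchange ends quickly
 dot1x max-req 1
 ! Caveat: a tx-period this short can push a slow-booting supplicant into the
 ! guest VLAN before it responds; pick the lowest value the client fleet tolerates.
```

Check the effective values with `show dot1x interface GigabitEthernet0/10` after applying the change.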