Allowing Access via 'users' when LDAP fails

schilling schilling2006 at gmail.com
Mon Feb 1 22:23:05 CET 2010


Between the MAC Authentication Bypass and 802.1x, how do you force the
port to reauthenticate?

Schilling

On Mon, Feb 1, 2010 at 11:12 AM, Amaru Netapshaak
<postfix_amaru at yahoo.com> wrote:
>
>
> ________________________________
> From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Mon, February 1, 2010 9:51:42 AM
> Subject: Re: Allowing Access via 'users' when LDAP fails
>
> Hi,
>
>> I'm using Cisco 3560G switches.  If a client currently doesn't send EAPOL
>> packets to the switch, the 'guest vlan' works perfectly.
>>
>> However, my clients ARE dot1x capable, and DO send EAPOL packets to the
>> switch, and that makes the switchport stay unavailable for too long while
>> the switch attempts to reauthenticate the client (takes about 65 seconds),
>> by which time the end user's client didn't get an IP address and they
>> cannot login to the AD.
>
> adjust the switch timers then - the default timers will cause the effect
> you have outlined...too long to fail-through
>
>> I just want a port to come up immediately on a guest/restricted type VLAN,
>> allow the client to receive an IP address via DHCP, allow them to
>> authenticate against the AD, and then be placed into the correct vlan (and
>> have DHCP get a new IP address naturally)
>
> how will they then authenticate against the AD after they are on this
> restricted network? captive portal box? the supplicant won't do anything
> after the first stage
>
> you might want to read this guide:
>
> http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
>
> this gives more info on timers/timeouts for each part.... simply reduce
> a few timers like max-req and tx-period and you'll get guest-vlan
> fall-through within a few seconds
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
> Alan,
>
> Thanks for your quick reply!  The plan was to have the guest/restricted
> VLAN have permissions enough to allow the client to authenticate against my
> AD, and then be assigned to the appropriate vlan, where full 'network
> rights' would be granted.
>
> I will check out that document right now.. sounds perfect.  Thanks!
> +AMARU
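As an added illustration of the timer advice quoted above (this is not configuration from the thread, from Cisco's guide, or from the FreeRADIUS project), here is a Cisco IOS access-port configuration in its default form beside a version with the tx-period and retry counts shortened. The interface name, VLAN numbers and timer values are constructed for the example; the `authentication ...` command family assumes a 12.2(50)SE-or-later IOS on the 3560, and the older `dot1x guest-vlan` form is noted in comments for earlier releases.

```cisco
! --- Before: default timers ---
! tx-period defaults to 30 s and max-reauth-req to 2, so a port that sees no
! EAPOL reply only falls through to the guest VLAN after
! (max-reauth-req + 1) * tx-period = 90 s, longer than most DHCP clients wait.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! guest VLAN for hosts that never answer EAP (older IOS: dot1x guest-vlan 100)
 authentication event no-response action authorize vlan 100
 dot1x pae authenticator
!
! --- After: shortened timers so fall-through takes a few seconds ---
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 ! try MAB first, then 802.1X
 authentication order mab dot1x
 authentication event no-response action authorize vlan 100
 ! NOTE: a dot1x-capable supplicant that DOES answer but then fails never
 ! qualifies for the guest VLAN; it is handled by the auth-fail VLAN instead
 ! (older IOS: dot1x auth-fail vlan 100)
 authentication event fail action authorize vlan 100
 dot1x pae authenticator
 ! seconds between EAP-Request/Identity retransmissions (default 30)
 dot1x timeout tx-period 5
 ! retransmissions before declaring the host non-responsive (default 2)
 dot1x max-reauth-req 1
 ! EAP retries once a supplicant has started answering (default 2)
 dot1x max-req 2
!
! With these values the no-response fall-through takes about
! (1 + 1) * 5 = 10 s. Confirm the resulting state with:
!   show authentication sessions interface GigabitEthernet0/1
!   show dot1x interface GigabitEthernet0/1 details
```

The two knobs do different jobs: `tx-period` and `max-reauth-req` govern how long the switch waits for a silent host before it gives up on 802.1X, while `max-req` only governs retries of a conversation that has already begun. Shortening the first pair is what buys the "few seconds" fall-through; lowering `max-req` mostly shortens the failure path for a supplicant that stalls mid-exchange, which is the case Amaru describes, so the auth-fail VLAN line is what actually gets those clients an address.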