Allowing Access via 'users' when LDAP fails

Fajar A. Nugraha fajar at
Sun Jan 31 14:20:15 CET 2010

On Thu, Jan 28, 2010 at 4:12 AM, Amaru Netapshaak
<postfix_amaru at> wrote:
> Hello,
> I've got FreeRADIUS querying an OpenLDAP server successfully. Users can login and
> their appropriate VLAN information is returned and everythings great.  Right now, if a user
> isnt found in the LDAP database, a reject is returned to the switch and the port goes
> offline. What I'd rather have,is RADIUS reply with a standard response (if the LDAP
> auth fails).
> I tried to do this in the users file, by moving 'files' to below 'ldap' in sites-enabled/default
> and then creating a DEFAULT entry in users that returned the VLAN information I wanted,
> but then it didnt include other relevant info that the switch needs.
> Am I on the right track?

What are you hoping to achieve by trying to make freeradius returns
ACCEPT on all users (CMIIW)?

If you want unregistered users to be able to use a special VLAN with
limited access, it's probably better to configure it in switch side.
Cisco has 802.1X Authentication with Guest VLAN and Restricted
VLAN/authentication failed VLAN.


More information about the Freeradius-Users mailing list