<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Fajar A. Nugraha <fajar@fajar.net><br><b><span style="font-weight: bold;">To:</span></b> FreeRadius users mailing list <freeradius-users@lists.freeradius.org><br><b><span style="font-weight: bold;">Sent:</span></b> Sun, January 31, 2010 7:20:15 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: Allowing Access via 'users' when LDAP fails<br></font><br>
On Thu, Jan 28, 2010 at 4:12 AM, Amaru Netapshaak<br><<a ymailto="mailto:postfix_amaru@yahoo.com" href="mailto:postfix_amaru@yahoo.com">postfix_amaru@yahoo.com</a>> wrote:<br>><br>> Hello,<br>><br>> I've got FreeRADIUS querying an OpenLDAP server successfully. Users can log in and<br>> their appropriate VLAN information is returned and everything's great. Right now, if a user<br>> isn't found in the LDAP database, a reject is returned to the switch and the port goes<br>> offline. What I'd rather have is RADIUS reply with a standard response (if the LDAP<br>> auth fails).<br>><br>> I tried to do this in the users file, by moving 'files' to below 'ldap' in sites-enabled/default<br>> and then creating a DEFAULT entry in users that returned the VLAN information I wanted,<br>> but then it didn't include other relevant info that the switch needs.<br>><br>> Am I on the right track?<br><br>What are you hoping to
achieve by trying to make freeradius return<br>ACCEPT on all users (CMIIW)?<br><br>If you want unregistered users to be able to use a special VLAN with<br>limited access, it's probably better to configure it on the switch side.<br>Cisco has 802.1X Authentication with Guest VLAN and Restricted<br>VLAN/authentication failed VLAN.<br><br>-- <br>Fajar<br><br><br>Fajar,<br><br>You are correct, and I do use dot1x now with a configured guest-vlan and restricted-vlan. <br>The problem is that the switch attempts to reauthenticate at least once before dropping the port<br>onto the restricted-vlan. That takes time. And while it's happening, my clients don't get a DHCP<br>address. I need a port to come up IMMEDIATELY on the restricted-vlan, providing my clients with<br>a DHCP-assigned address, and then once they log in, their appropriate VLAN info is found in LDAP via<br>FreeRADIUS and then the switch assigns that port to the right vlan. I have
everything working, except<br>a way to bring the port up on a vlan immediately and still have it dynamically controlled via dot1x. <br><br>If I can get FreeRADIUS to return an Access-Accept and a generic VLAN attribute (with a vlan ID that<br>matches my restricted vlan), then everything should work out. I hope!<br><br>Thanks for your reply!<br><br>+AMARU<br><br><br>-<br><span>List info/subscribe/unsubscribe? See <a target="_blank" href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></span><br></div></div>
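Worked configuration, added here as an example and not taken from the thread or from either poster's setup: the 'users' DEFAULT entry Amaru describes, returning the three RFC 3580 tunnel attributes a dot1x switch needs to place a port on a VLAN, with 'files' listed after 'ldap' in the authorize section of sites-enabled/default. The VLAN ID 999, the file paths, and the surrounding module list are assumptions chosen for illustration.

```text
# /etc/raddb/sites-enabled/default  (assumed path; authorize section, relevant lines only)
# 'ldap' runs first and fills in reply attributes for users it knows;
# 'files' runs after it, so the DEFAULT entry below only applies to
# whatever LDAP did not already set.
authorize {
    preprocess
    eap
    ldap
    files
}

# /etc/raddb/users  (assumed path)
# Catch-all entry with no check items, so it matches every request that
# reaches the files module. VLAN 999 is an assumed ID for the restricted VLAN.
# The '=' operator adds a reply attribute only when one of the same name is
# not already present; users found in LDAP therefore keep their LDAP-assigned
# VLAN, while unknown users get the restricted one. ':=' would overwrite both.
DEFAULT
    Tunnel-Type = VLAN,
    Tunnel-Medium-Type = IEEE-802,
    Tunnel-Private-Group-Id = "999"
```

Two caveats worth checking before relying on this. The reply items only go out in an Access-Accept, and an Access-Accept still requires the authenticate section to succeed: with an EAP method such as PEAP or TTLS, an identity that has no credential the server can verify will still be rejected, so the DEFAULT entry alone does not turn unknown users into accepted ones. And since any supplicant that does get accepted this way lands on VLAN 999 without having been matched against the directory, that VLAN should be firewalled as an untrusted network rather than treated as a slower path to the normal one.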
</div><br>
</body></html>