<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman,new york,times,serif;font-size:12pt"><div><br></div><div style="font-family: times new roman,new york,times,serif; font-size: 12pt;"><br><div style="font-family: arial,helvetica,sans-serif; font-size: 13px;"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Fajar A. Nugraha <fajar@fajar.net><br><b><span style="font-weight: bold;">To:</span></b> FreeRadius users mailing list <freeradius-users@lists.freeradius.org><br><b><span style="font-weight: bold;">Sent:</span></b> Sun, January 31, 2010 11:43:20 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: Allowing Access via 'users' when LDAP fails<br></font><br>
On Sun, Jan 31, 2010 at 10:16 PM, Amaru Netapshaak<br><<a ymailto="mailto:postfix_amaru@yahoo.com" href="mailto:postfix_amaru@yahoo.com">postfix_amaru@yahoo.com</a>> wrote:<br>> I need a port to come up IMMEDIATELY on the restricted-vlan,<br>> providing my clients with<br>> a DHCP-assigned address, and then once they log in, their appropriate VLAN<br>> info is found in LDAP via<br>> FreeRADIUS and then the switch assigns that port to the right vlan. I have<br>> everything working, except<br>> a way to bring the port up on a vlan immediately and still have it<br>> dynamically controlled via dot1x.<br>><br>> If I can get FreeRADIUS to return an Access-Accept and a generic VLAN<br>> attribute (with a vlan ID that<br>> matches my restriced vlan), then everything should work out. I hope!<br><br>I still think that's a bad idea :P<br>Consider scenario (1): Your user does not know that 802.1x is
needed,<br>and just plug in the cable. What would you like to happen? radius will<br>not be involved here (since there are no EAPOL from the client). At<br>this point the "correct" method to get what you want is by setting the<br>switch in a way that it will assign guest VLAN immediately.<br><br>Consider scenario (2): Your user knows that 802.1x is needed, but<br>enters non-existent/incorrect user/password. What would you like to<br>happen? If it were me, I'd prefer to let the user KNOW something was<br>wrong, in the form that he can't connect at all. That would give him<br>the option to either enter the correct user/password, or disable<br>802.1x (in which case back to scenario #1).<br><br>Anyway, if you still need "accept all", Alan's example should work.<br>Put something like this on authorize section<br><br> ldap<br> if (notfound) {<br>
update control {<br> Auth-Type = Accept<br> }<br> update reply {<br> Tunnel-Private-Group-ID = 10<br> }<br> }<br><br>that way if the user is NOT in ldap, it will simply return<br>Access-Accept with attribute Tunnel-Private-Group-ID = 10 (you can add<br>other required reply attributes there as well).<br><br>Now you'll still need to handle user with incorrect password, and I<br>haven't had the time to try it yet :P. You could probably use similar<br>setting in authenticate section.<br><br>-- <br>Fajar<br><br><br><br>Fajar,<br><br>Again, thanks for your response! <br><br>Scenario
1: this is already happening and works fine. When the switch detects <br>activity on the port but receives no EAPOL packets, it puts the port onto a guest-vlan<br>and that works great.<br><br>Scenario 2: And thats all fine with me. The user would 'know' that something was wrong<br>on my network as the AD authentication would still fail, and barring that, they'd still be<br>on a guest-vlan with almost no access to anything. Perfect!<br><br>I tried your suggestion, still returns REJECT. I'm going to tinker around with it<br>some more.. another poster is correct, the best place to solve this problem is in my<br>switch, instead of trying to break RADIUS :). I'll get there.<br><br>Thanks for all your help!<br>AMARU<br>-<br><span>List info/subscribe/unsubscribe? See <a target="_blank" href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a></span><br></div></div>
<!-- cg5.c2.mail.ac4.yahoo.com compressed/chunked Mon Feb 1 07:32:53 PST 2010 -->
</div><br>
</body></html>