VLAN-mapping by DEFAULT Entry fails

robiwan at arcor.de robiwan at arcor.de
Tue May 23 10:16:22 CEST 2006


 


----- Original Message ----
From:    A.L.M.Buxey at lboro.ac.uk
To:      FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Date:    23.05.2006 09:46
Subject: Re: VLAN-mapping by DEFAULT Entry fails

> Hi,
> 
> > I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco
> > Catalyst Switch 3750 as authenticator and I want that user hugo will be
> > mapped in VLAN 50 on the switch. This works properly.
> > 
> > Every other user should be mapped in VLAN 999, my guest-vlan. I try this
> > with a DEFAULT-entry, but this does not work, the switch does not accept any
> > other user, in my case user nobody is unauthorized for my authenticator.
> 
> those who don't have dot1x supplicant wouldn't be able to be put onto this
> VLAN

I agree, we are trying to solve this problem with the new Cisco feature MAC authentication bypass, e.g. for printers without a dot1x supplicant.

> though as there would be no dot1x exchange...surely?
> 

Hm, but I have a dot1x supplicant and try an authentication with a username and password not listed in the users file. In my case user nobody, password abc. I ask myself how to deal with DEFAULT entries and tell the switch the right Tunnel-Private-Group-Id.

I wonder why the DEFAULT entry says in the debug output that everything is okay and accepted

-------------------------snip----------------------------------------
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "999"
--------------------------snap------------------------------------------
but my switch ignores it
 
robert 

> surely using the built in guest VLAN facility of the switch itself
> is the best way to achieve this aim? 
> 
> eg in the interface configuration
> 
> dot1x guest-vlan 999
> 
> ?
> 

Yes, I agree. This works fine if there is no xsupplicant sending a dot1x answer.
 
> alan
> 
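
An added example, not part of the original post and not FreeRADIUS code: a small Python parser for the `Sending Access-Accept` debug block quoted above. It checks the three tunnel attributes used for VLAN assignment (RFC 3580) and reports whether an EAP-Message is present. The function names are hypothetical, and flagging a missing EAP-Message rests on the assumption that an authenticator finishing an EAP conversation expects one in the Accept (RFC 3579); the thread itself does not say why the switch ignores the reply.

```python
import re

# Debug lines copied from the post above (FreeRADIUS debug output).
SAMPLE = """\
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "999"
"""

HEADER = re.compile(r"^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)")
# Indented "Name[:tag] = value" lines that follow a "Sending ..." header.
ATTR = re.compile(r"^\s+([\w-]+)(?::\d+)?\s*=\s*(.+?)\s*$")

def parse_replies(debug_text):
    """Return one dict per 'Sending Access-*' block: code, id, nas, attrs."""
    replies, current = [], None
    for line in debug_text.splitlines():
        head = HEADER.match(line)
        if head:
            current = {"code": head.group(1), "id": int(head.group(2)),
                       "nas": head.group(3), "attrs": {}}
            replies.append(current)
            continue
        attr = ATTR.match(line)
        if current is not None and attr:
            current["attrs"][attr.group(1)] = attr.group(2).strip('"')
        else:
            current = None  # any other line ends the attribute block
    return replies

def check_vlan_accept(reply):
    """List what an 802.1X authenticator may find missing in this reply."""
    if reply["code"] != "Access-Accept":
        return ["not an Access-Accept"]
    a, findings = reply["attrs"], []
    if a.get("Tunnel-Type") not in ("VLAN", "13"):
        findings.append("Tunnel-Type is not VLAN")
    if a.get("Tunnel-Medium-Type") not in ("IEEE-802", "6"):
        findings.append("Tunnel-Medium-Type is not IEEE-802")
    if not a.get("Tunnel-Private-Group-Id"):
        findings.append("Tunnel-Private-Group-Id missing")
    if "EAP-Message" not in a:  # assumption: see the lead-in
        findings.append("no EAP-Message in reply")
    return findings

if __name__ == "__main__":
    for r in parse_replies(SAMPLE):
        print(r["code"], r["id"], r["attrs"], check_vlan_accept(r))
```
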
