Allowing Access via 'users' when LDAP fails

Alan Buxey A.L.M.Buxey at
Mon Feb 1 16:51:42 CET 2010


> I'm using Cisco 3560G switches.  If a client currently doesnt send EAPOL packets
> to the switch, the 'guest vlan' works perfectly.
> However, my clients ARE dot1x capable, and DO send EAPOL packets to the switch
> and that makes the switchport stay unavailable for too long while the switch attempts
> to reauthenticate the client (takes about 65 seconds), by which time the end users
> client didnt get an IP address and they cannot login to the AD.

adjust the switch timers then - the default timers will cause the effect
you have outlines...too long to fail-through

> I just want a port to come up immediately on a guest/restricted type VLAN, allow the
> client to receive an IP address via DHCP, allow them to authenticate against the AD,
> and then be placed into the correct vlan (and have DHCP get a new IP address natrually)

how will then authenticate against the AD after they are on this restricted
network? captive portal box? the supplicant wont do anything after the first stage

you might want to read this guide"

this gives more info on timers/timeouts for each part.... simply reduce
a few timers like max-req and tx-period and you'll get guest-vlan fall-through
within a few seconds


More information about the Freeradius-Users mailing list