Allowing Access via 'users' when LDAP fails
Amaru Netapshaak
postfix_amaru at yahoo.com
Mon Feb 1 17:12:13 CET 2010
________________________________
From: Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Sent: Mon, February 1, 2010 9:51:42 AM
Subject: Re: Allowing Access via 'users' when LDAP fails
Hi,
> I'm using Cisco 3560G switches. If a client currently doesnt send EAPOL packets
> to the switch, the 'guest vlan' works perfectly.
>
> However, my clients ARE dot1x capable, and DO send EAPOL packets to the switch
> and that makes the switchport stay unavailable for too long while the switch attempts
> to reauthenticate the client (takes about 65 seconds), by which time the end users
> client didnt get an IP address and they cannot login to the AD.
adjust the switch timers then - the default timers will cause the effect
you have outlines...too long to fail-through
> I just want a port to come up immediately on a guest/restricted type VLAN, allow the
> client to receive an IP address via DHCP, allow them to authenticate against the AD,
> and then be placed into the correct vlan (and have DHCP get a new IP address natrually)
how will then authenticate against the AD after they are on this restricted
network? captive portal box? the supplicant wont do anything after the first stage
you might want to read this guide"
http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
this gives more info on timers/timeouts for each part.... simply reduce
a few timers like max-req and tx-period and you'll get guest-vlan fall-through
within a few seconds
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan,
Thanks for your quick reply! The plan was to have the guest/restricted VLAN have
permissions enough to allow the client to authenticate against my AD, and then be
assigned to the appropriate vlan, where full 'network rights' would be granted.
I will check out that document right now.. sounds perfect. Thanks!
+AMARU
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100201/4713b21d/attachment.html>
More information about the Freeradius-Users
mailing list