Allowing Access via 'users' when LDAP fails

Amaru Netapshaak postfix_amaru at
Mon Feb 1 17:12:13 CET 2010

From: Alan Buxey <A.L.M.Buxey at>
To: FreeRadius users mailing list <freeradius-users at>
Sent: Mon, February 1, 2010 9:51:42 AM
Subject: Re: Allowing Access via 'users' when LDAP fails


> I'm using Cisco 3560G switches.  If a client currently doesn't send EAPOL packets
> to the switch, the 'guest vlan' works perfectly.
> However, my clients ARE dot1x capable, and DO send EAPOL packets to the switch
> and that makes the switchport stay unavailable for too long while the switch attempts
> to reauthenticate the client (takes about 65 seconds), by which time the end user's
> client didn't get an IP address and they cannot login to the AD.

adjust the switch timers then - the default timers will cause the effect
you have outlined... too long to fall-through

> I just want a port to come up immediately on a guest/restricted type VLAN, allow the
> client to receive an IP address via DHCP, allow them to authenticate against the AD,
> and then be placed into the correct vlan (and have DHCP get a new IP address naturally)

how will they then authenticate against the AD after they are on this restricted
network? captive portal box? the supplicant won't do anything after the first stage

you might want to read this guide

this gives more info on timers/timeouts for each part.... simply reduce
a few timers like max-req and tx-period and you'll get guest-vlan fall-through
within a few seconds



Thanks for your quick reply! The plan was to have the guest/restricted VLAN have
permissions enough to allow the client to authenticate against my AD, and then be
assigned to the appropriate vlan, where full 'network rights' would be granted.

I will check out that document right now.. sounds perfect.  Thanks!
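As an added illustration of the timer advice above (this is not configuration from either poster), here is a Catalyst access-port configuration in the older `dot1x` interface syntax, showing the default timing beside shortened timers and the restricted VLAN that catches EAPOL-capable hosts whose authentication fails while LDAP is down; the interface name and VLAN numbers are placeholders.

```cisco
! Assumed: Catalyst 3560 with the pre-"authentication" dot1x command set.
! Interface and VLAN ids below are placeholders, not from the thread.
interface GigabitEthernet0/1
 switchport mode access
 ! Data VLAN a successfully authenticated host ends up in.
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 !
 ! Default timing (what the original poster was seeing):
 !   tx-period 30 s and max-reauth-req 2 give roughly
 !   (2 + 1) * 30 = 90 s before a silent host is moved to the guest VLAN.
 ! Shortened timing: seconds between EAPOL Request/Identity retries.
 dot1x timeout tx-period 10
 ! Retries before a host that never answers is treated as non-802.1X.
 dot1x max-reauth-req 1
 ! EAP-Request retransmissions to a supplicant that did answer.
 dot1x max-req 1
 ! Hosts that never speak EAPOL (printers, thin clients) land here.
 dot1x guest-vlan 100
 ! Hosts that do speak EAPOL but fail authentication (e.g. LDAP unreachable)
 ! land in the restricted VLAN instead of sitting unauthorized.
 dot1x auth-fail vlan 101
 ! Attempts before the port falls through to the auth-fail VLAN.
 dot1x auth-fail max-attempts 1
```

With these values a non-responding host falls through in about (1 + 1) * 10 = 20 s rather than 90 s, and a host whose authentication fails is moved to VLAN 101 after a single attempt, which is what the guest/restricted-then-AD plan in this thread needs.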
