You could do this on IOS based APs by creating multiple SSIDs. You can have a secured SSID that connects to your protected VLAN. Then, you could have an appropriately named SSID (NEWUSERSSTARTHERE ? :-) that is unencrypted and unauthenticated. It is associated with a walled garden VLAN with some kind of web capture device so that when the user connects and opens their browser, they're redirected to your webpage with instructions on how to download the client and configure it. They then get reassociated to the secured SSID.
Other vendors do this more elegantly by providing the ability to specify a "last-resort" VLAN to which users are dumped if they fail authentication via EAP. The main difficulty is that an SSID that supports EAP is encrypted whereas you need an unencrypted SSID for a last-resort type user. So you generally end up with different SSIDs anyway. Rgds, Guy -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Josh Howlett Sent: 09 November 2005 14:39 To: FreeRadius users mailing list Subject: Re: Cisco AP Vlan assignment when proxying EAP-PEAP? Hi Jezz, > Do you have any cunning solutions to how you might get around the > reject issue? > I'd imagine it's quite a common scenario, IE wanting to let users know > that they are doing something wrong as opposed to just rejecting them. Not really. FWIW, I think that a module that caught proxied packets (such as Access-Rejects) and converted them into other packet-types (such as Access-Accepts) would be very useful. best regards, josh. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This e-mail is private and may be confidential and is for the intended recipient only. If misdirected, please notify us by telephone and confirm that it has been deleted from your system and any copies destroyed. If you are not the intended recipient you are strictly prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it. We use reasonable endeavours to virus scan all e-mails leaving the Company but no warranty is given that this e-mail and any attachments are virus free. You should undertake your own virus checking. The right to monitor e-mail communications through our network is reserved by us. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
