________________________________
From: Fajar A. Nugraha <fa...@fajar.net>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Sun, January 31, 2010 7:20:15 AM
Subject: Re: Allowing Access via 'users' when LDAP fails

On Thu, Jan 28, 2010 at 4:12 AM, Amaru Netapshaak <postfix_am...@yahoo.com> wrote:
>
> Hello,
>
> I've got FreeRADIUS querying an OpenLDAP server successfully. Users can log in
> and their appropriate VLAN information is returned and everything's great. Right
> now, if a user isn't found in the LDAP database, a reject is returned to the
> switch and the port goes offline. What I'd rather have is RADIUS reply with a
> standard response (if the LDAP auth fails).
>
> I tried to do this in the users file, by moving 'files' to below 'ldap' in
> sites-enabled/default and then creating a DEFAULT entry in users that returned
> the VLAN information I wanted, but then it didn't include other relevant info
> that the switch needs.
>
> Am I on the right track?

What are you hoping to achieve by trying to make freeradius return ACCEPT on all
users (CMIIW)?

If you want unregistered users to be able to use a special VLAN with limited
access, it's probably better to configure it on the switch side. Cisco has 802.1X
Authentication with Guest VLAN and Restricted VLAN/authentication failed VLAN.

--
Fajar


Fajar,

You are correct, and I do use dot1x now with a configured guest-vlan and
restricted-vlan. The problem is that the switch attempts to reauthenticate at
least once before dropping the port onto the restricted-vlan. That takes time.
And while it's happening, my clients don't get a DHCP address. I need a port to
come up IMMEDIATELY on the restricted-vlan, providing my clients with a
DHCP-assigned address, and then once they log in, their appropriate VLAN info is
found in LDAP via FreeRADIUS and then the switch assigns that port to the right
vlan.

I have everything working, except a way to bring the port up on a vlan
immediately and still have it dynamically controlled via dot1x. If I can get
FreeRADIUS to return an Access-Accept and a generic VLAN attribute (with a vlan
ID that matches my restricted vlan), then everything should work out. I hope!

Thanks for your reply!

+AMARU

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
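One way to get the behaviour Amaru is after (an Access-Accept carrying the restricted VLAN only when LDAP has no entry for the user, while LDAP users keep their own VLAN), written as an added example rather than configuration taken from the thread: an unlang fragment for the authorize section of sites-enabled/default in FreeRADIUS 2.x. The VLAN ID 300 is a placeholder for the restricted VLAN, and the surrounding module order is assumed, not copied from anyone's server.

```text
# sites-enabled/default, authorize section (FreeRADIUS 2.x unlang).
# Added example; VLAN ID 300 is a placeholder for the restricted VLAN.
authorize {
    preprocess

    # rlm_ldap returns "notfound" when User-Name has no LDAP entry.
    ldap

    if (notfound) {
        # Unknown user: accept without a password check and hand the
        # switch the RFC 3580 tunnel attributes for the restricted VLAN.
        update control {
            Auth-Type := Accept
        }
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "300"
        }
    }
    else {
        # Known user: LDAP has already supplied the VLAN reply attributes;
        # continue with the normal authentication path.
        files
        pap
    }
}
```

Because Auth-Type := Accept skips password checking, it must stay inside the notfound branch; a bare DEFAULT entry in users carrying the same attributes would override the LDAP result for every user once files runs after ldap, which is why the users-file approach in the thread misbehaves.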