Re: Allowing Access via 'users' when LDAP fails

Sun, 31 Jan 2010 07:19:27 -0800 




________________________________
From: Fajar A. Nugraha <fa...@fajar.net>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Sun, January 31, 2010 7:20:15 AM
Subject: Re: Allowing Access via 'users' when LDAP fails

On Thu, Jan 28, 2010 at 4:12 AM, Amaru Netapshaak
<postfix_am...@yahoo.com> wrote:
>
> Hello,
>
> I've got FreeRADIUS querying an OpenLDAP server successfully. Users can login 
> and
> their appropriate VLAN information is returned and everythings great.  Right 
> now, if a user
> isnt found in the LDAP database, a reject is returned to the switch and the 
> port goes
> offline. What I'd rather have,is RADIUS reply with a standard response (if 
> the LDAP
> auth fails).
>
> I tried to do this in the users file, by moving 'files' to below 'ldap' in 
> sites-enabled/default
> and then creating a DEFAULT entry in users that returned the VLAN information 
> I wanted,
> but then it didnt include other relevant info that the switch needs.
>
> Am I on the right track?

What are you hoping to achieve by trying to make freeradius returns
ACCEPT on all users (CMIIW)?

If you want unregistered users to be able to use a special VLAN with
limited access, it's probably better to configure it in switch side.
Cisco has 802.1X Authentication with Guest VLAN and Restricted
VLAN/authentication failed VLAN.

-- 
Fajar


Fajar,

You are correct, and I do use dot1x now with a configured guest-vlan and 
restricted-vlan. 
The problem is that the switch attempts to reauthenticate at least once before 
dropping the port
onto the restricted-vlan. That takes time.  And while its happening, my clients 
don't get a DHCP
address.  I need a port to come up IMMEDIATELY on the restricted-vlan, 
providing my clients with
a DHCP-assigned address, and then once they log in, their appropriate VLAN info 
is found in LDAP via
FreeRADIUS and then the switch assigns that port to the right vlan.  I have 
everything working, except
a way to bring the port up on a vlan immediately and still have it dynamically 
controlled via dot1x. 

If I can get FreeRADIUS to return an Access-Accept and a generic VLAN attribute 
(with a vlan ID that
matches my restriced vlan), then  everything should work out.  I hope!

Thanks for your reply!

+AMARU


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



      
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





















					Reply via email to