From: Alan Buxey <a.l.m.bu...@lboro.ac.uk>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Sun, January 31, 2010 12:16:17 PM
Subject: Re: Allowing Access via 'users' when LDAP fails

Hi,

what switches? with Cisco you can use various fallthroughs - and you can ensure that even the non 802.1X clients are catered for.... MAB will allow you to send a request to the RADIUS server and then it's your policy that matters.. e.g. any MAC address returns an ACCEPT but with a VLAN attribute. the switch then puts the client on the correct, limited network.... or you can use guest-vlan or fail vlan methods on the switch too...

..are you going via the route of 'if not known, then get a network that sends them to a web portal with instructions, install program etc' - or are you dealing with these people individually?

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

----------------------------------------

Alan,

I'm using Cisco 3560G switches. If a client currently doesn't send EAPOL packets to the switch, the 'guest vlan' works perfectly. However, my clients ARE dot1x capable, and DO send EAPOL packets to the switch, and that makes the switchport stay unavailable for too long while the switch attempts to reauthenticate the client (takes about 65 seconds), by which time the end user's client didn't get an IP address and they cannot log in to the AD.

I just want a port to come up immediately on a guest/restricted type VLAN, allow the client to receive an IP address via DHCP, allow them to authenticate against the AD, and then be placed into the correct VLAN (and have DHCP get a new IP address naturally).

The Cisco guest-vlan or restricted-vlan or fallback vlan or whatever it is, works.. it just takes too dang long! My end users aren't going to just sit at their desktops for two or three minutes staring at the logon window before attempting a login.

Can you share with me a sample configuration of how I can accomplish this in IOS? I swear I've been toying with various configuration settings for days now.

Thanks!

AMARU
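The MAB policy described in the quoted message ("any MAC address returns an ACCEPT but with a VLAN attribute"), combined with the thread subject's backend-failure case, as an added example that is not part of the original thread and is not FreeRADIUS code. The VLAN ids, the MAC inventory and all function names are assumptions made for illustration; the reply attributes are the RFC 3580 VLAN assignment attributes.

```python
import re

# Constructed sample data: VLAN ids and the device inventory are assumptions.
RESTRICTED_VLAN = "999"
KNOWN_DEVICES = {"001122aabbcc": "10"}  # normalized MAC -> production VLAN


class DirectoryUnavailable(Exception):
    """Raised by a lookup when its backend (e.g. LDAP) cannot be reached."""


def normalize_mac(value):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    candidate = re.sub(r"[:.\-]", "", value.strip().lower())
    return candidate if re.fullmatch(r"[0-9a-f]{12}", candidate) else None


def vlan_reply(vlan_id):
    """Access-Accept carrying the RFC 3580 VLAN assignment attributes."""
    return {
        "code": "Access-Accept",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan_id,
    }


def mab_policy(user_name, lookup):
    """Decide the reply for a MAB request whose User-Name is the client MAC."""
    mac = normalize_mac(user_name)
    if mac is None:
        return {"code": "Access-Reject"}  # not a MAC, so not a MAB request
    try:
        vlan = lookup(mac)
    except DirectoryUnavailable:
        vlan = None  # backend down: fall back, never fail open to production
    # Unknown device or failed lookup both land on the limited network.
    return vlan_reply(vlan if vlan else RESTRICTED_VLAN)


def inventory_lookup(mac):
    """Hypothetical stand-in for a working directory query."""
    return KNOWN_DEVICES.get(mac)


def broken_lookup(mac):
    """Hypothetical stand-in for a directory that is unreachable."""
    raise DirectoryUnavailable("LDAP timeout")
```

A backend outage and an unknown MAC produce the same restricted-VLAN accept, so a directory failure never places a device on a production VLAN.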