From: Alan Buxey <a.l.m.bu...@lboro.ac.uk>
To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Sent: Mon, February 1, 2010 9:51:42 AM
Subject: Re: Allowing Access via 'users' when LDAP fails

Hi,

> I'm using Cisco 3560G switches.  If a client currently doesn't send EAPOL
> packets to the switch, the 'guest vlan' works perfectly.
> 
> However, my clients ARE dot1x capable, and DO send EAPOL packets to the
> switch, and that makes the switchport stay unavailable for too long while
> the switch attempts to reauthenticate the client (takes about 65 seconds),
> by which time the end user's client didn't get an IP address and they
> cannot login to the AD.

adjust the switch timers then - the default timers will cause the effect
you have outlined... too long to fail through

> I just want a port to come up immediately on a guest/restricted type VLAN,
> allow the client to receive an IP address via DHCP, allow them to
> authenticate against the AD, and then be placed into the correct vlan (and
> have DHCP get a new IP address naturally)

how will they then authenticate against the AD after they are on this
restricted network? captive portal box? the supplicant won't do anything
after the first stage

you might want to read this guide:

http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf

this gives more info on timers/timeouts for each part.... simply reduce
a few timers like max-req and tx-period and you'll get guest-vlan fall-through
within a few seconds

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
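
As an added example (not part of Alan's message and not taken from the Cisco guide he links), here is a Catalyst 3560 interface configuration that spells out the IOS 802.1X timer defaults responsible for the slow fall-through, beside a second interface with the timers reduced. The interface names, VLAN numbers, RADIUS server address and the reduced timer values are placeholders and illustrative choices, not values recommended anywhere in the thread.

```cisco
! Global 802.1X / RADIUS setup (server address and key are placeholders)
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key <shared-secret>
dot1x system-auth-control

! --- Slow variant: the IOS defaults, written out explicitly ---
! A host that never answers EAP reaches the guest VLAN only after
! (max-reauth-req + 1) * tx-period = (2 + 1) * 30 s = 90 s.
! A host that DOES speak EAPOL but fails (RADIUS/LDAP down, bad creds)
! sits through auth-fail max-attempts (3) failures, each separated by
! the 60 s quiet-period, before it lands in the auth-fail VLAN.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 100
 dot1x auth-fail vlan 101
 dot1x timeout tx-period 30
 dot1x max-reauth-req 2
 dot1x max-req 2
 dot1x auth-fail max-attempts 3
 dot1x timeout quiet-period 60

! --- Fast fall-through variant (illustrative values) ---
! Guest VLAN after (1 + 1) * 5 s = 10 s; auth-fail VLAN after a single
! failed exchange plus a 5 s quiet period, so DHCP completes long before
! the client gives up on reaching the domain.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 dot1x guest-vlan 100
 dot1x auth-fail vlan 101
 dot1x timeout tx-period 5
 dot1x max-reauth-req 1
 dot1x max-req 1
 dot1x auth-fail max-attempts 1
 dot1x timeout quiet-period 5

! Verify the effective timers and the port's current authorization state
! (the "Guest-Vlan" / "Auth-Fail-Vlan" fields show where the port ended up)
do show dot1x interface GigabitEthernet0/2
```

Two things worth keeping in mind when shortening these timers. First, the guest VLAN is reached by any host that simply stays silent on EAPOL, so the faster the fall-through, the more important it is that the guest/restricted VLAN really is restricted (DHCP plus whatever is needed to reach the domain, nothing more). Second, as Alan notes, once the supplicant has been dropped into the guest or auth-fail VLAN it will not start a new EAP exchange on its own; the switch only retries on a reauthentication timer or a link flap, so the "authenticate from the restricted VLAN and then move" flow still needs something on the switch or client side to trigger that second attempt.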


Alan,

Thanks for your quick reply!  The plan was to have the guest/restricted VLAN
have permissions enough to allow the client to authenticate against my AD, and
then be assigned to the appropriate vlan, where full 'network rights' would be
granted.

I will check out that document right now.. sounds perfect.  Thanks!
+AMARU

