Between the MAC Authentication Bypass and 802.1x, how do you force the port to reauthenticate?
Schilling

On Mon, Feb 1, 2010 at 11:12 AM, Amaru Netapshaak <postfix_am...@yahoo.com> wrote:
>
> ________________________________
> From: Alan Buxey <a.l.m.bu...@lboro.ac.uk>
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Sent: Mon, February 1, 2010 9:51:42 AM
> Subject: Re: Allowing Access via 'users' when LDAP fails
>
> Hi,
>
>> I'm using Cisco 3560G switches. If a client currently doesn't send EAPOL
>> packets to the switch, the 'guest vlan' works perfectly.
>>
>> However, my clients ARE dot1x capable, and DO send EAPOL packets to the
>> switch, and that makes the switchport stay unavailable for too long while
>> the switch attempts to reauthenticate the client (takes about 65 seconds),
>> by which time the end user's client didn't get an IP address and they
>> cannot log in to the AD.
>
> adjust the switch timers then - the default timers will cause the effect
> you have outlined...too long to fail-through
>
>> I just want a port to come up immediately on a guest/restricted type VLAN,
>> allow the client to receive an IP address via DHCP, allow them to
>> authenticate against the AD, and then be placed into the correct vlan (and
>> have DHCP get a new IP address naturally)
>
> how will they then authenticate against the AD after they are on this
> restricted network? captive portal box? the supplicant won't do anything
> after the first stage
>
> you might want to read this guide:
>
> http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
>
> this gives more info on timers/timeouts for each part.... simply reduce
> a few timers like max-req and tx-period and you'll get guest-vlan
> fall-through within a few seconds
>
> alan
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> Alan,
>
> Thanks for your quick reply! The plan was to have the guest/restricted
> VLAN have permissions enough to allow the client to authenticate against
> my AD, and then be assigned to the appropriate vlan, where full 'network
> rights' would be granted.
>
> I will check out that document right now.. sounds perfect. Thanks!
> +AMARU
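As an added illustration that is not part of the thread, here is a Cisco IOS interface configuration for a 3560-class switch showing the timers Alan mentions (tx-period, max-req) shortened so that a port whose supplicant fails or stops answering falls through to the guest VLAN quickly, plus periodic and on-demand reauthentication so a client that later authenticates is moved off the guest VLAN. The interface name and VLAN 999 are placeholders.

```cisco
! Added example, not from the thread. Interface name and VLAN 999 are placeholders.
! IOS defaults: dot1x timeout tx-period 30 (seconds), dot1x max-req 2. With those
! values a supplicant that sends EAPOL but cannot authenticate keeps the port
! unusable for well over a minute before guest-VLAN fall-through.
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control auto
 ! Restricted VLAN for clients that fail or do not complete 802.1x. Limit it to
 ! DHCP and whatever is needed to reach the AD, nothing more.
 dot1x guest-vlan 999
 ! Also allow MAC Authentication Bypass for devices without a supplicant.
 dot1x mac-auth-bypass
 ! Shortened timers: retransmit EAP-Request every 5 s instead of 30 s and give up
 ! after 2 retries, so fall-through happens within seconds rather than ~65 s.
 dot1x timeout tx-period 5
 dot1x max-req 2
 dot1x max-reauth-req 2
 ! Periodic reauthentication: a client now on the guest VLAN that can pass
 ! 802.1x later is re-evaluated and moved to its assigned VLAN.
 dot1x reauthentication
 dot1x timeout reauth-period 300
!
! To force an immediate reauthentication of the port without waiting for the
! timer, from privileged EXEC:
!   dot1x re-authenticate interface GigabitEthernet0/1
```

Shorter timers trade EAP robustness on slow supplicants for faster fall-through, so keep tx-period above the round-trip a legitimate supplicant needs to respond.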