Hi,
> Hello,
> 
> so I would like to redirect my winxp authenticated to VLAN1 and if not
> authenticated, this client must be in vlan2
> 
> I got a switch cisco
> 
> so how to handle this with freeradius?


read the cisco docs on dealing with 802.1X.

you should never use VLAN1 for users - most would say you shouldn't use VLAN1
for anything on cisco kit - it's the default native vlan.


what you need to do is set the port on the switch to do 802.1X...then you can
either do the following


1) set the access vlan to X, then set the fail VLAN to Y and the guest VLAN to Y

or (my preferred way)

2) set the switch to use RADIUS return attributes for VLAN (and for session 
time etc)
and set the fail VLAN and guest VLAN to Y


where X is the access vlan for auth and Y is the chosen fail vlan


why do method 2? well, it's then easy/quick to change the VLAN returned to the
switch no matter where on campus/site/infrastructure - it's all done via
decisions made on the radius server.


the return attributes?


'Tunnel-Medium-Type' = "IEEE-802"
'Tunnel-Type' = "VLAN"
'Tunnel-Private-Group-Id' = "666"
'Session-Timeout' = "28800"
'Termination-Action' = "RADIUS-Request"

that would set the VLAN to be 666 with an 8 hour timeout.

these can be set via users file, SQL, perl, python etc. we use a PERL script in 
the post-auth section



alan
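
Added example, not part of the original post or of FreeRADIUS: a Python sketch of the decision logic a post-auth script could use to pick the VLAN per user group and emit the five reply attributes listed above. The group names, the GROUP_VLAN policy table and the function names are hypothetical; wiring the result into the RADIUS server is left out.

```python
# Added example, not from the original post. GROUP_VLAN, its group names,
# check_vlan() and build_reply() are hypothetical.
GROUP_VLAN = {"staff": 666, "students": 667}  # constructed sample policy
SESSION_TIMEOUT = 28800                       # 8 hours, as in the post


def check_vlan(vlan):
    """Return vlan if it is usable as a dynamically assigned user VLAN."""
    if isinstance(vlan, bool) or not isinstance(vlan, int):
        raise ValueError(f"VLAN id must be an integer, got {vlan!r}")
    if not 1 <= vlan <= 4094:  # 0 and 4095 are reserved by 802.1Q
        raise ValueError(f"VLAN id {vlan} is outside 1-4094")
    if vlan == 1:  # the post: never put users on the default native VLAN
        raise ValueError("refusing to assign users to VLAN 1")
    return vlan


def build_reply(group, policy=GROUP_VLAN):
    """Reply attributes, as (name, value) string pairs, for an authenticated user.

    A group with no policy entry gets no VLAN attributes, so the decision
    falls back to the VLAN configured on the switch port.
    """
    if group not in policy:
        return ()
    vlan = check_vlan(policy[group])
    return (
        ("Tunnel-Type", "VLAN"),
        ("Tunnel-Medium-Type", "IEEE-802"),
        ("Tunnel-Private-Group-Id", str(vlan)),
        ("Session-Timeout", str(SESSION_TIMEOUT)),
        ("Termination-Action", "RADIUS-Request"),
    )


if __name__ == "__main__":
    for name, value in build_reply("staff"):
        print(f"{name} = {value!r}")
```

A policy entry that maps a group to VLAN 1 or to an out-of-range id raises ValueError instead of being sent to the switch.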