----- Original Message ----
From:    [EMAIL PROTECTED]
To:      FreeRadius users mailing list <[email protected]>
Date:    23.05.2006 09:46
Subject: Re: VLAN-mapping by DEFAULT Entry fails

> Hi,
> 
> > I use a WindowsXP, EAP-Type MD5-challenge as supplicant and a Cisco
> > Catalyst Switch 3750 as authenticator and I want that user hugo will be
> > mapped in VLAN 50 on the switch. This works properly.
> > 
> > Every other user should be mapped in VLAN 999, my guest-vlan. I try this
> > with a DEFAULT-entry, but this does not work, the switch does not accept any
> > other user, in my case user nobody is unauthorized for my authenticator.
> 
> those who don't have dot1x supplicant wouldn't be able to be put onto this
> VLAN

I agree, we try to solve this problem with the new Cisco feature MAC
authentication bypass, e.g. for printers without dot1x supplicant.

> though as there would be no dot1x exchange...surely?
> 

Hm, but I have a dot1x supplicant and try an authentication with username and
password not listed in users file. In my case user nobody, password abc. I ask
myself how to deal with Default-entries and tell the switch the right
Tunnel-Private-Group-Id.

I wonder why the Default-entry says in the debug-output that everything is okay
and accepted

-------------------------snip----------------------------------------
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "999"
--------------------------snap------------------------------------------
but my switch ignores it
 
robert 

> surely using the built in guest VLAN facility of the switch itself
> is the best way to achieve this aim? 
> 
> eg in the interface configuration
> 
> dot1x guest-vlan 999
> 
> ?
> 

Yes, I agree. This works fine if there is no xsupplicant sending a dot1x answer
 
> alan
> - 
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
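
A check of the Access-Accept from the debug output in the message above, as an added example that is not part of the original thread: it parses FreeRADIUS debug text, confirms the three tunnel attributes used for VLAN assignment, and reports whether the reply carries an EAP-Message. That last check is an assumption about what an 802.1X authenticator needs to finish an EAP exchange, not something the thread establishes; the function names are hypothetical.

```python
import re

# Constructed sample: the Access-Accept lines quoted in the message above,
# embedded so the script runs offline.
SAMPLE = """\
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Sending Access-Accept of id 218 to 10.187.0.15 port 1645
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "999"
"""

SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port (\d+)")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)(?::\d+)?\s*=\s*(.+?)\s*$")

def parse_replies(debug_text):
    """Return [(packet_type, {attribute: value})] for each sent packet."""
    replies, current = [], None
    for line in debug_text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = (m.group(1), {})
            replies.append(current)
            continue
        a = ATTR_RE.match(line) if current else None
        if a:
            current[1][a.group(1)] = a.group(2).strip('"')
        else:
            current = None  # indented attribute list has ended
    return replies

def check_vlan_accept(attrs):
    """List problems with an Access-Accept meant to assign a VLAN."""
    problems = []
    if attrs.get("Tunnel-Type") not in ("VLAN", "13"):
        problems.append("Tunnel-Type is not VLAN (13)")
    if attrs.get("Tunnel-Medium-Type") not in ("IEEE-802", "6"):
        problems.append("Tunnel-Medium-Type is not IEEE-802 (6)")
    if not attrs.get("Tunnel-Private-Group-Id"):
        problems.append("Tunnel-Private-Group-Id is missing")
    # Assumption: a reply that ends an EAP exchange should carry an
    # EAP-Message (EAP-Success) for the authenticator to relay.
    if "EAP-Message" not in attrs:
        problems.append("no EAP-Message in reply")
    return problems

if __name__ == "__main__":
    for ptype, attrs in parse_replies(SAMPLE):
        print(ptype, attrs, check_vlan_accept(attrs))
```
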