> And finally, can you say that when a dumb user plugs in the wrong VLAN,
> like an admin VLAN, I cannot deny him or put him automatically in the
> right VLAN with radius?
>
If he can plug into a switch and get access to the admin VLAN, it's the network admin that is dumb, not the user. If your switch supports dynamic VLAN assignment via radius and you are using port authentication it shouldn't be possible (if your switch doesn't support this - this talk is pointless).

1. Why is the default VLAN (1) enabled on your ports? You are just asking for trouble doing that.

2. A user can't just "plug into the admin VLAN". If the admin unplugs, even without logging off, the switch should terminate the session and return the port to its default state.

3. If your switch supports dynamic VLAN assignment via radius it should respect the VLAN info sent in Access-Accept. If your user ends up in a different VLAN you have set your switch wrongly. In many cases you can't send an arbitrary VLAN id - it has to be defined on the switch already. You should consult your switch documentation about proper VLAN setup.

It seems that you don't understand how switch and port based authentication works. There is no point in checking VLAN info in the request. Just send VLAN info in the reply - it will (if hardware is set up properly) override it.

Ivan Kalik
Kalik Inf
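The VLAN info carried in an Access-Accept, as an added example that is not part of the original message and is not FreeRADIUS code: it encodes the three tunnel attributes of RFC 2868 / RFC 3580 and parses them back the way an authenticating switch would. The function names and the sample set of switch-defined VLANs are assumptions made for the illustration.

```python
import struct

# Attribute numbers and values from RFC 2868 and RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6


def vlan_reply_attributes(vlan_id, switch_vlans, tag=0):
    """Encode the three Access-Accept attributes that assign vlan_id."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be in 1..4094")
    if vlan_id not in switch_vlans:
        # Many switches only honour VLANs that are already defined on them.
        raise ValueError(f"VLAN {vlan_id} is not defined on the switch")
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..31")
    group = str(vlan_id).encode("ascii")   # RFC 3580: id is sent as a string
    if tag:
        group = bytes([tag]) + group        # optional leading tag octet
    return (
        struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TYPE_VLAN.to_bytes(3, "big")
        + struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag)
        + MEDIUM_IEEE_802.to_bytes(3, "big")
        + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group
    )


def assigned_vlan(attributes):
    """Parse reply attributes as an authenticator would; None if no VLAN."""
    seen, pos = {}, 0
    while pos + 2 <= len(attributes):
        attr, length = attributes[pos], attributes[pos + 1]
        if length < 3 or pos + length > len(attributes):
            raise ValueError("malformed attribute")
        value = attributes[pos + 2:pos + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            seen[attr] = int.from_bytes(value[1:], "big")  # skip tag octet
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if value[0] <= 0x1F:                           # leading tag octet
                value = value[1:]
            seen[attr] = int(value.decode("ascii"))
        pos += length
    if (seen.get(TUNNEL_TYPE) != TYPE_VLAN
            or seen.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802):
        return None
    return seen.get(TUNNEL_PRIVATE_GROUP_ID)


# Constructed sample: the switch has VLANs 10, 20 and 99 defined.
SWITCH_VLANS = {10, 20, 99}
REPLY = vlan_reply_attributes(20, SWITCH_VLANS)
```

Nothing here depends on which port or VLAN the request arrived on: the port's VLAN comes only from the reply attributes.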

