How possible is this???

Alan DeKok aland at
Thu Nov 20 16:38:44 CET 2008

Martin MacLeod-Brown wrote:
> My current thinking for our wired network is to add the MAC-addresses of
> all our desktop machines (2500 PC/laptops) into LDAP with the
> MAC-address being both the user name and password. 
> We would then try FreeRadius and MAC-Authentication - how feasible is
> this and are there any gotcha's?

  It's simple.  I would suggest the following.  Turn on MAC
authentication on the swithes, BUT configure FreeRADIUS to allow any
MAC.  Then, also make it log the MACs.

  After a week or so, add all of the MACs to the LDAP database, and
enable real MAC authentication.

> Import the Mac addresses into LDAP
> List the IP of all our edge switches in clients.conf
> Configure the shared secret
> Configure radiusd.conf to talk to the LDAP server - partially done
> Set up switches to query the radius server
> Are there any good how-to's on radius and mac-auth?

  Nope.  Just configure the username && password as the MAC address (if
that's what you see in the packet).

> We are looking to keep things as simple as possible so we can get used
> to using radius, before thinking about deploying 802.1x and I am
> desperate to avoid having to use IAS

  IAS has a lot fewer features than FreeRADIUS.

  Alan DeKok.

More information about the Freeradius-Users mailing list