MAC based auth

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Nov 26 16:21:56 CET 2008



tnt at kalik.net wrote:
>> Do they support Mac-Based Auth + 802.1X on the same port?
>
> In a (very) weird way. It's not mac auth + 802.1x but mac auth *in*
> 802.1x (mac address is sent as user/pass - requires registry hacking on
> XP). And then you can re-authenticate with username/pass.
>
> There is also something called MAC authentication bypass for 802.1X. If
> enabled, the switch will do MAC auth if it doesn't get an EAPOL packet from the
> supplicant. So, in a manner of speaking, you can have MAC auth and
> (probably should say or - the idea is to be able to connect something
> that doesn't do 802.1X, like a network printer) 802.1X on the same port.
>

Yes, that's how I thought it worked. I guess that's OK in some situations,
but it's really inflexible in others.

HP ProCurve switches allow you to enable both methods of authentication
together on the same port. It's a little weird how it operates, but it
seems to work very well in most situations.

When a device connects to the port the switch starts sending EAP
Identity Request packets. If the device responds with an EAP Identity
Response and successfully completes 802.1X based authentication, the
port goes into an open state with the PVID set to the VLAN assigned in
the Access-Accept packet.

If the device does not respond to the Identity Request (or fails 802.1X
authentication) and starts sending non-EAPOL frames to the port, the
switch writes the source MAC of the device into the User-Name field and
sends an Access-Request packet to the RADIUS server.
If the RADIUS server responds to the Access-Request with an
Access-Accept packet and a VLAN assignment, the PVID is changed to that
VLAN. If the server responds with an Access-Reject, the port either
remains closed, or if you have an Unauth-Vid configured for Mac-Based
auth the PVID is changed to that.

If the port is in the unauth state or is authenticated via Mac-Based
authentication, the switch will continue to send EAP Identity Requests.
If at any point the device initiates 802.1X authentication and succeeds
in authenticating, the PVID of the port will change to the one assigned
in 802.1X authentication.

If the device then sends an EAPOL-Logoff packet, the switch will
attempt to re-authenticate the device using Mac-Based authentication.

Arran

--
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
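The ProCurve port behaviour described in the message above, modelled as a small state machine so the PVID transitions can be traced. This is an added example, not code from the list post or from HP; the MAC/user tables, the Unauth-Vid value, and the rule that a rejected MAC gets no second attempt until the port resets are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed RADIUS "database": MAC-based entries keyed by source MAC and
# 802.1X users keyed by username. Values are the VLAN returned in Access-Accept.
MAC_VLANS = {"00:11:22:33:44:55": 30}          # a printer that never speaks EAPOL
USER_VLANS = {"alice": ("secret", 10)}          # username -> (password, VLAN)
UNAUTH_VID: Optional[int] = 999                 # assumed Unauth-Vid for MAC-based auth; None = stay closed

def radius_request(user_name: str, password: Optional[str], log: List[str]) -> Optional[int]:
    """Model the RADIUS exchange: VLAN from Access-Accept, or None on Access-Reject."""
    if password is None:                        # MAC-based: User-Name carries the source MAC
        vlan = MAC_VLANS.get(user_name)
    else:
        creds = USER_VLANS.get(user_name)
        vlan = creds[1] if creds and creds[0] == password else None
    log.append(f"Access-Request User-Name={user_name} -> "
               + (f"Access-Accept VLAN {vlan}" if vlan is not None else "Access-Reject"))
    return vlan

@dataclass
class Port:
    state: str = "closed"                       # closed | unauth | mac-auth | dot1x
    pvid: Optional[int] = None
    log: List[str] = field(default_factory=list)

    def eap_identity_response(self, user: str, password: str) -> None:
        """Device answered the EAP Identity Request and ran 802.1X; success overrides MAC-based state."""
        vlan = radius_request(user, password, self.log)
        if vlan is not None:
            self.state, self.pvid = "dot1x", vlan
        # on failure the port keeps its current state; non-EAPOL frames can still trigger MAC auth

    def non_eapol_frame(self, src_mac: str) -> None:
        """Device ignored Identity Requests (or failed 802.1X) and sent ordinary frames."""
        if self.state != "closed":
            return                              # assumption: no new MAC attempt until the port resets
        vlan = radius_request(src_mac, None, self.log)
        if vlan is not None:
            self.state, self.pvid = "mac-auth", vlan
        elif UNAUTH_VID is not None:
            self.state, self.pvid = "unauth", UNAUTH_VID

    def eapol_logoff(self, src_mac: str) -> None:
        """After EAPOL-Logoff the switch falls back to MAC-based authentication for the device."""
        if self.state == "dot1x":
            self.state, self.pvid = "closed", None
            self.non_eapol_frame(src_mac)
```

Each Port's `log` lists the Access-Request/Access-Accept exchanges the switch would have sent, which is the sequence you would expect to see in the RADIUS server's detail log for that port.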
