MAC based auth

tnt at kalik.net
Wed Nov 26 17:08:17 CET 2008


>Yes that's how I thought it worked. I guess that's ok in some situations
>but it's really inflexible in others.
>
>HP ProCurve switches allow you to enable both methods of authentication
>together on the same port. It's a little weird how it operates, but it
>seems to work very well in most situations.
>
>When a device connects to the port the switch starts sending EAP
>Identity Request packets. If the device responds with an EAP Identity
>Response and successfully completes 802.1X based authentication, the
>port goes into an open state with the PVID set to the VLAN assigned in
>the Access-Accept packet.
>
>If the device does not respond to the Identity Request (or fails 802.1X
>authentication) and starts sending non-EAPOL frames to the port, the
>switch writes the source MAC of the device into the User-Name field and
>sends an Access-Request packet to the RADIUS server.
>If the RADIUS server responds to the Access-Request with an
>Access-Accept packet and a VLAN assignment, the PVID is changed to that
>VLAN. If the server responds with an Access-Reject, the port either
>remains closed, or if you have an Unauth-Vid configured for Mac-Based
>auth the PVID is changed to that.
>
>If the port is in the unauth state or is authenticated via Mac-Based
>authentication, the switch will continue to send EAP Identity Requests.
>If at any point the device initiates 802.1X authentication and succeeds
>in authenticating, the PVID of the port will change to the one assigned
>in 802.1X authentication.
>
>If the device then sends an EAPOL-Logoff packet, the switch will
>attempt to re-authenticate the device using Mac-Based authentication.
>

I found the flowchart for Cisco:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/122_25_see/configuration/guide/sw8021x.html#wp1170407

The main difference is that it will not attempt MAC auth if 802.1X fails.

Ivan Kalik
Kalik Informatika ISP
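The port behaviour described in the quoted message can be pinned down as a small state model. The following is an added example written for this page; it is not code from the post, from HP or from Cisco. It models one switch port that tries 802.1X first and falls back to MAC-based auth (User-Name = source MAC, VLAN from the Access-Accept, Unauth-Vid on reject, re-run of MAC auth after EAPOL-Logoff), plus a "cisco" mode for the single difference named in the thread: no MAC-auth fallback after a failed 802.1X attempt. The RADIUS policy table, the MAC addresses and the VLAN ids are constructed sample values.

```python
"""Port state model for combined 802.1X and MAC-based authentication.

Added example (not from the original post, HP or Cisco). Models the port
behaviour described in the thread; all policy entries, MACs and VLAN ids
are constructed values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed stand-in for the RADIUS server's authorisation data. Because the
# switch puts the client's source MAC into User-Name for MAC-based auth, one
# table keyed by User-Name serves both methods. The value is the VLAN returned
# in Access-Accept; a missing key means Access-Reject.
RADIUS_POLICY = {
    "alice": 10,                 # 802.1X identity -> staff VLAN
    "00:11:22:33:44:55": 20,     # known printer MAC -> printer VLAN
}


def radius_request(user_name: str) -> Tuple[str, Optional[int]]:
    """Simulated Access-Request: ("Access-Accept", vlan) or ("Access-Reject", None)."""
    vlan = RADIUS_POLICY.get(user_name)
    return ("Access-Accept", vlan) if vlan is not None else ("Access-Reject", None)


@dataclass
class SwitchPort:
    vendor: str = "hp"                 # "hp" (fallback allowed) or "cisco" (as stated in the thread)
    unauth_vid: Optional[int] = None   # HP Unauth-Vid: VLAN used after a MAC-auth reject
    state: str = "closed"              # closed | unauth | mac_auth | dot1x
    pvid: Optional[int] = None
    dot1x_failed: bool = False         # remembers a failed 802.1X attempt (matters in cisco mode)
    log: List[str] = field(default_factory=list)

    def _transition(self, state: str, pvid: Optional[int], why: str) -> None:
        self.state, self.pvid = state, pvid
        self.log.append(f"{why}: state={state} pvid={pvid}")

    def dot1x_authenticate(self, identity: str) -> None:
        """Supplicant answered an EAP Identity Request and ran 802.1X.

        The switch keeps sending Identity Requests while the port is not
        802.1X-authenticated, so this can happen in any state, including after
        a MAC-auth success; the 802.1X VLAN then replaces the MAC-auth VLAN.
        """
        result, vlan = radius_request(identity)
        if result == "Access-Accept":
            self.dot1x_failed = False
            self._transition("dot1x", vlan, f"802.1X accept for {identity}")
        else:
            self.dot1x_failed = True
            self.log.append(f"802.1X failed for {identity}")

    def non_eapol_frame(self, src_mac: str) -> None:
        """A data frame from a device that did not (successfully) complete 802.1X."""
        if self.state in ("dot1x", "mac_auth", "unauth"):
            return                            # port already decided; nothing to do
        if self.vendor == "cisco" and self.dot1x_failed:
            self._transition("closed", None, "cisco: 802.1X failed, no MAC-auth fallback")
            return
        self._mac_auth(src_mac)

    def _mac_auth(self, src_mac: str) -> None:
        # Switch sends an Access-Request with User-Name = source MAC of the device.
        result, vlan = radius_request(src_mac)
        if result == "Access-Accept":
            self._transition("mac_auth", vlan, f"MAC auth accept for {src_mac}")
        elif self.unauth_vid is not None:
            self._transition("unauth", self.unauth_vid, f"MAC auth reject for {src_mac}, Unauth-Vid")
        else:
            self._transition("closed", None, f"MAC auth reject for {src_mac}")

    def eapol_logoff(self, src_mac: str) -> None:
        """HP behaviour from the thread: after EAPOL-Logoff, retry MAC-based auth."""
        self.dot1x_failed = False
        self.log.append(f"EAPOL-Logoff from {src_mac}")
        self._mac_auth(src_mac)


def scenario_hp_printer_then_laptop() -> List[Optional[int]]:
    """Printer without a supplicant is MAC-authed, a laptop then does 802.1X on the
    same port (PVID follows the 802.1X VLAN), then logs off and lands in Unauth-Vid."""
    port = SwitchPort(vendor="hp", unauth_vid=99)
    port.non_eapol_frame("00:11:22:33:44:55")   # printer MAC -> VLAN 20
    pvids = [port.pvid]
    port.dot1x_authenticate("alice")            # 802.1X wins -> VLAN 10
    pvids.append(port.pvid)
    port.eapol_logoff("aa:bb:cc:dd:ee:ff")      # laptop MAC unknown -> Unauth-Vid 99
    pvids.append(port.pvid)
    return pvids


def fallback_after_dot1x_failure(vendor: str) -> Tuple[str, Optional[int]]:
    """Compare the two fallback policies after a failed 802.1X attempt."""
    port = SwitchPort(vendor=vendor)
    port.dot1x_authenticate("unknown-user")     # not in policy -> 802.1X fails
    port.non_eapol_frame("00:11:22:33:44:55")   # hp: MAC auth -> 20; cisco: stays closed
    return port.state, port.pvid


if __name__ == "__main__":
    print(scenario_hp_printer_then_laptop())
    for v in ("hp", "cisco"):
        print(v, fallback_after_dot1x_failure(v))
```

The `radius_request` stub stands in for the FreeRADIUS side; the point worth noticing is that a single User-Name lookup serves both methods, so a `users`-style policy that matches MAC-formatted names must not accidentally match (or be matched by) real user identities, and the Unauth-Vid path is where an unknown device ends up.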




More information about the Freeradius-Users mailing list