MAC Authentication with FreeRadius

A.L.M.Buxey at lboro.ac.uk
Fri Feb 22 13:53:46 CET 2013


Hi,

>    Yes, of course I'll have to use a Radius server, and many forums say that
>    if you put the Mac address in both username and password, it will
>    authenticate if - in the switch - you use Mab... And that's exactly what I
>    tried to do, but it did not authenticate... Am I doing sth wrong?

you need to check the format that the requests come through as, basically
you need to just ACCEPT on that user-name

>    So correct me if I'm wrong : I'll have to uncomment the mac2vlan on vmps
>    file, add MAC-ADD,VLAN-NAME to mac2vlan, change the listening port to 1598
>    and the auth type to vmps on radiusd.conf, and that's that?
>    It's just that... I don't exactly see how dynamic vlan assignment works if
>    you only use a flat list, vmps only shows how to query the DB..

you don't need to change any listener etc in radiusd.conf - there is a VMPS
virtual-server you need to activate. THAT has the listening port.

if you want to use eg dynamic VLAN assignments then you need to do the clever stuff
in the database. in the same vmps virtual server you will see an 'example' in the
update reply{} section - commented out by default


#VMPS-VLAN-Name = "%{sql:select ... where mac='%{VMPS-Mac}'}"

so, if a MAC has been banned, you ensure its eg 'vlan' value is changed in your DB
so the query will return.


we don't use this method, instead we call a PERL module which has all of our logic/checks/bans
etc in it - this was originally migrated from openvmpsd (which was a good system but not multi-threaded
and couldn't handle eg simultaneous queries from 48 port switches... VMPS is dumb it just
updates ALL ports unlike MAB/802.1X which are on separate timers). when FR supported
VMPS I got very excited...and we migrated overnight

alan
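
Added example, not part of the original post and not FreeRADIUS code: a standalone Python sketch of the two points above, normalizing whatever MAC format the switch puts in User-Name and then looking it up in a flat "MAC,VLAN-NAME" list. The sample entries, VLAN names, function names and the "guest" default are all constructed for illustration.

```python
import re

# Constructed sample in the "MAC,VLAN-NAME" flat-list layout described in the thread.
SAMPLE_MAC2VLAN = """\
# blank lines and comments are skipped
00:11:22:33:44:55,staff
AA-BB-CC-DD-EE-FF,printers
0011.2233.4466,quarantine
"""

# Separator styles a switch may use for the MAC in a MAB User-Name:
# 001122334455, 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455
_MAC_FORMS = re.compile(
    r"[0-9a-f]{12}"
    r"|[0-9a-f]{2}([:-])[0-9a-f]{2}(?:\1[0-9a-f]{2}){4}"
    r"|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2}"
)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    v = value.strip().lower()
    if not _MAC_FORMS.fullmatch(v):
        return None
    return re.sub(r"[:.\-]", "", v)

def load_mac2vlan(text):
    """Parse the flat list into {normalized_mac: vlan}; malformed lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, sep, vlan = line.partition(",")
        key = normalize_mac(mac)
        if sep and key and vlan.strip():
            table[key] = vlan.strip()
    return table

def lookup_vlan(user_name, table, default=None):
    """Map a MAB User-Name to a VLAN name; unknown or malformed input gets default."""
    key = normalize_mac(user_name)
    return default if key is None else table.get(key, default)

if __name__ == "__main__":
    table = load_mac2vlan(SAMPLE_MAC2VLAN)
    for name in ("001122334455", "aabb.ccdd.eeff", "00-11-22-33-44-66", "bob"):
        print(name, "->", lookup_vlan(name, table, default="guest"))
```

Keying the table on one canonical form means the list and the switch do not have to agree on separators or case, which is the usual reason a MAC that is present in the list still fails to match.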


More information about the Freeradius-Users mailing list