FreeRadius PAP authentication for Non-EAPOL clients on Avaya 5500 switch.

Adam Bishop Adam.Bishop at jisc.ac.uk
Sun Mar 1 22:37:53 CET 2015


On 1 Mar 2015, at 20:53, jan hugo prins <jhp at jhprins.org> wrote:
> Could you tell me a solution that works where I can integrate devices
> that don't do 802.1x in an environment where all ports need 802.1x?

There isn't one. The issue with using the MAC as a credential is that the credentials for getting on to your network are *literally* stuck to the side of the device for everyone to read (and can be sniffed in seconds using a tap).

It's worse than having open ports, as you end up believing that because you have dot1x on all edge ports you have better security, and it also costs you time and money to administer.

Put anything that can't do dot1x in an isolated part of the network and use something like PVLAN.

Thanks,

Adam Bishop

   gpg: 0x6609D460

jisc.ac.uk





More information about the Freeradius-Users mailing list