FreeRadius PAP authentication for Non-EAPOL clients on Avaya 5500 switch.
p.mayers at imperial.ac.uk
Mon Mar 2 14:14:56 CET 2015
On 02/03/15 10:37, A.L.M.Buxey at lboro.ac.uk wrote:
>> Put anything that can't do dot1x in an isolated part of the network and use something like PVLAN.
> or work in an enterprise environment and realise you cant just do things like that ;-)
Real networks - like real security - are full of compromise, ideally
based on an evaluation of cost-benefit.
Manually patching thousands of 802.1x-incapable devices to separate
switches, and manually maintaining the VLANs on those ports, is not a
sensible decision for most organisations.
The huge overhead this places on adds/moves/changes, the need to
purchase and maintain infrastructure, the cognitive costs involved in
dealing with separate infrastructure... the list goes on.
In an ideal world, we'd all be using 802.1x on the wired side, it would
be immune from a layer2 MITM attack, and it would be using a sensible
EAP method, which could provision and update credentials in-band.
In the real world, hardly any printers or SCADA devices do 802.1x,
wired-side 802.1x can be trivially MITM without MACSEC, and the EAP
method all suck.
So, people look at the situation and make the quite reasonable decision
to just use MAC "auth" and be done with it. And you know what? It works
pretty well for extended periods of time, and they conclude - quite
correctly - that the additional cost of wired 802.1x provides little
It's not like we're all doing authenticated DHCP - so we're all doing
"mac auth" in some form....
More information about the Freeradius-Users