FreeRadius PAP authentication for Non-EAPOL clients on Avaya 5500 switch.
Phil Mayers
p.mayers at imperial.ac.uk
Mon Mar 2 14:14:56 CET 2015
On 02/03/15 10:37, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Put anything that can't do dot1x in an isolated part of the network and use something like PVLAN.
>
> or work in an enterprise environment and realise you can't just do things like that ;-)
Precisely.
Real networks - like real security - are full of compromise, ideally
based on an evaluation of cost-benefit.
Manually patching thousands of 802.1x-incapable devices to separate
switches, and manually maintaining the VLANs on those ports, is not a
sensible decision for most organisations.
The huge overhead this places on adds/moves/changes, the need to
purchase and maintain infrastructure, the cognitive costs involved in
dealing with separate infrastructure... the list goes on.
In an ideal world, we'd all be using 802.1x on the wired side, it would
be immune from a layer2 MITM attack, and it would be using a sensible
EAP method, which could provision and update credentials in-band.
In the real world, hardly any printers or SCADA devices do 802.1x,
wired-side 802.1x can be trivially MITM'd without MACsec, and the EAP
methods all suck.
So, people look at the situation and make the quite reasonable decision
to just use MAC "auth" and be done with it. And you know what? It works
pretty well for extended periods of time, and they conclude - quite
correctly - that the additional cost of wired 802.1x provides little
additional benefit.
It's not like we're all doing authenticated DHCP - so we're all doing
"mac auth" in some form....