We did MAC-based authentication on our campus resnet with about 5000 unique MAC addresses. We have dominantly Foundry, and some Cisco 3550s. Foundry switches work very well. Their dot1x feature sets are very good; they call it multi-device port authentication. <br>
<br><br>Cisco 3550 is OK, at least we get the MAB working as we architected. You have to disable 802.1x in order to do MAB. There are some catches though. <br><br>Sample Cisco switch configuration<br><br>aaa new-model<br>
<br>aaa authentication dot1x default group radius<br>aaa authorization network default group radius local<br>dot1x system-auth-control<br><br>interface FastEthernet0/3<br> description MAC-AuthC<br> switchport access vlan 552<br>
 switchport mode access<br> dot1x mac-auth-bypass<br> dot1x critical<br> dot1x pae authenticator<br> dot1x port-control auto<br> dot1x host-mode multi-host<br> dot1x timeout tx-period 1<br> dot1x max-reauth-req 1<br> spanning-tree portfast<br>
 spanning-tree bpduguard enable<br><br><br>RADIUS VLAN instruction policy settings<br> $RAD_REPLY{'Service-Type'} = "Framed-User";<br> $RAD_REPLY{'Tunnel-Type'} = "VLAN";<br>
 $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";<br> $RAD_REPLY{'Tunnel-Private-Group-Id'} = "YourVLANName";<br><br><br>There is one special troubleshooting guide for MAC address authentication: please make sure the student's computer does not have 802.1x authentication enabled on the Ethernet network connection when a student calls and says the network reports no or limited network connection. We found out that Windows XP and Windows Vista 802.1x authentication is not enabled by default, but we just want to double-check to make sure that 802.1x authentication is disabled on the Ethernet connection.<br>
<br>How to check that 802.1x authentication is off:<br>In Windows XP: Start, Settings, Network Connections, right-click Local Area Connection, select Properties. If you do not see an Authentication tab, 802.1x is not available and thus not enabled. If the Authentication tab is available, please make sure the "Enable IEEE 802.1x for this network" checkbox is not checked.<br>
<br><br>More technical details regarding Windows 802.1x authentication, for your information.<br>In Windows XP SP3 and Windows Vista, there is a service which is set to Manual and Stopped by default:<br>Start -> Run -> cmd<br>
services.msc<br>Service: dot3svc<br>Display name: Wired AutoConfig<br>Description: This service performs IEEE 802.1X authentication on Ethernet interfaces<br>If you right-click the service and start it, the Authentication tab will show up in your Local Area Connection properties.<br>
<br><br>Schilling<br><br><div class="gmail_quote">On Wed, Nov 26, 2008 at 8:42 AM, <span dir="ltr">&lt;<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">>Do they support Mac-Based Auth + 802.1X on the same port?<br>
<br>
</div>In a (very) weird way. It's not MAC auth + 802.1x but MAC auth *in*<br>
802.1x (the MAC address is sent as user/pass - requires registry hacking on<br>
XP). And then you can re-authenticate with username/pass.<br>
<br>
There is also something called MAC authentication bypass for 802.1x. If<br>
enabled, the switch will do MAC auth if it doesn't get an EAPOL packet from the<br>
supplicant. So, in a manner of speaking, you can have MAC auth and<br>
(probably should say or - the idea is to be able to connect something<br>
that doesn't do 802.1x, like a network printer) 802.1x on the same port.<br>
<div class="Ih2E3d"><br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
-<br>
</div><div><div></div><div class="Wj3C7c">List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</div></div></blockquote></div><br>
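A fuller version of the rlm_perl VLAN policy sketched in Schilling's message, as an added example rather than code from the original post: it normalizes the MAC from whichever attribute the switch sends it in, looks it up in a constructed registration table, and returns the same Tunnel attributes the post shows. The table contents, the Calling-Station-Id fallback and the Auth-Type Accept shortcut are assumptions, not something the post states.

```perl
# Assumed rlm_perl MAB policy (added example, not the post's own code):
# map a registered MAC to a VLAN, reject anything unregistered.
use strict;
use warnings;

# Return codes as rlm_perl defines them (same values as FreeRADIUS's example.pl).
use constant { RLM_MODULE_REJECT => 0, RLM_MODULE_UPDATED => 8 };

# Hashes rlm_perl fills before calling authorize() and reads back afterwards.
our (%RAD_REQUEST, %RAD_REPLY, %RAD_CHECK);

# Constructed registration table: normalized MAC -> VLAN name (real resnet: the registration DB).
my %REGISTERED = (
    '0011aabbccdd' => 'ResNet-Students',
    '00259c112233' => 'ResNet-Printers',
);

# Cisco MAB typically sends the MAC as "0011aabbccdd" in User-Name and as
# "00-11-AA-BB-CC-DD" in Calling-Station-Id; other vendors use dots or colons.
# Reduce any form to 12 lowercase hex digits, or undef when the value is not a MAC.
sub normalize_mac {
    my ($raw) = @_;
    return undef unless defined $raw;
    (my $hex = lc $raw) =~ s/[^0-9a-f]//g;
    return $hex =~ /^[0-9a-f]{12}$/ ? $hex : undef;
}

# VLAN for a MAC in any format, or undef if the host is not registered.
sub vlan_for_mac {
    my $mac = normalize_mac($_[0]);
    return defined $mac ? $REGISTERED{$mac} : undef;
}

# authorize(): FreeRADIUS calls this for every Access-Request from the switch.
sub authorize {
    my $vlan = vlan_for_mac($RAD_REQUEST{'Calling-Station-Id'});
    $vlan = vlan_for_mac($RAD_REQUEST{'User-Name'}) unless defined $vlan;
    return RLM_MODULE_REJECT unless defined $vlan;   # unregistered host: no port access
    # Same reply attributes as the post's policy; the switch moves the port to $vlan.
    $RAD_REPLY{'Service-Type'}            = 'Framed-User';
    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    # MAB carries no real credential (Cisco sends the MAC as the password too), so
    # accept once the MAC is known instead of running a password check (assumption).
    $RAD_CHECK{'Auth-Type'} = 'Accept';
    return RLM_MODULE_UPDATED;
}
1;
```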