<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=utf-8">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
color:black;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>MAC-Auth has its place, but I agree with
some others this isn’t the best fit. MAC spoofing = easy. User gets new NIC
or computer = often.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>“You” don’t need to do anything on the
client. How about you set a default VLAN with restrictions, a captive portal
of sorts. They don’t <b><span style='font-weight:bold'>need </span></b>to “login”,
but every DNS request lands them on a page that says: You’re not authenticated;
you need to follow the directions in this link. Have a how-to with pretty
pictures and stuff, I’m sure there are many already on the web. ACL on the
default “GUEST” VLAN restricts their IP access as you see fit.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>Bottom line, users can enable / configure
802.1x supplicant themselves with a little guidance. In the long run you’ll be
WAY better off with 802.1x. IMHO.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'>G<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=black face="Times New Roman"><span
style='font-size:12.0pt;color:black'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell.com@lists.freeradius.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Paulo Maia<br>
<b><span style='font-weight:bold'>Sent:</span></b> Thursday, July 07, 2011 4:10
PM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">FreeRadius
users mailing list</st1:PersonName><br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: Mac-Auth</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>I dont want to enable
802.1x auth in the clients coz i have over 3000 computers and i dont have AD to
set a gpo to set in all clients .... But i do have all
mac-addresses . I dont know if im going the wrong way here . <br>
<br>
Thanks ,<o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Thu, Jul 7, 2011 at 5:59 PM, Paulo Maia <<a
href="mailto:phc.maia@gmail.com">phc.maia@gmail.com</a>> wrote:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Ok guys thanks .<br>
One other question tough .... i have configured radius settings in the
switch (c2960g) with aaa-newmodel dot1x port-control auto and the requests are
getting to the radius server OK . But it keeps asking for user/pass auth and .
Is there a way to authenticate the mac-address without enable 802.1x in the
client computer ? <o:p></o:p></span></font></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Thu, Jul 7, 2011 at 4:19 PM, Alan Buxey <<a
href="mailto:A.L.M.Buxey@lboro.ac.uk" target="_blank">A.L.M.Buxey@lboro.ac.uk</a>>
wrote:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Hi,<o:p></o:p></span></font></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>> Hi Guys
,<br>
> Here is the thing , im trying to use Mac-Auth , I managed to
get working<br>
> using authorized-macs files , although i need to use a mysql
table� witch<br>
> i already have with the ssid and mac-address fields and i
need to add an<br>
> operator to expired macs , coz i work at a college campus and
students<br>
> mac-addresses need to expire acording to their course period
. Any ideas ?<br>
> Thanks in advance .<o:p></o:p></span></font></p>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>put MAC address in the radcheck table and set an Expiration. should
work a treat<br>
<br>
00-11-22-33-44-55 Expiration := "10 Jul 2011"<br>
<font color="#888888"><span style='color:#888888'><br>
<br>
alan</span></font><o:p></o:p></span></font></p>
<div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>-<br>
List info/subscribe/unsubscribe? See <a
href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><o:p></o:p></span></font></p>
</div>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<font size="1">
<div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 1.0pt 0in'>
</div>
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
If you are not the intended recipient, you are hereby notified that
any review, use, dissemination, disclosure or copying of this email
and its attachments, if any, is strictly prohibited. If you have
received this email in error, please immediately notify the sender by
return email and delete this email from your system."
</font>
</body>
</html>