Louis Arsenault wrote:
I have a managed network switch that support MAC authentication and will send requests to Radius. The issue is I do not wish to keep a list of customer device MAC addresses for authentication. I would like to enforce activation by port.
My first attempt was changing the username & password to something standardized like "<NAS-IP>-<NAS-Port-ID>" & "somesecurepassword"
Did that match the user name && password in the RADIUS packet? If not, it's not going to work.
When I did this though I think EAP failed with the user-name did not match what was on the original request.
Saying "I think..." is bad practice. Computers are exact. Find out EXACTLY what's going on. And go back to read what you wrote. MAC authentication and EAP? Those are different things. What is REALLY happening?
What I am looking for is what the best way to approach this scenario is. The 2 options I can think of is try writing a custom sql module that way I do not need to play with the User-Name Password or proxy the request and then authenticate it that way the names don't get fudged on the original request.
*IF* the packets contain EAP and you want to authenticate devices by NAS IP/port... it's impossible. Don't even bother trying. It won't work. If you're not doing EAP, that's another question. So... what's really going on? MAC auth? EAP? ....? Alan DeKok.