Again, On Mon, Jan 5, 2015 at 8:17 PM, Marki <jm+freeradiususer@roth.lu> wrote:
In fact the switches correctly react to an Access-Accept or Access-Reject, but don't set the VLAN correctly without EAP.
I consider this a bug as there should be a separation of concerns here. It is totally unnecessary and a layering violation to couple to EAP.
In fact I have a call open with Cisco about this, and it would now be great if I had some strong arguments why using EAP here is just sick, or why some things only work with EAP while the rest also works out-of-the-box.
I don't have a problem with EAP being used for MAC auth. A NAS could, for example, use a fixed, constant username and password to perform MAC address authentication, only passing the MAC address in the Calling-Station-Id, instructing that this value should be authenticated using the Service-Type of Call-Check. This is useful as it means you can use a single directory account for MAC auth without having to mess around. I do want to see Cisco implement and support a fixed, constant username and password authentication for MAB in a future IOS release. (As an option.) If a Service-Type is missing, this is a bug where other authentication types are supported as it becomes awkward, hackish and potentially unreliable to discriminate between the type of service being used by a client. It becomes a broken NAS at this point. Nick