Rudolph Bott wrote:
I have all the mac addresses (including the vlan attribute) in my users file. Can I just put in some user accounts as well and configure my switches to use the radius server for user authentication?
Yes.
How do I separate the management-users from my 'fake' mac-address-users? I don't wont anyone to login to my switches with his mac address :/
Look at the packets for the two kinds of requests. They will *look* different. Use those differences to create a policy that separates the two. Very often, the MAC auth requests have User-Password or CHAP-Password of the Mac address. Since the User-Name also looks like a MAC address, that's a pretty good way to tell them apart.
On top of that, I might also need a Radius server to authenticate wireless users against Active Directory but I'll probably use IAS here (unless its easy to add this feature to the existing freeradius setup as well).
It's trivial. Add a name/password to the "users" file. Start the server in debugging mode. PEAP will work.
Basically my question is: how can I separate user requests for different backends (mac-address-users-file, switch-users-file, active directory backend) on my radius server. Simply running 3 instances with different ports/configurations on the same server is probably not the way to go (is it?)
Nope.
But that actually leads to my next question: is there a way to avoid having cleartext passwords for my switch-users in the users file?
Sure. Put them in a database. Alan DeKok.