Hi, read manuals but i don't know how can i use mac based authentication. I used eap-tls and username/pass. It worked good. but when I not log on to the Windows server, I want to authenticate the computer, cos my server services have to reachable. pc try authenticate using name like host/PCNAME but i don't know what is a password... I think if i use mac address based auth., i don't need username/pass, simply enough a mac address. or is it a wrong idea? how can i set it to use just mac addresses to authentication?I want authenticate the hardware not the user(cos the user is not logged on). configuration: newest freeRadius, cisco switch, win xp thanks GH
Hegedus Gabor wrote:
read manuals but i don't know how can i use mac based authentication.
MAC based authentication is just configuring the server to accept the user if the MAC is known.
I used eap-tls and username/pass. It worked good. but when I not log on to the Windows server, I want to authenticate the computer, cos my server services have to reachable.
pc try authenticate using name like host/PCNAME but i don't know what is a password...
It's in the Active Directory database. Configure the server to do MS-CHAP, and it should work for machine authentication.
I think if i use mac address based auth., i don't need username/pass, simply enough a mac address.
or is it a wrong idea?
It might not work.
how can i set it to use just mac addresses to authentication?I want authenticate the hardware not the user(cos the user is not logged on).
Just return an Access-Accept if the MAC is OK... but that means the users won't be authenticated, either. Alan DeKok.
Alan DeKok wrote:
Hegedus Gabor wrote:
read manuals but i don't know how can i use mac based authentication.
MAC based authentication is just configuring the server to accept the user if the MAC is known.
I used eap-tls and username/pass. It worked good. but when I not log on to the Windows server, I want to authenticate the computer, cos my server services have to reachable.
pc try authenticate using name like host/PCNAME but i don't know what is a password...
It's in the Active Directory database. Configure the server to do MS-CHAP, and it should work for machine authentication.
I don't use AD the pc is not in domain (jet). my freeradius do ms-chap.
I think if i use mac address based auth., i don't need username/pass, simply enough a mac address.
or is it a wrong idea?
It might not work.
how can i set it to use just mac addresses to authentication?I want authenticate the hardware not the user(cos the user is not logged on).
Just return an Access-Accept if the MAC is OK... but that means the users won't be authenticated, either.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This is my problem, what can you suggest to me : I want use 802.1x port auth, although the machines are servers, and users logging in rarely. the machines will automaticly do the authentication(this is the goal), but how can i set the pass, cos i set the name of the pc and it will be sent, but the pass... This u/p seem better security than use just mac address. Gabor
This is my problem, what can you suggest to me : I want use 802.1x port auth, although the machines are servers, and users logging in rarely. the machines will automaticly do the authentication(this is the goal),
What is the Authenticator (NAS)? You should find in it's documentation how to set mac authentication before 802.1x.
but how can i set the pass, cos i set the name of the pc and it will be sent, but the pass... This u/p seem better security than use just mac address.
For that you need AD. It can be set manually using netdom resetpwd but only for machines in the domain. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
This is my problem, what can you suggest to me : I want use 802.1x port auth, although the machines are servers, and users logging in rarely. the machines will automaticly do the authentication(this is the goal),
What is the Authenticator (NAS)? You should find in it's documentation how to set mac authentication before 802.1x.
I have a cisco switch, and i still don't know support or not mac based auth. but i think not support with freeradius, i have to use something else. I'll write it to here.
but how can i set the pass, cos i set the name of the pc and it will be sent, but the pass... This u/p seem better security than use just mac address.
For that you need AD. It can be set manually using netdom resetpwd but only for machines in the domain.
I will try this way,it seems good escurity if i have password.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, now imho cisco switches don't support mac based authentication with freeRadius. Have any solutions for my problem?: i have server machines, if the power fails and returns, this server boot up, and the server services continues(nobody log in). I want 802.1x security on the network. I have a freeradius, and a cisco switch. My ideas: - freeradius get request (Host/pass + mac address) form server through switch. The fRadius use JUST mac address for authenticate this machine(username not = MAC). another idea: - when server boot up send host/pass + mac, and in the freeRadius chech hostname and pass and accept the request if equals. It is seems good but i don't know the password. what password does the server send? nothing? If i can set this password (once at all) it will be a good security. I have no more ideas...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 tnt@kalik.net wrote:
now imho cisco switches don't support mac based authentication with freeRadius.
They most certainly do. And when you study for your CCNA you will learn how.
Do they support Mac-Based Auth + 802.1X on the same port? As far as I was aware HP ProCurve were the only ones that supported this properly (and that's only been after a lot of tedious bug reports and shouting). Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkktQ4kACgkQcaklux5oVKI1zwCaAiYzahOHsPrxNIlbcVpZf+F6 0V0AoIee/fv7FGlb9pJ7wtL5EcNM9bx7 =w4Tj -----END PGP SIGNATURE-----
Arran Cudbard-Bell wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
tnt@kalik.net wrote:
now imho cisco switches don't support mac based authentication with freeRadius.
They most certainly do. And when you study for your CCNA you will learn how.
Do they support Mac-Based Auth + 802.1X on the same port? As far as I
Yes
was aware HP ProCurve were the only ones that supported this properly
No. Extreme X250/X450 and 3Com 4400.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Phil Mayers wrote:
Arran Cudbard-Bell wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
tnt@kalik.net wrote:
now imho cisco switches don't support mac based authentication with freeRadius.
They most certainly do. And when you study for your CCNA you will learn how.
Do they support Mac-Based Auth + 802.1X on the same port? As far as I
Yes
As in the port can dynamically transition between the two? I thought there was a caveat that Mac-Based auth would only work if the supplicant didn't respond to the Identity-Request or send an EAP-Start packet? and that if EAP based authentication failed the port would remain blocked?
was aware HP ProCurve were the only ones that supported this properly
No. Extreme X250/X450 and 3Com 4400.
Ok i'll check them out. Thanks, Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkktSMYACgkQcaklux5oVKJIuQCeLhwXhCGyy/ZVLqD1HBUyTrbs gTIAnjxKCRQocIRmZhatPuFC5dGBFnRl =kDKy -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
was aware HP ProCurve were the only ones that supported this properly No. Extreme X250/X450 and 3Com 4400.
They don't publish their manuals online ?! All I can find is a 'getting started guide' for the 3Com and nothing for the Extreme switches. Does anyone have an advanced security guide or equivalent for either of these switches they could mail me ? - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkktS3YACgkQcaklux5oVKIa+wCeOk0bh7xxN5UyxYz6a26U450o WDsAnRj55f4RZyz2xllmXLX7QrR4lZ+I =nmjy -----END PGP SIGNATURE-----
Arran Cudbard-Bell wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
was aware HP ProCurve were the only ones that supported this properly No. Extreme X250/X450 and 3Com 4400.
They don't publish their manuals online ?! All I can find is a 'getting started guide' for the 3Com and nothing for the Extreme switches.
http://www.extremenetworks.com/services/software-userguide.aspx You want the "XOS concepts guide", chapter 21 ("Network Login") The 4400 is end-of-sale, so I doubt you want to waste time researching them, but we have them and they work.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Phil Mayers wrote:
Arran Cudbard-Bell wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
was aware HP ProCurve were the only ones that supported this properly No. Extreme X250/X450 and 3Com 4400.
They don't publish their manuals online ?! All I can find is a 'getting started guide' for the 3Com and nothing for the Extreme switches.
http://www.extremenetworks.com/services/software-userguide.aspx
You want the "XOS concepts guide", chapter 21 ("Network Login")
The 4400 is end-of-sale, so I doubt you want to waste time researching them, but we have them and they work.
Thanks for that. It's still worth looking at how other vendors do it. - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkkta9kACgkQcaklux5oVKLh8ACeJ+Yunk0jeY9F/LIEWjfCdQGL h40AnjE5mF42uLHByQUsvSZwIDX231Q6 =Vxbt -----END PGP SIGNATURE-----
Arran Cudbard-Bell wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Phil Mayers wrote:
Arran Cudbard-Bell wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
was aware HP ProCurve were the only ones that supported this properly No. Extreme X250/X450 and 3Com 4400. They don't publish their manuals online ?! All I can find is a 'getting started guide' for the 3Com and nothing for the Extreme switches. http://www.extremenetworks.com/services/software-userguide.aspx
You want the "XOS concepts guide", chapter 21 ("Network Login")
The 4400 is end-of-sale, so I doubt you want to waste time researching them, but we have them and they work.
Thanks for that. It's still worth looking at how other vendors do it.
From your description of ProCurve, 3Com do it the same way - send EAP-Identity, if the 1st packet back is EAP, go into 802.1x mode, else do mac-auth. The 3Com's also have other weird modes where they'll do a PAP request with the MAC before the 802.1x, and you can AND or OR the results; AFACIT this is for people with crappy radius servers (e.g. IAS) who can't easily match on arbitrary fields.
On Wed, Nov 26, 2008 at 7:44 AM, Phil Mayers <p.mayers@imperial.ac.uk>wrote:
Arran Cudbard-Bell wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
tnt@kalik.net wrote:
now imho cisco switches don't support mac based authentication with
freeRadius.
They most certainly do. And when you study for your CCNA you will learn how.
Do they support Mac-Based Auth + 802.1X on the same port? As far as I
Yes
was aware HP ProCurve were the only ones that supported this properly
No. Extreme X250/X450 and 3Com 4400.
-
Foundry BigIron & GS series, too, at least. It's what we use everywhere.
Do they support Mac-Based Auth + 802.1X on the same port?
In a (very) weird way. It's not mac auth + 802.1x but mac auth *in* 802.1x (mac address is sent as user/pass - requires registry hacking on XP). And then you can re-authenticate with username/pass. There is also something called mac authentication bypass for 802.1x. If enabled switch will do mac auth if it doesn't get EAPOL packet from the supplicant. So, in a matter of speaking, you can have mac auth and (probably should say or - the idea is to be able to connect something that doesn't do 802.1x, like a network printer) 802.1x on the same port. Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Do they support Mac-Based Auth + 802.1X on the same port?
In a (very) weird way. It's not mac auth + 802.1x but mac auth *in* 802.1x (mac address is sent as user/pass - requires registry hacking on XP). And then you can re-authenticate with username/pass.
There is also something called mac authentication bypass for 802.1x. If enabled switch will do mac auth if it doesn't get EAPOL packet from the supplicant. So, in a matter of speaking, you can have mac auth and (probably should say or - the idea is to be able to connect something that doesn't do 802.1x, like a network printer) 802.1x on the same port.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
thanks everybody, yes, I find the mac auth bypass but it works just on some cisco devices, I will try this win hack cos it might be usable. and tell if i have solutions. Gabor
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 tnt@kalik.net wrote:
Do they support Mac-Based Auth + 802.1X on the same port?
In a (very) weird way. It's not mac auth + 802.1x but mac auth *in* 802.1x (mac address is sent as user/pass - requires registry hacking on XP). And then you can re-authenticate with username/pass.
There is also something called mac authentication bypass for 802.1x. If enabled switch will do mac auth if it doesn't get EAPOL packet from the supplicant. So, in a matter of speaking, you can have mac auth and (probably should say or - the idea is to be able to connect something that doesn't do 802.1x, like a network printer) 802.1x on the same port.
Yes that's how I thought it worked. I guess that's ok in some situations but it's really inflexible in others. HP ProCurve switches allow you to enable both methods of authentication together on the same port. It's a little weird how it operates, but it seems to work very well in most situations. When a device connects to the port the switch starts sending EAP Identity Request packets. If the device responds with an EAP Identity Response and successfully completes 802.1X based authentication, the port goes into an open state with the PVID set to the VLAN assigned in the Access-Accept packet. If the device does not respond to the Identity request (or fails 802.1X authentication) and starts sending non eapol frames to the port, the switch writes the src mac of the device into the User-Name field and sends a Access-Request packet to the RADIUS server. If the RADIUS server responds to the Access-Request with an Access-Accept packet and a VLAN assignment, the PVID is changed to that VLAN. If the server responds with an Access-Reject, the port either remains closed, or if you have an Unauth-Vid configured for Mac-Based auth the PVID is changed to that. If the port is in the unauth state or is authenticated via Mac-Based authentication, the switch will continue to send EAP Identity Requests. If at any point the device initiates 802.1X authentication and succeeds in authenticating, the PVID of the port will change to the one assigned in 802.1X authentication. If the device then sends an EAPOL-Logoff packet the switch will then attempt to re-authenticate the device using Mac-Based authentication. Arran - -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkktXH0ACgkQcaklux5oVKJQpQCfQi6mORqjWYIJm1vP2To8AnNJ CpAAnj9TejutfbwcxBnmETyyd2xwjIPz =qzzN -----END PGP SIGNATURE-----
Yes that's how I thought it worked. I guess that's ok in some situations but it's really inflexible in others.
HP ProCurve switches allow you to enable both methods of authentication together on the same port. It's a little weird how it operates, but it seems to work very well in most situations.
When a device connects to the port the switch starts sending EAP Identity Request packets. If the device responds with an EAP Identity Response and successfully completes 802.1X based authentication, the port goes into an open state with the PVID set to the VLAN assigned in the Access-Accept packet.
If the device does not respond to the Identity request (or fails 802.1X authentication) and starts sending non eapol frames to the port, the switch writes the src mac of the device into the User-Name field and sends a Access-Request packet to the RADIUS server. If the RADIUS server responds to the Access-Request with an Access-Accept packet and a VLAN assignment, the PVID is changed to that VLAN. If the server responds with an Access-Reject, the port either remains closed, or if you have an Unauth-Vid configured for Mac-Based auth the PVID is changed to that.
If the port is in the unauth state or is authenticated via Mac-Based authentication, the switch will continue to send EAP Identity Requests. If at any point the device initiates 802.1X authentication and succeeds in authenticating, the PVID of the port will change to the one assigned in 802.1X authentication.
If the device then sends an EAPOL-Logoff packet the switch will then attempt to re-authenticate the device using Mac-Based authentication.
I found the flowchart for Cisco: http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/1... Main difference is that it will not attempt mac auth if 802.1x fails. Ivan Kalik Kalik Informatika ISP
We did mac-based authentication on our campus resnet with about 5000 unique MAC addresses. We have dominantly foundry, and some cisco 3550s. Foundry switches work very good. Their dot1x feature sets are very good, they called multi-device port authentication. Cisco 3550 is ok, at lease we get the MAB working as we architected. You have to disable 802.1x in order to do MAB. There are some catches though. Sample cisco switch configuration aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius local dot1x system-auth-control interface FastEthernet0/3 description MAC-AuthC switchport access vlan 552 switchport mode access dot1x mac-auth-bypass dot1x critical dot1x pae authenticator dot1x port-control auto dot1x host-mode multi-host dot1x timeout tx-period 1 dot1x max-reauth-req 1 spanning-tree portfast spanning-tree bpduguard enable radius vlan instruction policy settings $RAD_REPLY{'Service-Type'} = "Framed-User"; $RAD_REPLY{'Tunnel-Type'} = "VLAN"; $RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802"; $RAD_REPLY{'Tunnel-Private-Group-Id'} = "YourVLANName"; There is one special troubleshooting guide for MAC address authentication, please make sure student computer does not have 802.1x authentication enabled on Ethernet network connection when student call and say the network report no or limited network connection. We found out that Windows XP and Windows Vista 802.1x authentication is not enabled by default, but we just want to double check to make sure the 802.1x authentication is disabled on Ethernet connection. How to check the 802.1x authentication is off? In windows XP, Start, Settings, Network Connections, right click Local Area Connection, select Properties, If you does not see an Authentication tab, 802.1x is not available thus not enabled. If the Authentication tab is available, please make sure "Enable IEEE 802.1x for this network" checkbox is not checked. More technical details regarding Windows 802.1x authentication for your information. In windows XP SP3 and Windows Vista, there is a service which is set to Manual and Stopped by default start->run->cmd services.msc service: dot2svc display name: wired autoconfig description: This service performs IEEE 802.1X authentication on Ethernet interfaces If you click right click the service and start the service, the Authentication tab will show up in your local area connection properties. Schilling On Wed, Nov 26, 2008 at 8:42 AM, <tnt@kalik.net> wrote:
Do they support Mac-Based Auth + 802.1X on the same port?
In a (very) weird way. It's not mac auth + 802.1x but mac auth *in* 802.1x (mac address is sent as user/pass - requires registry hacking on XP). And then you can re-authenticate with username/pass.
There is also something called mac authentication bypass for 802.1x. If enabled switch will do mac auth if it doesn't get EAPOL packet from the supplicant. So, in a matter of speaking, you can have mac auth and (probably should say or - the idea is to be able to connect something that doesn't do 802.1x, like a network printer) 802.1x on the same port.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (8)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Arran Cudbard-Bell -
Hegedus Gabor -
Phil Mayers -
schilling -
Stephen Bowman -
tnt@kalik.net