Hello everybody, Since my searches didn't work, I would have liked to know if it was possible to couple @mac authentication with the 802.1x protocol to assign dynamic vlan with freeradius? if so, would you have any research leads for freeradius version 3.0? Thank you in advance,
Yaël Rozanes <irozanes387@hotmail.fr>:
Since my searches didn't work, I would have liked to know if it was possible to couple @mac authentication with the 802.1x protocol to assign dynamic vlan with freeradius?
Generally what is done is to use just 802.1x authentication alone, and create rules based on the Calling-Station-Id attribute which will contain some rendition of your MAC address. Some switches allow you to also run MAC authentication, but it is only there to support clients that cannot do 802.1x and works just the same as without 802.1x (after a delay waiting to see no EAPOL frames.) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Generally what is done is to use just 802.1x authentication alone, and create rules based on the Calling-Station-Id attribute which will contain some rendition of your MAC address.
I think I understand what you recommend, for now I authenticate my supplicant with an id/mdp couple ( that I get on a Ldap server) in EAP-TTLS but I would have liked to do the same with only the mac address using for example a MySQL database If I understand correctly, you advise me to use another field of my ldap which would contain my @mac and to link it to the attribute "Calling-Station-Id"? Thanks for your anwser and excuse me for grammar errors, I'm still learning :D ________________________________ De : Freeradius-Users <freeradius-users-bounces+irozanes387=hotmail.fr@lists.freeradius.org> de la part de Brian Julin <BJulin@clarku.edu> Envoyé : mardi 20 mars 2018 16:59 À : freeradius-users@lists.freeradius.org Objet : Re: Dynamic Vlan with 802.1x and mac adress Yaël Rozanes <irozanes387@hotmail.fr>:
Since my searches didn't work, I would have liked to know if it was possible to couple @mac authentication with the 802.1x protocol to assign dynamic vlan with freeradius?
Generally what is done is to use just 802.1x authentication alone, and create rules based on the Calling-Station-Id attribute which will contain some rendition of your MAC address. Some switches allow you to also run MAC authentication, but it is only there to support clients that cannot do 802.1x and works just the same as without 802.1x (after a delay waiting to see no EAPOL frames.) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Support & Services<http://www.freeradius.org/list/users.html> www.freeradius.org The world's leading RADIUS server. The project includes a GPL AAA server, BSD licensed client and PAM and Apache modules. Full support is available from NetworkRADIUS. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yaël Rozanes <irozanes387@hotmail.fr>:
I think I understand what you recommend, for now I authenticate my supplicant with an id/mdp couple ( that I get on a Ldap server) in EAP-TTLS but I would have liked to do the same with only the mac address using for example a MySQL database
Ah, this is different than what I understood. If you are using EAP-TTLS to do this your supplicant will still have to do some sort of inner authentication. For example, you could use a hard-coded Clear-Text-Password on the FreeRADIUS side for all hosts and set your supplicants all to use that password, and then use the Calling-Station-Id for authentication and authorization decisions. This is fairly weak from a security standpoint, but doable. Normal practice is to use a real password and use the Calling-Station-Id only for authorization purposes.
If I understand correctly, you advise me to use another field of my ldap which would contain my @mac and to link it to the attribute "Calling-Station-Id"?
Should work, but you may have to write unlang statements to do what you want with the attribute. You would not necessarily want to map the LDAP attribute to Calling-Station-Id... that attribute should already be there in the request, provided by the NAS. Just grab the MAC from LDAP into any old attribute and compare them in unlang.
participants (2)
-
Brian Julin -
Yaël Rozanes