Hello, I am trying to find some info on authentication ordering. Is it the client(switch or wireless controller) that defines the authentication ordering or is it the radius server? If it is the radius server how would I define EAP as the first authentication method and then mac authentication as the second? Thanks, Dan.
Dan Letkeman wrote:
I am trying to find some info on authentication ordering.
Probably because no one uses that term.
Is it the client(switch or wireless controller) that defines the authentication ordering or is it the radius server?
You're asking the wrong question.
If it is the radius server how would I define EAP as the first authentication method and then mac authentication as the second?
MAC auth isn't authentication. MAC auth is just another authorization check. EAP is authentication. As part of authorizing a user, you can deny them access because their bills aren't paid, or because they're using the wrong MAC. Alan DeKok.
On Sun, Jun 8, 2014 at 5:39 PM, Alan DeKok <aland@deployingradius.com> wrote:
Dan Letkeman wrote:
I am trying to find some info on authentication ordering.
Probably because no one uses that term.
Ok, but I just did, so I guess I use that term :)
Is it the client(switch or wireless controller) that defines the authentication ordering or is it the radius server?
You're asking the wrong question.
Yes, I am asking the wrong question, because I need help, otherwise I would not be posting a question.....(:
If it is the radius server how would I define EAP as the first authentication method and then mac authentication as the second?
MAC auth isn't authentication. MAC auth is just another authorization check.
Ok, so I can authorize a user based on there mac address. I can also authenticate a user using EAP. I want to authenticate a user using EAP, but if the device that a user is using does not support EAP I would like to authorize a user based on the mac address as a last resort.
EAP is authentication. As part of authorizing a user, you can deny them access because their bills aren't paid, or because they're using the wrong MAC.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dan Letkeman wrote:
Yes, I am asking the wrong question, because I need help, otherwise I would not be posting a question.....(:
I suggest asking the *real* question, using common words. Not one using invented terminology. You're more likely to get a useful answer.
Ok, so I can authorize a user based on there mac address. I can also authenticate a user using EAP. I want to authenticate a user using EAP, but if the device that a user is using does not support EAP I would like to authorize a user based on the mac address as a last resort.
For WiFi, it's impossible. It's designed to be impossible. For wired 802.1X, it can be possible. But it doesn't always work. It's not recommended, and it's not trivial. The usual way to do this is to configure the switch to put users into a special VLAN when authentication fails. Alan DeKok.
participants (2)
-
Alan DeKok -
Dan Letkeman