We are checking which swtiches should be compatible with our network deployment and RADIUS using 802.1x. Our understanding is that it should work like this: 1. Supplicant Client sends any authentication information using EAP-TTLS tunnel to RADIUS server, which will include certificate. So for example, it sends MAC ID and certificate to RADIUS server (through the 802.1x enabled authenticator switch). 2. The RADIUS server will then tell the switch which certificates are authenticated (and not the MAC ID or other information). Does this sound correct? Or, in order to pass MAC "and" certificate, it will not be compliant with 802.1x since 802.1x only uses x.509 certificate and therefore we would need a switch with 802.1x "bypass mode"?
zhang zhi-heng <zhzhang.sg@gmail.com> wrote:
Or, in order to pass MAC "and" certificate, it will not be compliant with 802.1x since 802.1x only uses x.509 certificate and therefore we would need a switch with 802.1x "bypass mode"?
MAC-authentication-bypass mode is used to help clients that cannot do 802.1x. You should not need it to do 802.1x with an 802.1x-capable client. With a client that does 802.1x, the RADIUS server will have the MAC address usually because the RADIUS NAS adds extra fields (Calling-Station-Id) and sends them along with the EAP request. The client does not send these, they are added by the NAS (switch). When a NAS authenticates a client on a wired port, either by MAB or 802.1x, it usually allows all traffic from the MAC address (Calling-Station-Id). (For IP first hop security use the normal ARP/DHCP/IP protections, or whatever extra features the switch supports for downloadable ACLs.) However, even though the MAC address is what is used to permit or deny access, it is kept track of using a Session-Id distinct from the MAC address, and the session usually only applies to a single port on the switch. Exactly how the NAS and the RADIUS backend handle a MAC showing up on multiple ports differs by vendor, as does the available features for multiple clients on the same port. These are what you need to pay attention to when evaluating switches. Nothing beats a test drive. Also be sure to test wake-on-lan and sleeping machines in your typical deployment environment if you have them. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
thanks -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+zhzhang.sg=gmail.com@lists.freeradius.org> On Behalf Of Brian Julin Sent: Tuesday, 7 August 2018 1:01 PM To: freeradius-users@lists.freeradius.org Subject: Re: 802.1x question zhang zhi-heng <zhzhang.sg@gmail.com> wrote:
Or, in order to pass MAC "and" certificate, it will not be compliant with 802.1x since 802.1x only uses x.509 certificate and therefore we would need a switch with 802.1x "bypass mode"?
MAC-authentication-bypass mode is used to help clients that cannot do 802.1x. You should not need it to do 802.1x with an 802.1x-capable client. With a client that does 802.1x, the RADIUS server will have the MAC address usually because the RADIUS NAS adds extra fields (Calling-Station-Id) and sends them along with the EAP request. The client does not send these, they are added by the NAS (switch). When a NAS authenticates a client on a wired port, either by MAB or 802.1x, it usually allows all traffic from the MAC address (Calling-Station-Id). (For IP first hop security use the normal ARP/DHCP/IP protections, or whatever extra features the switch supports for downloadable ACLs.) However, even though the MAC address is what is used to permit or deny access, it is kept track of using a Session-Id distinct from the MAC address, and the session usually only applies to a single port on the switch. Exactly how the NAS and the RADIUS backend handle a MAC showing up on multiple ports differs by vendor, as does the available features for multiple clients on the same port. These are what you need to pay attention to when evaluating switches. Nothing beats a test drive. Also be sure to test wake-on-lan and sleeping machines in your typical deployment environment if you have them. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Brian Julin -
zhang zhi-heng