Authenticate user by NAS-IP & NAS-Port-ID instead of User-Name & Password
Hello, I have a managed network switch that support MAC authentication and will send requests to Radius. The issue is I do not wish to keep a list of customer device MAC addresses for authentication. I would like to enforce activation by port. My first attempt was changing the username & password to something standardized like "<NAS-IP>-<NAS-Port-ID>" & "somesecurepassword" When I did this though I think EAP failed with the user-name did not match what was on the original request. What I am looking for is what the best way to approach this scenario is. The 2 options I can think of is try writing a custom sql module that way I do not need to play with the User-Name Password or proxy the request and then authenticate it that way the names don't get fudged on the original request. Any other easier ways? Am I on the right track? Also, anyone know of managed switches (Other than Cisco) that support setting the Ingress/Egress speeds of the port via Radius? -- -Louis NTInet O: 803-533-1660 X 207 C: 803-997-0004
Louis Arsenault wrote:
I have a managed network switch that support MAC authentication and will send requests to Radius. The issue is I do not wish to keep a list of customer device MAC addresses for authentication. I would like to enforce activation by port.
My first attempt was changing the username & password to something standardized like "<NAS-IP>-<NAS-Port-ID>" & "somesecurepassword"
Did that match the user name && password in the RADIUS packet? If not, it's not going to work.
When I did this though I think EAP failed with the user-name did not match what was on the original request.
Saying "I think..." is bad practice. Computers are exact. Find out EXACTLY what's going on. And go back to read what you wrote. MAC authentication and EAP? Those are different things. What is REALLY happening?
What I am looking for is what the best way to approach this scenario is. The 2 options I can think of is try writing a custom sql module that way I do not need to play with the User-Name Password or proxy the request and then authenticate it that way the names don't get fudged on the original request.
*IF* the packets contain EAP and you want to authenticate devices by NAS IP/port... it's impossible. Don't even bother trying. It won't work. If you're not doing EAP, that's another question. So... what's really going on? MAC auth? EAP? ....? Alan DeKok.
participants (2)
-
Alan DeKok -
Louis Arsenault