How possible is this???
Alan DeKok
aland at deployingradius.com
Thu Nov 20 16:38:44 CET 2008
Martin MacLeod-Brown wrote:
> My current thinking for our wired network is to add the MAC-addresses of
> all our desktop machines (2500 PC/laptops) into LDAP with the
> MAC-address being both the user name and password.
> We would then try FreeRadius and MAC-Authentication - how feasible is
> this and are there any gotcha's?
It's simple. I would suggest the following. Turn on MAC
authentication on the swithes, BUT configure FreeRADIUS to allow any
MAC. Then, also make it log the MACs.
After a week or so, add all of the MACs to the LDAP database, and
enable real MAC authentication.
> Import the Mac addresses into LDAP
> List the IP of all our edge switches in clients.conf
> Configure the shared secret
> Configure radiusd.conf to talk to the LDAP server - partially done
> Set up switches to query the radius server
>
> Are there any good how-to's on radius and mac-auth?
Nope. Just configure the username && password as the MAC address (if
that's what you see in the packet).
> We are looking to keep things as simple as possible so we can get used
> to using radius, before thinking about deploying 802.1x and I am
> desperate to avoid having to use IAS
IAS has a lot fewer features than FreeRADIUS.
Alan DeKok.
More information about the Freeradius-Users
mailing list