MAC based auth

schilling schilling2006 at gmail.com
Wed Nov 26 16:33:22 CET 2008


We did MAC-based authentication on our campus resnet with about 5000 unique
MAC addresses. We have dominantly Foundry, and some Cisco 3550s. Foundry
switches work very well. Their dot1x feature sets are very good; they call it
multi-device port authentication.


Cisco 3550 is OK; at least we got the MAB working as we architected. You
have to disable 802.1x in order to do MAB. There are some catches though.

Sample Cisco switch configuration:

aaa new-model
! Use RADIUS for 802.1X/MAB authentication and for network authorization (VLAN assignment)
aaa authentication dot1x default group radius
aaa authorization network default group radius local
! Enable 802.1X globally on the switch
dot1x system-auth-control

interface FastEthernet0/3
 description MAC-AuthC
 switchport access vlan 552
 switchport mode access
 ! Fall back to MAC Authentication Bypass when no EAPOL frames arrive from the host
 dot1x mac-auth-bypass
 ! Critical authentication: keep the port usable if all RADIUS servers are unreachable
 dot1x critical
 dot1x pae authenticator
 dot1x port-control auto
 dot1x host-mode multi-host
 ! Short EAP Identity timeout and a single retry, so a host without a supplicant
 ! falls through to MAB after about tx-period x (max-reauth-req + 1) = 2 seconds
 dot1x timeout tx-period 1
 dot1x max-reauth-req 1
 spanning-tree portfast
 spanning-tree bpduguard enable


RADIUS VLAN instruction policy settings (rlm_perl reply attributes):
# Tell the switch to place the authenticated port in the named VLAN
$RAD_REPLY{'Service-Type'} = "Framed-User";
$RAD_REPLY{'Tunnel-Type'} = "VLAN";
$RAD_REPLY{'Tunnel-Medium-Type'} = "IEEE-802";
$RAD_REPLY{'Tunnel-Private-Group-Id'} = "YourVLANName";   # VLAN name (or ID) on the switch
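As an added example, not code from the original post or from FreeRADIUS, here is the MAB authorization decision that the rlm_perl reply settings above implement, written as a stand-alone Python function so it can be run offline. It normalizes the MAC address the switch sends (Cisco MAB sends it as 12 hex digits in User-Name, while Calling-Station-Id commonly arrives dash-separated or dotted), looks it up in a registered-device table, and returns the same four reply attributes. The device table, VLAN names and the sample requests are constructed for illustration; the cross-check of User-Name against Calling-Station-Id is an added defensive check, not something the post describes.

```python
import re

# Constructed sample data: registered MAC -> VLAN name the switch should apply
# (this becomes the Tunnel-Private-Group-Id reply attribute)
REGISTERED_DEVICES = {
    "00:11:22:33:44:55": "ResNet-Students",
    "aa:bb:cc:dd:ee:ff": "Printers",
}

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a MAC as lower-case, colon-separated hex, or None if it is not a MAC.

    Switches format the identity differently (aabbccddeeff in User-Name,
    AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff in Calling-Station-Id), so all lookups
    are done on one canonical form.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw or "").lower()
    if not MAC_RE.match(hexdigits):
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def authorize(request):
    """Decide on a MAB Access-Request.

    `request` is a dict of RADIUS request attributes. Returns
    ("accept", reply_attributes) or ("reject", reason).
    """
    mac = normalize_mac(request.get("User-Name"))
    if mac is None:
        # A real username (802.1X) or garbage: this policy only handles MAB
        return ("reject", "User-Name is not a MAC address; not a MAB request")

    calling = normalize_mac(request.get("Calling-Station-Id"))
    if calling is not None and calling != mac:
        # Identity claimed in User-Name differs from the source MAC the switch saw
        return ("reject", "User-Name does not match Calling-Station-Id")

    vlan = REGISTERED_DEVICES.get(mac)
    if vlan is None:
        return ("reject", "unregistered device %s" % mac)

    # Same attributes as the rlm_perl snippet: dynamic VLAN assignment
    reply = {
        "Service-Type": "Framed-User",
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": vlan,
    }
    return ("accept", reply)


if __name__ == "__main__":
    # Constructed sample request as a Cisco switch would send it for MAB
    sample = {"User-Name": "001122334455",
              "User-Password": "001122334455",
              "Calling-Station-Id": "00-11-22-33-44-55"}
    print(authorize(sample))
```

Unregistered MACs and 802.1X-style usernames are rejected rather than falling into a default VLAN; if a guest VLAN is wanted for unknown devices, that is the place to return it instead of a reject.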





There is one special troubleshooting guide for MAC address authentication:
please make sure the student's computer does not have 802.1x authentication
enabled on the Ethernet network connection when a student calls and says the
network reports no or limited network connection. We found out that in Windows
XP and Windows Vista 802.1x authentication is not enabled by default, but we
just want to double-check to make sure 802.1x authentication is disabled on the
Ethernet connection.

How to check that 802.1x authentication is off?
In Windows XP: Start, Settings, Network Connections, right-click Local Area
Connection, select Properties. If you do not see an Authentication tab,
802.1x is not available and thus not enabled. If the Authentication tab is
available, please make sure the "Enable IEEE 802.1x for this network" checkbox
is not checked.


More technical details regarding Windows 802.1x authentication, for your
information.
In Windows XP SP3 and Windows Vista, there is a service which is set to
Manual and Stopped by default:
Start -> Run -> cmd
services.msc
service: dot3svc
display name: Wired AutoConfig
description: This service performs IEEE 802.1X authentication on Ethernet
interfaces
If you right-click the service and start it, the
Authentication tab will show up in your Local Area Connection properties.


Schilling




On Wed, Nov 26, 2008 at 8:42 AM, <tnt at kalik.net> wrote:

> >Do they support Mac-Based Auth + 802.1X on the same port?
>
> In a (very) weird way. It's not mac auth + 802.1x but mac auth *in*
> 802.1x (mac address is sent as user/pass - requires registry hacking on
> XP). And then you can re-authenticate with username/pass.
>
> There is also something called mac authentication bypass for 802.1x. If
> enabled, the switch will do mac auth if it doesn't get an EAPOL packet from
> the supplicant. So, in a manner of speaking, you can have mac auth and
> (probably should say or - the idea is to be able to connect something
> that doesn't do 802.1x, like a network printer) 802.1x on the same port.
>
> Ivan Kalik
> Kalik Informatika ISP

