MAC based auth

Phil Mayers p.mayers at imperial.ac.uk
Wed Nov 26 16:58:48 CET 2008


Arran Cudbard-Bell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Phil Mayers wrote:
>> Arran Cudbard-Bell wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>>>> was aware HP ProCurve were the only ones that supported this properly
>>>>> No. Extreme X250/X450 and 3Com 4400.
>>> They don't publish their manuals online ?! All I can find is a 'getting
>>> started guide' for the 3Com and nothing for the Extreme switches.
>> http://www.extremenetworks.com/services/software-userguide.aspx
>>
>> You want the "XOS concepts guide", chapter 21 ("Network Login")
>>
>> The 4400 is end-of-sale, so I doubt you want to waste time researching
>> them, but we have them and they work.
> 
> Thanks for that. It's still worth looking at how other vendors do it.

 From your description of ProCurve, 3Com do it the same way - send 
EAP-Identity, if the 1st packet back is EAP, go into 802.1x mode, else 
do mac-auth.

The 3Com's also have other weird modes where they'll do a PAP request 
with the MAC before the 802.1x, and you can AND or OR the results; 
AFACIT this is for people with crappy radius servers (e.g. IAS) who 
can't easily match on arbitrary fields.



More information about the Freeradius-Users mailing list