new to freeradius, securing LAN

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri May 29 17:44:54 CEST 2009


On 29/5/09 16:23, pkc_mls wrote:
> ldap.lippogeneral.com wrote:
>>
>> But how, if they can manually configure an interface on their PC and
>> completely bypass our DHCP server..
>>
> this is typically why you'd like to set up authentication, so the
> physical access to your switch port is not sufficient to get access to
> your network.
>
> please check if your network devices can do 802.1x, then try the
> authentication you'd like.
>

With switches that support MAC-Based authentication and/or 802.1X authentication, and a port which has MAC/802.1X authentication enabled; when the client physically connects, the port will transition to a 'closed' state.

Whilst the port is in a closed state, the switch will drop any packets received on that port, until the switch has authenticated the user against a RADIUS server. If the RADIUS server authorizes the client to connect, the port will 'open' and allow packets to be forwarded. If the RADIUS server does not authorize the user, then the port will remain closed and packets will continue to be dropped.

All port based authentication occurs before the client has acquired an IP address.

Arran
-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
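
The port behaviour described in the message above, as an added example that is not part of the original post: a toy model of one port with MAC-based authentication, showing that a host with a hand-configured IP address is still dropped. The `AuthPort` class, the `radius_authorize` callback and the MAC addresses are assumptions constructed for illustration, and the frame that triggers authentication is assumed to be dropped.

```python
import struct

ETH_ARP, ETH_IPV4 = 0x0806, 0x0800

def eth_frame(src_mac, ethertype, payload=b""):
    """Build a minimal Ethernet II frame with a broadcast destination."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    return b"\xff" * 6 + src + struct.pack("!H", ethertype) + payload

class AuthPort:
    """Toy model of one switch port with MAC-based authentication enabled."""

    def __init__(self, radius_authorize):
        # radius_authorize(mac) -> bool stands in for the Access-Request the
        # switch sends and the Access-Accept / Access-Reject it gets back.
        self.radius_authorize = radius_authorize
        self.link_up()

    def link_up(self):
        """Client plugs in: the port starts closed and nothing is authorized."""
        self.state = "closed"
        self.decided = {}          # source MAC -> RADIUS decision

    def receive(self, frame):
        """Return 'forward' or 'drop' for one frame arriving on the port."""
        src = frame[6:12].hex(":")
        if self.state == "open" and self.decided.get(src):
            return "forward"
        if src not in self.decided:
            # First frame from this MAC triggers authentication. The frame
            # itself is dropped: the port was closed when it arrived.
            self.decided[src] = self.radius_authorize(src)
            if self.decided[src]:
                self.state = "open"
        return "drop"

# Constructed sample data: one registered MAC, one unknown MAC.
REGISTERED = {"00:11:22:33:44:55"}

def run(mac):
    port = AuthPort(lambda m: m in REGISTERED)
    # Host with a hand-configured IP: it never talks to DHCP, it just
    # starts sending ARP and IPv4 frames.
    frames = [eth_frame(mac, ETH_ARP), eth_frame(mac, ETH_IPV4),
              eth_frame(mac, ETH_IPV4)]
    return [port.receive(f) for f in frames]

if __name__ == "__main__":
    print("unknown MAC, static IP:", run("de:ad:be:ef:00:01"))
    print("registered MAC:        ", run("00:11:22:33:44:55"))
```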


