Authenticating MACs and users

Rudolph Bott r at bott.im
Sat Nov 20 11:38:25 CET 2010


Hey Alan,

On 20.11.2010 11:26, Rudolph Bott wrote:
> Hi Alan,
>
> ok I'll try to be more specific:
>
> I have all the mac addresses (including the vlan attribute) in my users
> file. Can I just put in some user accounts as well and configure my
> switches to use the radius server for user authentication?
>
> How do I separate the management-users from my 'fake' mac-address-users?
> I don't wont anyone to login to my switches with his mac address :/

OK forget about that part - I totally forgot about the 'Service-Type' 
attribute, sorry!

But that actually leads to my next question: is there a way to avoid 
having cleartext passwords for my switch-users in the users file?

However, there's still need for clarification on the following:

>
> On top of that, I might also need a Radius server to authenticate
> wireless users against Active Directory but I'll probably use IAS here
> (unless its easy to add this feature to the existing freeradius setup as
> well).
>
> Basically my question is: how can I separate user requests for different
> backends (mac-address-users-file, switch-users-file, active directory
> backend) on my radius server. Simply running 3 instances with different
> ports/configurations on the same server is probably not the way to go
> (is it?)
>
>
> On 19.11.2010 20:42, Alan DeKok wrote:
>> Rudolph Bott wrote:
>>> Ah yes, thanks - any hints on how to achieve this? Maybe I'm just using
>>> the wrong keywords for searching.
>>
>> (a) configure user authentication
>> (b) configure MAC authentication
>>
>> There is no real difference between the two, other than the format of
>> the User-Name attribute.
>>
>> If your question was more specific, my answers could be more detailed.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>


-- 
Mit freundlichen Grüßen / With Kind Regards
   Rudolph Bott



More information about the Freeradius-Users mailing list