Authenticating MACs and users
Alan DeKok
aland at deployingradius.com
Sat Nov 20 20:09:53 CET 2010
Rudolph Bott wrote:
> I have all the MAC addresses (including the vlan attribute) in my users
> file. Can I just put in some user accounts as well and configure my
> switches to use the radius server for user authentication?
Yes.
> How do I separate the management-users from my 'fake' mac-address-users?
> I don't want anyone to log in to my switches with his MAC address :/
Look at the packets for the two kinds of requests. They will *look*
different. Use those differences to create a policy that separates the two.
Very often, the MAC auth requests have User-Password or CHAP-Password
of the MAC address. Since the User-Name also looks like a MAC address,
that's a pretty good way to tell them apart.
> On top of that, I might also need a Radius server to authenticate
> wireless users against Active Directory but I'll probably use IAS here
> (unless it's easy to add this feature to the existing freeradius setup as
> well).
It's trivial. Add a name/password to the "users" file. Start the
server in debugging mode. PEAP will work.
> Basically my question is: how can I separate user requests for different
> backends (mac-address-users-file, switch-users-file, active directory
> backend) on my radius server. Simply running 3 instances with different
> ports/configurations on the same server is probably not the way to go
> (is it?)
Nope.
> But that actually leads to my next question: is there a way to avoid
> having cleartext passwords for my switch-users in the users file?
Sure. Put them in a database.
Alan DeKok.
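The separation Alan describes (a User-Name that looks like a MAC address, with User-Password or CHAP-Password being that same MAC) as an added Python example; it is not code from the thread or from FreeRADIUS. It assumes each Access-Request arrives as a dictionary of attributes, and the sample requests at the bottom are constructed. The same test is what you would express as an unlang `if` in the server's authorize section to pick the MAC file or the switch-users backend.

```python
import hashlib
import re

# MAC spellings a NAS commonly sends as User-Name: "00:11:22:33:44:55",
# "00-11-22-33-44-55", "001122334455" or "0011.2233.4455".
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I)

def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    value = (value or "").strip()
    return re.sub(r"[^0-9a-f]", "", value.lower()) if MAC_RE.match(value) else None

def mac_spellings(mac):
    """Spellings a NAS might have hashed into CHAP-Password for a normalized MAC."""
    pairs = [mac[i:i + 2] for i in range(0, 12, 2)]
    forms = {mac, ":".join(pairs), "-".join(pairs), ".".join(mac[i:i + 4] for i in range(0, 12, 4))}
    return forms | {f.upper() for f in forms}

def chap_matches(attrs, password):
    """RFC 2865 s5.3: CHAP-Password = Ident | MD5(Ident + password + challenge);
    the challenge is CHAP-Challenge or, if absent, the Request Authenticator."""
    chap = attrs.get("CHAP-Password")
    if not chap or len(chap) != 17:
        return False
    challenge = attrs.get("CHAP-Challenge") or attrs.get("Request-Authenticator", b"")
    return hashlib.md5(chap[:1] + password.encode() + challenge).digest() == chap[1:]

def classify(attrs):
    """'mac-auth' when User-Name is a MAC and the password is that same MAC
    (plain User-Password, or CHAP-Password hashed from it); anything else is
    'user-login' and belongs to the switch-users backend, never the MAC file."""
    mac = normalize_mac(attrs.get("User-Name"))
    if mac is None:
        return "user-login"
    if "User-Password" in attrs:
        return "mac-auth" if normalize_mac(attrs["User-Password"]) == mac else "user-login"
    return "mac-auth" if any(chap_matches(attrs, f) for f in mac_spellings(mac)) else "user-login"

def make_chap_request(username, password, challenge, ident=b"\x01"):
    """Build a CHAP Access-Request the way a NAS would (constructed sample data)."""
    digest = hashlib.md5(ident + password.encode() + challenge).digest()
    return {"User-Name": username, "CHAP-Password": ident + digest, "CHAP-Challenge": challenge}

# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = {
    "mac-pap": {"User-Name": "00:11:22:33:44:55", "User-Password": "00:11:22:33:44:55"},
    "mac-chap": make_chap_request("00-11-22-33-44-55", "001122334455", b"\x5a" * 16),
    "admin": {"User-Name": "admin", "User-Password": "correct horse battery"},
    "mac-as-login": {"User-Name": "00:11:22:33:44:55", "User-Password": "hunter2"},
}
```

A request whose User-Name is a MAC but whose password is not that MAC is routed to the switch-users backend, where it fails unless a real account exists.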