Authenticating MACs and users

Alan DeKok aland at
Sat Nov 20 20:09:53 CET 2010

Rudolph Bott wrote:
> I have all the mac addresses (including the vlan attribute) in my users
> file. Can I just put in some user accounts as well and configure my
> switches to use the radius server for user authentication?


> How do I separate the management-users from my 'fake' mac-address-users?
> I don't wont anyone to login to my switches with his mac address :/

  Look at the packets for the two kinds of requests.  They will *look*
different.  Use those differences to create a policy that separates the two.

  Very often, the MAC auth requests have User-Password or CHAP-Password
of the Mac address.  Since the User-Name also looks like a MAC address,
that's a pretty good way to tell them apart.

> On top of that, I might also need a Radius server to authenticate
> wireless users against Active Directory but I'll probably use IAS here
> (unless its easy to add this feature to the existing freeradius setup as
> well).

  It's trivial.  Add a name/password to the "users" file.  Start the
server in debugging mode.  PEAP will work.

> Basically my question is: how can I separate user requests for different
> backends (mac-address-users-file, switch-users-file, active directory
> backend) on my radius server. Simply running 3 instances with different
> ports/configurations on the same server is probably not the way to go
> (is it?)


> But that actually leads to my next question: is there a way to avoid
> having cleartext passwords for my switch-users in the users file?

  Sure.  Put them in a database.

  Alan DeKok.

More information about the Freeradius-Users mailing list