MAC Auth first, then User?

Alexander Clouter alex at digriz.org.uk
Thu Sep 23 16:55:43 CEST 2010


Rob Yamry <ryamry at kimberly.k12.wi.us> wrote:
>
> We are experiencing an issue where certain policies need to push down to
> laptops before the user enters their credentials to authenticate to the
> wireless network.  We only have Radius/802.1x enabled on the wireless right
> now.  Is it possible to authenticate the device based on MAC address so the
> initial connection is there (so the laptop is "online") and then have the
> user authenticate via the Novell Client (with 802.1x) to login to the
> desktop?
> 
No, not unless your wireless controller supports it.

On the wired side, you can usually get something better:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287.pdf

To be frank, in your situation I would *not* recommend it.  Workstation 
and User authentication are two separate things; although you might use 
the user credentials to 'bootstrap' (to vouch for the MAC address in use 
for that session) the host authentication.

This also has nothing to do with FreeRADIUS...

Cheers

-- 
Alexander Clouter
.sigmonster says: Chicken Little was right.



