Config for 802.1x use on network switches
Michael Schwartzkopff
ms at sys4.de
Tue May 7 13:37:45 CEST 2013
On Tuesday, 7 May 2013, 14:27:35, Nikolaos Milas wrote:
> Hello,
>
> We would like to enforce authentication for all clients connecting to
> our network (wired or wireless), so that when a client connects, the
> client will not be able to use the network unless it successfully
> authenticates (e.g. via web) with a valid account (LDAP-based).
>
> We have a network based mainly on Cisco 2950/2960 switches.
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea11x/configuration/guide/sw8021x.html
or search for your switch and IOS version.
> We are running a central LDAP Server (openldap) where we hold user
> accounts, which are used for mail, ftp, web, Shibboleth access.
>
> I guess we can enable 802.1x on switches and require authentication of
> clients over freeradius.
>
> Is there a suggested sample freeradius configuration for such use? Can
> you please provide one or point me to a URL for it?
Read the rlm_ldap file in the doc directory.
Quite old, but still works:
http://vuksan.com/linux/dot1x/802-1x-LDAP.html
> Can you share your experience and any pitfalls we should consider?
Pitfalls:
- Devices that do not speak 802.1x, e.g. printers.
- Devices with more than one MAC address, e.g. laptops with virtual machines.
- Devices of users that are not in your LDAP, e.g. consultants, guests.
- Devices behind IP phones (two MAC addresses!).
Perhaps you need to mess around with guest, restricted, and voice VLANs.
> Any experiences on such use? Does this scale well (for about 20-30
> switches)? Should we consider a central management solution? (Which?)
LDAP scales well. FreeRADIUS will not have any performance problem.
Perhaps you get a lot of work taking care of all the MAC addresses of your
non-802.1x devices. A customer of mine has a database with 120,000 MAC
addresses ...
--
Kind regards,
Michael Schwartzkopff
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Axel von der Ohe, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
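The pitfall Michael raises last, a large inventory of MAC addresses for devices that cannot do 802.1x, is usually handled by letting the switch fall back to MAC Authentication Bypass (MAB) and feeding FreeRADIUS a generated `users` file. The script below is an added example (not from the post, not FreeRADIUS project code): it takes a constructed CSV inventory, normalizes the MAC into the form Cisco IOS sends for MAB (assumed: 12 lower-case hex digits with no separators, used as both User-Name and PAP User-Password, with Service-Type = Call-Check), rejects malformed and duplicate entries, and emits one entry per device that assigns the VLAN with the standard RFC 3580 Tunnel-* attributes. The VLAN names, descriptions and MACs are made up, and the switch side (`mab` on the port, guest/restricted/voice VLANs) is assumed to be configured separately.

```python
"""Generate FreeRADIUS `users` entries for non-802.1X devices via MAB.

Added example, not from the mailing-list post or the FreeRADIUS project.
Assumptions: the switch (Cisco IOS with `mab` on the port) sends the MAC
as User-Name and User-Password, lower-case, 12 hex digits, no separators,
with Service-Type = Call-Check.  The VLAN is returned by name; the switch
maps the name to a VLAN ID (assumed behaviour of IOS dynamic VLAN assignment).
"""
from __future__ import annotations

import csv
import io
import re

# Constructed sample inventory: mac, vlan, description.  MACs appear in
# whatever form the admins typed them (Cisco dotted, colons, dashes, bare),
# plus one typo and one duplicate to exercise the rejection path.
SAMPLE_INVENTORY = """\
mac,vlan,description
0011.2233.4455,printers,HP LaserJet 2nd floor
00:11:22:33:44:66,printers,Kyocera reception
00-11-22-33-44-77,voip,IP phone desk 12
001122334488,cameras,Lobby camera
zz:11:22:33:44:99,printers,typo in inventory
00:11:22:33:44:66,cameras,duplicate of Kyocera
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return the MAC as 12 lower-case hex digits (the assumed MAB User-Name)."""
    mac = re.sub(r"[.:\-\s]", "", raw.strip().lower())
    if not _HEX12.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def parse_inventory(text: str) -> tuple[list[dict], list[str]]:
    """Parse the CSV, dropping rows with malformed or duplicate MACs.

    Returns (accepted rows with a normalized 'mac', list of rejection messages).
    Line numbers start at 2 because line 1 is the CSV header.
    """
    rows: list[dict] = []
    problems: list[str] = []
    seen: set[str] = set()
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            mac = normalize_mac(row["mac"])
        except ValueError as e:
            problems.append(f"line {lineno}: {e}")
            continue
        if mac in seen:
            problems.append(f"line {lineno}: duplicate MAC {mac} ({row['description']})")
            continue
        seen.add(mac)
        rows.append({"mac": mac,
                     "vlan": row["vlan"].strip(),
                     "description": row["description"].strip()})
    return rows, problems


def users_entry(mac: str, vlan: str, description: str) -> str:
    """One FreeRADIUS `users` entry.

    Check items: the MAC as password (PAP, assumed MAB default) and
    Service-Type == Call-Check so a human typing the MAC as an 802.1X
    username does not match this entry.  Reply items place the port in the
    named VLAN (Tunnel-Type VLAN = 13, Tunnel-Medium-Type IEEE-802 = 6).
    """
    return (
        f"# {description}\n"
        f'{mac}\tCleartext-Password := "{mac}", Service-Type == Call-Check\n'
        f"\tTunnel-Type = VLAN,\n"
        f"\tTunnel-Medium-Type = IEEE-802,\n"
        f'\tTunnel-Private-Group-Id = "{vlan}"\n'
    )


def build_users_file(text: str) -> tuple[str, list[str]]:
    """Render the whole inventory as `users` file text plus rejection messages."""
    rows, problems = parse_inventory(text)
    body = "\n".join(users_entry(**r) for r in rows)
    return body, problems


if __name__ == "__main__":
    out, rejected = build_users_file(SAMPLE_INVENTORY)
    print(out)
    for p in rejected:
        print("REJECTED:", p)
```

Rejected rows are reported rather than silently dropped so the inventory gets fixed at the source; otherwise a typo in one line quietly leaves a printer on the guest VLAN. Devices that do speak 802.1x are still authenticated against LDAP through rlm_ldap as in the post; this file only covers the MAB fallback.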