Switch 802.1x authentication and switch authentication

Matthew Ceroni matthewceroni at gmail.com
Tue Oct 15 20:52:02 CEST 2013


Hi:

I have a need to use a single FreeRADIUS server as both a RADIUS
server for 802.1x authentication on a switch and also for switch
authentication.

Right now I have a solution for the case where one set of switches uses
the RADIUS server for 802.1x and another set of switches just uses the
RADIUS server for authentication. For this I used huntgroups and added
the following section to my users file:

# Match only IT.Americas_sec members logging in via a NAS in the switchAuth huntgroup
DEFAULT LDAP-GROUP == "IT.Americas_sec", Huntgroup-Name == switchAuth
     Service-Type = Administrative-User,
     cisco-avpair = "shell:priv-lvl=15"

That allows only people in the IT.Americas_sec group to authenticate on the
switch (and sets their privilege level to 15).

The huntgroup specifies the IP addresses of the switches that use the
RADIUS server for authentication.

But this solution won't work when a switch does both 802.1x and uses
the RADIUS server for authentication.

What is the best way to accomplish this?

Thanks

