Switch 802.1x authentication and switch authentication
Alan DeKok
aland at deployingradius.com
Tue Oct 15 22:22:04 CEST 2013
Matthew Ceroni wrote:
> Right now I have a solution for the case where one set of switches use
> the Radius server for 802.1x and another set of switches just use the
> radius server for authentication. For this I used huntgroups and added
> the following section to my users file:
>
> DEFAULT LDAP-GROUP == "IT.Americas_sec", Huntgroup-Name = switchAuth
> 	Service-Type = Administrative-User,
> 	cisco-avpair = "shell:priv-lvl=15",
Which gives people admin access if (a) they're in the LDAP-Group, and
(b) if they're in the Huntgroup.
Note that it doesn't check if they *asked* for admin access!
> That allows only people in the IT.Americas_sec to authenticate on the
> switch (and sets their privilege level to 15).
>
> The huntgroup specifies the IP addresses of the switches that use the
> radius server for authentication.
Yes.
> But this solution won't work when a switch does both 802.1x and uses
> the radius server for authentication.
>
> What is the best way to accomplish this?
Add an additional check. Add a check for the Service-Type in the
first line, too.
DEFAULT Service-Type == Administrative-User, LDAP-GROUP == "IT.Americas_sec", Huntgroup-Name = switchAuth
	Service-Type = Administrative-User,
	cisco-avpair = "shell:priv-lvl=15"
Alan DeKok.
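As an added example (not from the thread or from FreeRADIUS itself), a small Python simulation of how the check items of the DEFAULT entry above are evaluated against a request, using constructed huntgroup members, LDAP group memberships and request attributes. It assumes an 802.1x request from the switch arrives with Service-Type = Framed-User, and shows why the Service-Type check matters on a switch that does both 802.1x and admin logins.

```python
# Constructed sample data: NAS addresses in the switchAuth huntgroup and
# LDAP group memberships for two hypothetical users.
HUNTGROUPS = {"switchAuth": {"10.0.0.1", "10.0.0.2"}}
LDAP_GROUPS = {"alice": {"IT.Americas_sec"}, "bob": {"Staff"}}

# Reply items the DEFAULT entry adds when its check items all match.
ADMIN_REPLY = {
    "Service-Type": "Administrative-User",
    "cisco-avpair": "shell:priv-lvl=15",
}


def check_items(req, require_service_type):
    """Evaluate the check items of the DEFAULT entry against one request.

    require_service_type=False models the original entry (LDAP group and
    huntgroup only); True models the corrected entry, which also requires
    Service-Type == Administrative-User.
    """
    if require_service_type and req.get("Service-Type") != "Administrative-User":
        return False
    if "IT.Americas_sec" not in LDAP_GROUPS.get(req["User-Name"], set()):
        return False
    return req["NAS-IP-Address"] in HUNTGROUPS["switchAuth"]


def authorize(req, require_service_type):
    """Return the reply items the entry would add, or None if it does not match."""
    return dict(ADMIN_REPLY) if check_items(req, require_service_type) else None


# Constructed requests, all from one switch (10.0.0.1) that does both
# 802.1x port authentication and administrative logins.
ADMIN_LOGIN = {"User-Name": "alice", "NAS-IP-Address": "10.0.0.1",
               "Service-Type": "Administrative-User"}
DOT1X_AUTH = {"User-Name": "alice", "NAS-IP-Address": "10.0.0.1",
              "Service-Type": "Framed-User"}   # assumed 802.1x Service-Type
NON_IT_LOGIN = {"User-Name": "bob", "NAS-IP-Address": "10.0.0.1",
                "Service-Type": "Administrative-User"}

if __name__ == "__main__":
    for name, req in [("admin login", ADMIN_LOGIN), ("802.1x", DOT1X_AUTH),
                      ("non-IT login", NON_IT_LOGIN)]:
        print(f"{name:13} original entry: {authorize(req, False)}")
        print(f"{name:13} fixed entry:    {authorize(req, True)}")
```

With the original entry, alice's 802.1x request matches and receives the priv-lvl=15 reply; with the Service-Type check only her administrative login does.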