EAP used for plain MAC authentication?
jm+freeradiususer at roth.lu
Sun Jan 4 00:16:32 CET 2015
Hi there,
I hope you don't mind if I ask something at first not directly related
to freeradius.
In fact, we have some of those Cisco SG series small-business switches
on which we wanted to implement plain MAC address-based authentication
just like with other Cisco IOS gear (Mac Auth Bypass) and also gear from
other vendors like Extreme.
Now, those Cisco SG devices are also capable of doing dynamic VLAN
assignment BUT they don't accept any VLAN in return unless a full EAP
conversation has taken place, even when only in MAC-auth mode, not in
802.1x. The other gear has no problem accepting a
Tunnel-Private-Group-ID attribute in plain mode.
Is that something you would say they (Cisco) have the liberty to
implement as they wish and I don't understand things clearly, or is it
that they didn't understand things clearly when implementing a MAC-based
authentication using 802.1x nevertheless?
In fact the interesting part of their manual says this:
--start quote--
MAC-based authentication is an alternative to 802.1X authentication that
allows network access to devices (such as printers and IP phones) that
do not have the 802.1X supplicant capability. MAC-based authentication
uses the MAC address of the connecting device to grant or deny network
access.
In this case, the switch supports EAP MD5 functionality with the
username and password equal to the client MAC address
--end quote--
It's mainly that last sentence that I'm wondering about.
In any case this is going to make my life more difficult, as I will have
to treat those SG devices differently from all the other gear we have...
Thanks for your opinion.
Bye,
Marki
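
The EAP-MD5 exchange that the quoted manual sentence describes, sketched as an added example (not part of the original post, and not Cisco or FreeRADIUS code): the switch answers the challenge with the MAC as the secret, and the server recomputes the hash. The sample MAC and its formatting, the challenge, and all function names are assumptions.

```python
import hashlib, hmac, struct

EAP_REQUEST, EAP_RESPONSE, EAP_TYPE_MD5 = 1, 2, 4

def build_md5_packet(code, ident, value, name=b""):
    """Code | Identifier | Length | Type=4 | Value-Size | Value | Name"""
    body = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def parse_md5_packet(pkt):
    """Return (code, ident, value, name); ValueError on malformed input."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or pkt[4] != EAP_TYPE_MD5:
        raise ValueError("bad length or not EAP-MD5")
    size = pkt[5]
    if size == 0 or 6 + size > length:
        raise ValueError("bad Value-Size")
    return code, ident, pkt[6:6 + size], pkt[6 + size:]

def md5_response(ident, secret, challenge):
    # CHAP-style hash used by EAP-MD5: MD5(Identifier || secret || challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def switch_answer(request, mac):
    """The switch answers for the device, using the MAC as the secret."""
    code, ident, challenge, _ = parse_md5_packet(request)
    if code != EAP_REQUEST:
        raise ValueError("expected an EAP-Request")
    return build_md5_packet(EAP_RESPONSE, ident,
                            md5_response(ident, mac, challenge), mac)

def server_verify(request, response, user_name, cleartext):
    """Recompute the hash from the stored cleartext secret and compare."""
    _, req_id, challenge, _ = parse_md5_packet(request)
    code, ident, value, _ = parse_md5_packet(response)
    secret = cleartext.get(user_name)
    if code != EAP_RESPONSE or ident != req_id or secret is None:
        return False
    return hmac.compare_digest(value, md5_response(ident, secret, challenge))

# Constructed sample values (MAC format is an assumption, not from the post).
MAC = b"001122334455"
CHALLENGE = bytes(range(16))
REQUEST = build_md5_packet(EAP_REQUEST, 7, CHALLENGE)

if __name__ == "__main__":
    resp = switch_answer(REQUEST, MAC)
    print(server_verify(REQUEST, resp, MAC, {MAC: MAC}))
```

Because the server recomputes MD5 over the secret, it needs the MAC stored as a cleartext password for that user; a hashed password entry cannot satisfy EAP-MD5.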