EAP used for plain MAC authentication?

jm+freeradiususer at roth.lu
Sun Jan 4 00:16:32 CET 2015

Hi there,

I hope you don't mind if I ask something at first not directly related 
to freeradius.

In fact, we have some of those Cisco SG series small-business switches 
on which we wanted to implement plain MAC address-based authentication 
just like with other Cisco IOS gear (Mac Auth Bypass) and also gear from 
other vendors like Extreme.

Now, those Cisco SG devices are also capable of doing dynamic VLAN
assignment BUT they don't accept any VLAN in return unless a full EAP
conversation has taken place, even when only in MAC-auth mode, not in
802.1x. The other gear has no problem accepting a 
Tunnel-Private-Group-ID attribute in plain mode.

Is that something you would say they (Cisco) have the liberty to 
implement as they wish and I don't understand things clearly, or is it 
that they didn't understand things clearly when implementing a MAC-based 
authentication using 802.1x nevertheless?

In fact the interesting part of their manual says this:

--start quote--
MAC-based authentication is an alternative to 802.1X authentication that
allows network access to devices (such as printers and IP phones) that 
do not have the 802.1X supplicant capability. MAC-based authentication 
uses the MAC address of the connecting device to grant or deny network 

In this case, the switch supports EAP MD5 functionality with the 
username and password equal to the client MAC address
--end quote--

It's mainly that last sentence that I'm wondering about.

In any case this is going to make my life more difficult, as I will have 
to treat those SG devices differently from all the other gear we have...

Thanks for your opinion.
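
Added example, not part of the original post and not Cisco or FreeRADIUS code: what "EAP MD5 with the username and password equal to the client MAC address" means for the RADIUS server, which sees only an MD5 digest and must rebuild the password in the exact string form the switch hashed. The lowercase, separator-free MAC form, the `KNOWN_MACS` table and all function names are assumptions made for illustration; the page does not state which form the SG switches use.

```python
import hashlib
import hmac
import re

# Constructed sample data: MAC -> VLAN to return in Tunnel-Private-Group-ID.
KNOWN_MACS = {"0011223344aa": "20"}


def normalize_mac(mac: str) -> str:
    """Strip common separators and return 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def md5_challenge_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 response value (RFC 3748 type 4, computed as in RFC 1994 CHAP):
    MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def switch_response(port_mac: str, identifier: int, challenge: bytes, fmt=str.lower):
    """Switch side: answers the challenge itself, using the MAC seen on the
    port as both identity and password. `fmt` is the (assumed) string form."""
    cred = fmt(normalize_mac(port_mac))
    return cred, md5_challenge_value(identifier, cred.encode("ascii"), challenge)


def server_verify(identity, identifier, challenge, response, fmt=str.lower):
    """Server side: return the VLAN for a known MAC whose response matches,
    else None. The password must be rebuilt in the exact form the switch
    hashed, because only the digest crosses the wire."""
    try:
        mac = normalize_mac(identity)
    except ValueError:
        return None
    vlan = KNOWN_MACS.get(mac)
    if vlan is None:
        return None
    expected = md5_challenge_value(identifier, fmt(mac).encode("ascii"), challenge)
    return vlan if hmac.compare_digest(expected, response) else None


if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real server uses random bytes
    ident, resp = switch_response("00:11:22:33:44:AA", 7, challenge)
    print(server_verify(ident, 7, challenge, resp))             # matching form
    print(server_verify(ident, 7, challenge, resp, str.upper))  # form mismatch
```
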


