EAP used for plain MAC authentication?
Nick Lowe
nick.lowe at gmail.com
Mon Jan 5 21:41:51 CET 2015
Again,
On Mon, Jan 5, 2015 at 8:17 PM, Marki <jm+freeradiususer at roth.lu> wrote:
>
> In fact the switches correctly react to an Access-Accept or Access-Reject,
> but don't set the VLAN correctly without EAP.
>
I consider this a bug as there should be a separation of concerns here. It
is totally unnecessary and a layering violation to couple to EAP.
>
> In fact I have a call open with Cisco about this, and it would now be great
> if I had some strong arguments why using EAP here is just sick, or why some
> things only work with EAP while the rest also works out-of-the-box.
>
I don't have a problem with EAP being used for MAC auth. A NAS could, for
example, use a fixed, constant username and password to perform MAC address
authentication, only passing the MAC address in the Calling-Station-Id,
instructing that this value should be authenticated using the Service-Type
of Call-Check.
This is useful as it means you can use a single directory account for MAC
auth without having to mess around.
I do want to see Cisco implement and support a fixed, constant username and
password authentication for MAB in a future IOS release. (As an option.)
If a Service-Type is missing, this is a bug where other authentication
types are supported as it becomes awkward, hackish and potentially
unreliable to discriminate between the type of service being used by a
client. It becomes a broken NAS at this point.
Nick
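
The following is an added example, not part of the original message and not FreeRADIUS code: a sketch of how a RADIUS policy layer can tell MAC authentication apart when the NAS sends Service-Type = Call-Check, and how it is reduced to guessing when that attribute is missing. The dict-based request, the function names and the result labels are assumptions made for illustration; the sample requests are constructed.

```python
import re

SERVICE_TYPE_CALL_CHECK = 10  # RFC 2865 Service-Type value for Call Check
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not one."""
    if not isinstance(value, str):
        return None
    # NAS vendors send aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff.
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    return digits if _HEX12.fullmatch(digits) else None


def classify(request):
    """Classify an Access-Request given as a dict of attribute name -> value.

    Returns (kind, mac). Only kind == "mab" is an unambiguous MAC auth request.
    """
    service_type = request.get("Service-Type")
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if service_type == SERVICE_TYPE_CALL_CHECK:
        # Explicit signal from the NAS: authenticate Calling-Station-Id.
        # User-Name and User-Password may be fixed constants and are ignored.
        return ("mab", mac) if mac else ("malformed", None)
    if service_type is not None:
        return ("not-mab", None)  # e.g. Framed for an 802.1X supplicant
    # No Service-Type: fall back to guessing from the shape of User-Name.
    # A user name that merely looks like the MAC lands here too, so the
    # result must be treated as a guess, not as a fact about the request.
    if mac and normalize_mac(request.get("User-Name")) == mac:
        return ("mab-guess", mac)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [  # constructed Access-Request attribute sets
        {"User-Name": "mab-service", "Calling-Station-Id": "00-11-22-AA-BB-CC",
         "Service-Type": 10},
        {"User-Name": "001122aabbcc", "Calling-Station-Id": "0011.22aa.bbcc"},
        {"User-Name": "alice", "Calling-Station-Id": "00:11:22:aa:bb:cc"},
    ]
    for sample in samples:
        print(classify(sample))
```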