FreeRadius PAP authentication for Non-EAPOL clients on Avaya 5500 switch.
jan hugo prins
jhp at jhprins.org
Sun Mar 1 23:10:50 CET 2015
I know the issues with MAC authentication. The solution Avaya gives us
is the best thing we have at the moment for these devices. At least it
locks a MAC address to a specific port on the switch and any other port
you try the MAC address on will block. And for our company is not very
big we think that the changes of anyone hijacking a MAC address on the
fixed network in one of the work area's is very small. And the problem
is on the agenda, so anything new we buy in the future will not have
this problem.
Jan Hugo
On 03/01/2015 10:37 PM, Adam Bishop wrote:
> On 1 Mar 2015, at 20:53, jan hugo prins <jhp at jhprins.org> wrote:
>> Could you tell me a solution that works where I can integrate devices
>> that don't do 802.1x in an environment where all ports need 802.1x?
> There isn't one. The issue with using the MAC as a credential is that the credentials for getting on to your network is *literally* stuck to the side of the device for everyone to read (and can be sniffed in seconds using a tap).
>
> It's worse than having open ports, as you end up believing that because you have dot1x on all edge ports you have better security, and also costs you time and money to administer.
>
> Put anything that can't do dot1x in an isolated part of the network and use something like PVLAN.
>
> Thanks,
>
> Adam Bishop
>
> gpg: 0x6609D460
>
> jisc.ac.uk
>
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list