Port/mac/IP authentication, authorization, auditing. Is it possible ?

CpServiceSPb cpservicespb at gmail.com
Sun Jun 9 14:42:18 CEST 2019


Sat, 1 Jun 2019 at 21:57, CpServiceSPb <cpservicespb at gmail.com>:

> Is it possible by default or by using additional modules to authenticate,
> authorize devices plugged into a managed switch not only by MAC, but also by
> MAC/IP or port/MAC/IP, especially for statically assigned devices?
>
> You can generally authenticate by MAC, but not by IP.  RADIUS is about
> network access.  And the device doesn't have an IP until after it's been
> given network access.
>
>   Look at the debug output: radiusd -X.
>
>   Then, see which attributes are in the input packet.  Those attributes
> are the ones that you can use for authorization / authentication checks.
>
>   Alan DeKok.
>
>
You are not quite right.
Just imagine.
There is a managed (RADIUS-supporting) switch with some free, unused RJ45
cords.
Once some visitor comes with his/her laptop and plugs a free cord into the
laptop's Ethernet connector.
So we have a wired client.
But that's not all. I am talking about a statically assigned IP for the device.
His/her laptop is statically assigned IP/mask/gateway/DNS. That is, the device has,
besides the MAC, an IP.
So, the device sends its first packets to the switch.
The switch examines the packet for MAC and for IP, yes, it engages L2 and L3.
And collects port #, MAC and IP, if any, wraps them into a unicast packet and
sends it to the RADIUS server.
The RADIUS server looks through its own DB for the port-MAC-IP trinity's existence.
And if there is one, RADIUS sends out (replies) to the switch to allow the device
access to the network; if RADIUS doesn't find an occurrence, it sends out a command to
the switch to deny that very device access to the network via the port.

If there is no IP in the first packet, the switch examines port and MAC only, and
sends the data to RADIUS, and the searching and making of a decision to allow or
grant access to the network is done by the pair port=MAC.
That is in the case of a dynamically assigned IP, for example.
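The decision rule described in the message above, written out as an added example (not code from the thread or from the FreeRADIUS project). It models an Access-Request as a dictionary of attribute names that switches commonly send for MAC-based authentication (NAS-Identifier, NAS-Port-Id, Calling-Station-Id, and Framed-IP-Address when the NAS supplies it); the allowed-device table, the switch name and the sample requests are constructed for the example. The lookup is keyed on switch+port first, then the MAC must match, and the IP is only compared when the request actually carries one, which is the "no IP in the first packet" fallback the poster describes.

```python
# Added example: port/MAC/IP authorization lookup as described in the thread.
# Attribute names are standard RADIUS attributes; the data below is constructed.
import re

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"


def normalize_mac(raw: str) -> str:
    """Canonicalise the MAC carried in Calling-Station-Id.

    Switches send it in several shapes (00-11-22-33-44-55, 0011.2233.4455,
    00:11:22:33:44:55, upper or lower case); compare on one form only.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    h = hexdigits.lower()
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


# Constructed "database" of provisioned devices, keyed by (NAS-Identifier, port)
# so a known MAC is not accepted on an arbitrary port of an arbitrary switch.
# "ip": None means no static IP is registered for that device (dynamic case).
ALLOWED = {
    ("sw-floor1", "GigabitEthernet1/0/7"): {"mac": "00:11:22:33:44:55", "ip": "10.0.1.50"},
    ("sw-floor1", "GigabitEthernet1/0/8"): {"mac": "00:11:22:33:44:66", "ip": None},
}


def authorize(request: dict) -> tuple:
    """Decide on one Access-Request given as {attribute-name: value}.

    Rule from the thread: port+MAC must match; when the request also carries
    Framed-IP-Address, the registered static IP must match too.
    Returns (reply-code, reason).
    """
    try:
        nas = request["NAS-Identifier"]
        port = request["NAS-Port-Id"]
        mac = normalize_mac(request["Calling-Station-Id"])
    except KeyError as missing:
        return REJECT, f"missing attribute {missing}"
    except ValueError as bad:
        return REJECT, str(bad)

    entry = ALLOWED.get((nas, port))
    if entry is None:
        return REJECT, f"port {port} on {nas} is not provisioned"
    if entry["mac"] != mac:
        return REJECT, f"MAC {mac} not registered on {nas} {port}"

    ip = request.get("Framed-IP-Address")
    if ip is None:
        # Dynamic-IP case: only the port/MAC pair is checked.
        return ACCEPT, "port+MAC match (no IP in request)"
    if entry["ip"] is None:
        return REJECT, "request carries an IP but none is registered for this device"
    if entry["ip"] != ip:
        return REJECT, f"IP {ip} does not match registered {entry['ip']}"
    return ACCEPT, "port+MAC+IP match"


# Constructed sample requests covering the static, dynamic and mismatch cases.
SAMPLE_REQUESTS = [
    {"NAS-Identifier": "sw-floor1", "NAS-Port-Id": "GigabitEthernet1/0/7",
     "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.0.1.50"},
    {"NAS-Identifier": "sw-floor1", "NAS-Port-Id": "GigabitEthernet1/0/8",
     "Calling-Station-Id": "0011.2233.4466"},
    {"NAS-Identifier": "sw-floor1", "NAS-Port-Id": "GigabitEthernet1/0/7",
     "Calling-Station-Id": "00:11:22:33:44:55", "Framed-IP-Address": "10.0.1.99"},
    {"NAS-Identifier": "sw-floor1", "NAS-Port-Id": "GigabitEthernet1/0/9",
     "Calling-Station-Id": "00:11:22:33:44:55"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(authorize(req))
```

The branch that compares the IP only runs when the NAS puts Framed-IP-Address into the Access-Request; as the quoted reply notes, at the moment of port authentication the host usually has no address the switch can report, so on a real deployment confirm with `radiusd -X` which attributes actually arrive before relying on the IP check.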

