Port/mac/IP authentication, authorization, auditing. Is it possible ?

jm+freeradiususer at roth.lu jm+freeradiususer at roth.lu
Sun Jun 9 15:32:27 CEST 2019

On 6/9/2019 2:42 PM, CpServiceSPb wrote:
> сб, 1 июн. 2019 г. в 21:57, CpServiceSPb <cpservicespb at gmail.com>:
>> Is it possible by default or by using additional modules to authentice,
>> authorize devices plugged to managed switch not only by mac, btu also by
>> mac/ip or port/mac/ip, especially for statically assigned devices ?
>> You can generally authenticate by MAC, but not by IP.  RADIUS is about
>> network access.  And the device doesn't have an IP until after it's been
>> given network access.
>>    Look at the debug output: radiusd -X.
>>    Then, see which attributes are in the input packet.  Those attributes
>> are the ones that you can use for authorization / authentication checks.
>>    Alan DeKok.
> You are not quite right.
> Just imagine.
> There is managed (supporting Radius) switch with some free not used RJ45
> cords.
> Once some visitor comes with his/her laptop and plugs free cord to its
> laptop ethernet connector.
> So we have wired client.
> But that's not all. I talk about stacially assigned IP for the device.
> His/her laptop is statically assigned IP/mask/gate/dns. That is device has b
> esides mac and IP.
> So, device send first packets to the switch.
> Switch examine the packet for mac and for IP, yes it engage L2 and L3.
> And collect port #, mac and IP, if any, wrap it to a unicast packet and
> send to Radius server.
> Radius server look through its own DB for port-mac-IP trinity existence.
> And if it is any, Radius send out (reply) to th switch to alllow the deice
> acces to a network, if Radius ddon' t find occurance it send out command to
> the swithc to deny to very device access to network via the port.
> If there is no IP at a firtst packet, switch examine port and mac only, and
> send the data to Radius and searching and makig of a decision to allow or
> grant acces to the network is made by couple of port=mac.
> It is in a case of dynamically assigned IP for example.

It seems you are not grasping the concepts here. (see also 

The authentication process involves two elements:
1) a client (the NAS = Network Access Server) which in your case is your 
2) an authentication server, in this case a Radius server, for example 

Simplistically speaking, the server is fed some data, looks at it, 
somehow processes it and replies with a "yes" or a "no".

What Alan was trying to explain to you: The server can only act on the 
data it is given.

You are asking the wrong people here. Go ask your switch vendor to send 
an IP address as part of the authentication. Please make sure to forward 
a copy of their response to this list.

BTW for dynamically assigned IP address an option is to use DHCP 
snooping on the switch. That will make sure the MAC/IP tuple must match.

More information about the Freeradius-Users mailing list