Port/mac/IP authentication, authorization, auditing. Is it possible ?

Alan DeKok aland at deployingradius.com
Sun Jun 9 16:33:07 CEST 2019


On Jun 9, 2019, at 8:42 AM, CpServiceSPb <cpservicespb at gmail.com> wrote:
> You are not quite right.

  How nice that you know more about RADIUS than people who've been doing it for 25 years.

> Just imagine.
> There is managed (supporting Radius) switch with some free not used RJ45
> cords.
> Once some visitor comes with his/her laptop and plugs free cord to its
> laptop ethernet connector.
> So we have wired client.
> But that's not all. I talk about statically assigned IP for the device.
> His/her laptop is statically assigned IP/mask/gate/dns. That is device has
> besides mac and IP.

  That's not how RADIUS works.

> So, device send first packets to the switch.
> Switch examine the packet for mac and for IP, yes it engage L2 and L3.
> And collect port #, mac and IP, if any, wrap it to a unicast packet and
> send to Radius server.

  That's not how switches work.

> Radius server look through its own DB for port-mac-IP trinity existence.

  That's not how RADIUS works.

> And if it is any, Radius send out (reply) to the switch to allow the device
> access to a network, if Radius don't find occurrence it send out command to
> the switch to deny to very device access to network via the port.
> 
> If there is no IP at a first packet, switch examine port and mac only, and
> send the data to Radius and searching and making of a decision to allow or
> grant access to the network is made by couple of port=mac.
> It is in a case of dynamically assigned IP for example.

  Please imagine that you've completely misunderstood how RADIUS works.  And, that you're working hard to explain it to someone who's written half of the RADIUS standards.

  Alan DeKok.
