Port/mac/IP authentication, authorization, auditing. Is it possible ?

Alan DeKok aland at deployingradius.com
Sun Jun 9 18:20:55 CEST 2019


On Jun 9, 2019, at 11:15 AM, CpServiceSPb <cpservicespb at gmail.com> wrote:
> And I provided the exact situation when ___device has an IP__ .
> 
> At least at itself.

  You're replying as if I didn't understand your message.  I did understand it, I just think it's not relevant.

  Here's your choice.  You can:

a) learn from other people

b) insist that you know better.

  One approach is productive.  The other approach is unproductive.

> It is not received from dhcp server after checking access rights to a network.
> 
> It is set up manually before plugging to the switch.

  That IP is entirely useless and irrelevant.  It doesn't matter what is on the end system.  The rest of the network will ignore it.

> I supposed that switches wrap usually  only macs, may be ports to
> uncast packet sent to Radius server.
> 
> As a dhcp relay.

  Or, via MAC address authentication.  Which is common on many switches.

  If you have some experience with network equipment, you would know that switches don't send IP address information in RADIUS packets for MAC auth.

> But initially my quiestion was about ability to extend functionality
> of Radius by using some modules and of some switches to __limit /
> manage access__ to a network at
> access level witch on hybrid assigning IP environment - dymanically
> and statically but with controlling and making if a decision from
> server not switch side.

  Sure.  Replace all of the switches with ones that implement your magic scheme.

> So, the quesion was is it possible by Radius (may be with some
> additional modules) or are there plans to implement it ?

  This is the FreeRADIUS list.  That means the subject of this list is FreeRADIUS.  We don't re-define how RADIUS works on this list.

  If you want to re-define RADIUS, go ahead.  But since no one will implement your magic extensions to RADIUS, they won't have any relevant to anyone.

  Again, you're arguing against people who've done this for 25 years.  All of these ideas have been thought of before.  They've been dealt with in detail.  The people doing RADIUS aren't dumb, and you haven't thought of anything new.

  Alan DeKok.





More information about the Freeradius-Users mailing list