[e-nsp] ExtremeXOS 12.x mac authentication vs 802.1x

Kerry Milestone km4 at sanger.ac.uk
Mon Nov 1 06:08:17 EDT 2010


Hello,

What you want to do is, on your RADIUS backend, have a database of all known machines' MAC addresses.

The switch will try and do MAC auth first, then on a successful database lookup (i.e., the machine *can* do dot1x) send
back a RADIUS *failed* response. This will force the switch to initiate dot1x and negotiate a successful response.
Obviously, for non-dot1x-capable machines, it will send back a RADIUS accept.

This works very well - you are lucky Extreme switches are smart and by default will try MAC first *and* then try dot1x.

I'd suggest creating a separate printer VLAN, or MAC-authed VLAN, as obviously their (validity) security is reduced to a
spoofable MAC address to gain access to the network. This is also where Extreme's private VLANs come in handy too.

Regards,
Kerry.



On 29/10/10 22:22, Youssef Ghorbal wrote:
> Hello,
>
>   I want to deploy 802.1x authentication for network hosts that support
> it. I managed to make 802.1x work on the switch.
>   ...
>   # enable netlogin port x dot1x
>   ...
>
>   For hosts that do not support 802.1x authentication (printers)
> mac authentication will be used. I managed to make the mac
> authentication work on the switch too.
>   ...
>   # enable netlogin port y mac
>   ...
>
>   The problem is that I don't know on which port there will be printers
> and on which ones there will be hosts. It seems that the port can be
> put in a dual mode:
>   # enable netlogin port z dot1x mac
>
>   I can't find how this dual mode is supposed to work. Will it do both
> authentications and "OR" the result?
>   How can I make it work that way? That way I can only add
> printers' "mac" accounts on my Radius and I'm sure that only printers
> get authenticated using the "mac" facility.
>
> Thank you for your help.
>
> Youssef Ghorbal
> _______________________________________________
> extreme-nsp mailing list
> extreme-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/extreme-nsp

-- 
.---------------------------------------.
.- Kerry Milestone  ---  Networks Team -.
.- The Wellcome Trust Sanger Institute -.
.-                                     -.
.- km4 at sanger.ac.uk                    -.
.- +44 (0)1223 834244 x2320            -.
-----------------------------------------


-- 
 The Wellcome Trust Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
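The MAC-first-then-802.1X decision Kerry describes, modelled in Python as an added example (this is not ExtremeXOS code nor any RADIUS server's policy language). It assumes the switch sends MAC-auth requests with the MAC address as User-Name and no EAP-Message, and that 802.1X requests carry an EAP-Message; the device inventory, the 802.1X user, the VLAN names and the MACs are constructed sample data. The RADIUS side rejects MAC auth for any MAC that is unknown or marked dot1x-capable, so the switch falls through to 802.1X; only inventoried non-supplicant devices (printers) get an Access-Accept, placed into a dedicated VLAN:

```python
"""Model of the MAC-auth-then-802.1X scheme from the reply above.

Added example, not code from ExtremeXOS or any RADIUS server.  Assumptions:
MAC-auth requests carry the MAC as User-Name and no EAP-Message; 802.1X
requests carry an EAP-Message.  All tables below are constructed sample data.
"""
import re

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"

# Constructed inventory: every known MAC and whether the device runs a supplicant.
KNOWN_DEVICES = {
    "001122334455": {"dot1x_capable": True,  "vlan": "staff"},     # a laptop
    "00aabbccddee": {"dot1x_capable": False, "vlan": "printers"},  # a printer
}

# Constructed 802.1X identities; a password check stands in for the EAP exchange.
DOT1X_USERS = {"alice": ("s3cret", "staff")}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Strip separators so '00:11:22:33:44:55', '00-11-22-33-44-55' and
    '001122334455' all map to the same inventory key; None if not a MAC."""
    mac = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return mac if _MAC_RE.match(mac) else None


def vlan_attrs(vlan):
    """Standard RADIUS tunnel attributes used for dynamic VLAN assignment."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": vlan}


def radius_decide(request):
    """Return (code, reply_attributes) for one request dict (the backend's policy)."""
    if "EAP-Message" in request:                      # 802.1X leg
        user = DOT1X_USERS.get(request.get("User-Name"))
        if user and user[0] == request.get("User-Password"):
            return ACCEPT, vlan_attrs(user[1])
        return REJECT, {}
    mac = normalize_mac(request.get("User-Name", ""))  # MAC-auth leg
    entry = KNOWN_DEVICES.get(mac) if mac else None
    if entry is None:
        return REJECT, {}        # unknown MAC: no MAC-auth access at all
    if entry["dot1x_capable"]:
        return REJECT, {}        # known and capable: reject so the switch tries dot1x
    return ACCEPT, vlan_attrs(entry["vlan"])          # printer: MAC-authed VLAN only


def switch_port_netlogin(mac, supplicant=None):
    """Model 'enable netlogin port z dot1x mac': MAC auth first, then 802.1X.

    supplicant is None (no 802.1X stack, e.g. a printer) or a
    (username, password) tuple.  Returns (method, vlan), or (None, None)
    when the port stays unauthenticated.
    """
    code, attrs = radius_decide({"User-Name": mac, "User-Password": mac})
    if code == ACCEPT:
        return "mac", attrs["Tunnel-Private-Group-Id"]
    if supplicant is None:
        return None, None
    user, pw = supplicant
    code, attrs = radius_decide({"User-Name": user, "User-Password": pw,
                                 "EAP-Message": b"(eap payload omitted)"})
    if code == ACCEPT:
        return "dot1x", attrs["Tunnel-Private-Group-Id"]
    return None, None


if __name__ == "__main__":
    print(switch_port_netlogin("00:AA:BB:CC:DD:EE"))                        # printer
    print(switch_port_netlogin("00:11:22:33:44:55", ("alice", "s3cret")))   # laptop
    print(switch_port_netlogin("00:11:22:33:44:55"))                        # laptop, no supplicant
```

Running the three cases shows the printer landing in the `printers` VLAN via MAC auth, the laptop being rejected on MAC auth and then accepted via 802.1X into `staff`, and the laptop with no supplicant staying off the network. The reduced-security point in the reply is visible in the model too: a device presenting the printer's MAC gets exactly what the printer gets, the MAC-authed VLAN and nothing more, which is why that VLAN should be kept separate from the 802.1X-authenticated one.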

