[e-nsp] ExtremeXOS 12.x mac authentication vs 802.1x
Youssef Ghorbal
youssef.ghorbal at gmail.com
Mon Nov 1 08:52:52 EDT 2010
On Mon, Nov 1, 2010 at 11:08 AM, Kerry Milestone <km4 at sanger.ac.uk> wrote:
> Hello,
>
> what you want to do is on your Radius backend, have a database of all known
> machines mac addresses.
Even those that can do 802.1x authentication?
> The switch will try and do macauth first, then on a successful database
> lookup (i.e., the machine *can* do dot1x) send back a radius *failed* request.
> This will force the switch to initiate dot1x and negotiate a succeed
> response. Obviously, for non-dot1x-able machines, it will send back a radius
> accept.
I didn't get the logic here. What I didn't understand is how does it
happen that a "successful database lookup" will send back a "failed"
request?
Is this behavior/logic documented somewhere?
> This works very well - you are lucky Extreme switches are smart and by
> default will try mac first *and* then try dot1x.
I'm counting on the "smartness" of the switch indeed.
> I'd suggest creating a separate printer VLAN, or mac authed vlan, as
> obviously their (validity) security is reduced to a spoofable mac address to
> gain access to the network. This also is where Extreme's private VLANs come
> in handy too.
In fact, mac authed equipment will be in a separate vlan.
Appreciate your help :)
Youssef Ghorbal
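The RADIUS back-end decision described above, modelled as an added example (it is not ExtremeXOS or any RADIUS server's code). It assumes the back-end keeps a MAC table that records whether each known device can do 802.1X, that the switch tells the server which method it is using, and that 802.1X is simplified to a username/password check instead of a real EAP exchange; the MAC addresses, users and VLAN names are constructed.

```python
import hmac

# Constructed sample MAC database: MAC -> whether the device can do 802.1X.
KNOWN_MACS = {
    "00:11:22:33:44:55": {"dot1x": True,  "desc": "staff laptop"},
    "aa:bb:cc:dd:ee:ff": {"dot1x": False, "desc": "printer"},
}
# Constructed credentials standing in for the real 802.1X/EAP exchange.
DOT1X_USERS = {"alice": "correct horse"}

MAC_AUTH_VLAN = "printers"   # constructed: VLAN for MAC-only devices (reduced trust)
DOT1X_VLAN = "staff"         # constructed: VLAN for devices that passed 802.1X


def decide(method, mac, username=None, password=None):
    """Return (reply_code, attributes) for one Access-Request.

    method is "mac" for MAC authentication or "dot1x" for 802.1X
    (assumed: the switch signals the method it is using).
    """
    entry = KNOWN_MACS.get(mac.lower())
    if method == "mac":
        if entry is None:
            return ("Access-Reject", {})          # unknown device
        if entry["dot1x"]:
            # Known *and* 802.1X-capable: reject on purpose so the switch
            # moves on to dot1x instead of trusting a spoofable MAC.
            return ("Access-Reject", {})
        # Known MAC-only device (e.g. printer): accept into the restricted VLAN.
        return ("Access-Accept", {"Tunnel-Private-Group-Id": MAC_AUTH_VLAN})
    if method == "dot1x":
        expected = DOT1X_USERS.get(username or "", "")
        if expected and hmac.compare_digest(expected, password or ""):
            return ("Access-Accept", {"Tunnel-Private-Group-Id": DOT1X_VLAN})
        return ("Access-Reject", {})
    return ("Access-Reject", {})                  # unknown method: fail closed
```

Walking the laptop through both steps shows the point of the thread: the MAC lookup succeeds but returns a reject, and only the subsequent 802.1X request is accepted.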