[e-nsp] ExtremeXOS 12.x mac authentication vs 802.1x

Youssef Ghorbal youssef.ghorbal at gmail.com
Mon Nov 1 08:52:52 EDT 2010


On Mon, Nov 1, 2010 at 11:08 AM, Kerry Milestone <km4 at sanger.ac.uk> wrote:
> Hello,
>
> what you want to do is on your Radius backend, have a database of all known
> machines mac addresses.

Even those that can do 802.1x authentication?

> The switch will try and do macauth first, then on a successful database
> lookup (ie, the machine *can* do dot1x) send back a radius *failed* request.
> This will force the switch to initiate dot1x and negotiate a succeed
> response. Obviously, for non-dot1x-able machines, it will send back a radius
> accept.

I didn't get the logic here. What I didn't understand is how does it
happen that a "successful database lookup" will send back a "failed"
request?
Is this behavior/logic documented somewhere?

> This works very well - you are lucky Extreme switches are smart and by
> default will try mac first *and* then try dot1x.

I'm counting on the "smartness" of the switch indeed.

> I'd suggest creating a separate printer VLAN, or mac authed vlan, as
> obviously their (validity)security is reduced to a spoofable mac address to
> gain access to the network.  This also is where Extreme's private VLANs come
> in handy too.

In fact, mac authed equipment will be in a separate vlan.

Appreciate your help :)

Youssef Ghorbal
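The mac-auth-then-dot1x decision logic described in Kerry's reply, as an added toy model that is not from the thread or from ExtremeXOS: the RADIUS backend rejects a mac-auth request for any known host flagged as 802.1X-capable so the switch falls through to dot1x, and only accepts mac-auth for hosts that cannot do dot1x, placing them in a separate VLAN. The MAC database, the user store, the VLAN numbers and the `supplicant` argument are constructed assumptions.

```python
# Added example, not code from the thread or from ExtremeXOS.
# Models the mac-auth-first, then-dot1x flow with a RADIUS backend that
# uses a database of known MACs plus a "can do dot1x" flag (assumption).

# Constructed sample "known machines" database: MAC -> dot1x capability.
KNOWN_MACS = {
    "00:11:22:33:44:55": {"dot1x_capable": True},   # laptop with a supplicant
    "aa:bb:cc:dd:ee:01": {"dot1x_capable": False},  # printer, mac-auth only
}
# Constructed dot1x credential store (hypothetical; real setups use EAP).
DOT1X_USERS = {"alice": "correct horse battery staple"}

MACAUTH_VLAN = 20   # lower-trust VLAN for mac-authed devices (assumed number)
DOT1X_VLAN = 10     # VLAN for hosts that completed 802.1X (assumed number)


def radius_macauth(mac):
    """Backend decision for a mac-auth request: ('Accept', vlan) or ('Reject', None)."""
    entry = KNOWN_MACS.get(mac.lower())
    if entry is None:
        return ("Reject", None)       # unknown MAC: no network access
    if entry["dot1x_capable"]:
        return ("Reject", None)       # known dot1x host: make the switch try dot1x
    return ("Accept", MACAUTH_VLAN)   # non-dot1x device: accept into the mac-auth VLAN


def radius_dot1x(user, password):
    """Backend decision for the dot1x attempt that follows a mac-auth reject."""
    if DOT1X_USERS.get(user) == password:
        return ("Accept", DOT1X_VLAN)
    return ("Reject", None)


def switch_port_auth(mac, supplicant=None):
    """Model the switch: try mac-auth first, then dot1x if a supplicant answers.
    supplicant is (user, password) or None. Returns (method, vlan) or ('none', None)."""
    result, vlan = radius_macauth(mac)
    if result == "Accept":
        return ("macauth", vlan)
    if supplicant is not None:
        result, vlan = radius_dot1x(*supplicant)
        if result == "Accept":
            return ("dot1x", vlan)
    return ("none", None)             # rejected on both methods: port stays closed
```

The last case is the point of the rejection: a host that merely presents the laptop's MAC without a working supplicant is not admitted at all, while the printer still lands only in the lower-trust VLAN.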


