[e-nsp] ExtremeXOS 12.x mac authentication vs 802.1x
Kerry Milestone
km4 at sanger.ac.uk
Mon Nov 1 09:59:16 EDT 2010
On 01/11/10 12:52, Youssef Ghorbal wrote:
> On Mon, Nov 1, 2010 at 11:08 AM, Kerry Milestone<km4 at sanger.ac.uk> wrote:
>> Hello,
>>
>> what you want to do is on your Radius backend, have a database of all known
>> machines mac addresses.
>
> Even those that can do 802.1x authentication?
Well, you may as well create an inventory while you are at it :D You can then also keep track of where every machine
is coming from, and other things which may be useful. The Radius netlogin request contains quite a bit of useful
information.
>
>> The switch will try and do macauth first, then on a successful database
>> lookup (ie, the machine *can* do dot1x) send back a radius *failed* request.
>> This will force the switch to initiate dot1x and negotiate a success
>> response. Obviously, for non-dot1x-able machines, it will send back a radius
>> accept.
>
> I didn't get the logic here. What I didn't understand is how does it
> happen that a "successful database lookup" will send back a "failed"
> request?
> Is this behavior/logic documented somewhere?
Dunno if it's documented; it's what works for me. A bit of code which does a lookup (LDAP). If it finds a positive
match of the macaddress in question _and_ it is dot1x-able, then the radiator server (within the lookup script) is
configured to negate and reply with the radius attribute Access-Reject, which makes the switch try another method -
dot1x. If the lookup finds a positive match in the database and it's not dot1x-able, it returns the radius attribute
Access-Accept. If the lookup doesn't find the macaddress, then it's an unknown machine and likely not one that you want
on the network, so it will get an Access-Reject for both maclogin and dot1x login.
>
>> This works very well - you are lucky Extreme switches are smart and by
>> default will try mac first *and* then try dot1x.
>
> I'm counting on the "smartness" of the switch indeed.
>
>> I'd suggest creating a separate printer VLAN, or mac-authed VLAN, as
>> obviously their (validity) security is reduced to a spoofable mac address to
>> gain access to the network. This is also where Extreme's private VLANs come
>> in handy.
>
> In fact, mac-authed equipment will be in a separate vlan.
The Extreme Concepts Guide is your friend.
>
> Appreciate your help :)
>
> Youssef Ghorbal
--
.---------------------------------------.
.- Kerry Milestone --- Networks Team -.
.- The Wellcome Trust Sanger Institute -.
.- -.
.- km4 at sanger.ac.uk -.
.- +44 (0)1223 834244 x2320 -.
-----------------------------------------
--
The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
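The decision logic Kerry describes (mac lookup first; Access-Reject for a known dot1x-capable machine so the switch falls through to 802.1X; Access-Accept onto a separate mac-authed VLAN for a known non-dot1x device; Access-Reject for an unknown MAC on both methods), modelled as an added Python example. This is not the Radiator LDAP hook from the post and does not use Radiator's API: the inventory dictionary stands in for the LDAP directory, the VLAN names are made up, `eap_ok` stands in for the result of the EAP exchange the RADIUS server's 802.1X module would perform, and the RFC 3580 tunnel attributes are an assumption about how the VLAN is handed back to the switch.

```python
"""Policy model of the mac-auth-then-802.1X flow (added example, not the post's code).

Assumptions: INVENTORY stands in for the LDAP directory, the VLAN names are
invented, and `eap_ok` stands in for the outcome of the EAP exchange that the
RADIUS server's 802.1X module would perform.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Method(Enum):
    MAC = "netlogin-mac"
    DOT1X = "netlogin-dot1x"


class Result(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"


# Constructed inventory: canonical MAC -> whether the device can do 802.1X.
INVENTORY: Dict[str, Dict[str, object]] = {
    "00:11:22:33:44:55": {"dot1x": True, "owner": "staff laptop"},
    "aa:bb:cc:dd:ee:01": {"dot1x": False, "owner": "floor-2 printer"},
}

MAC_AUTH_VLAN = "macauth"  # assumed name of the restricted mac-authed VLAN
DOT1X_VLAN = "users"       # assumed name of the VLAN for 802.1X-authenticated hosts

HEX = "0123456789abcdef"


def normalize_mac(raw: str) -> Optional[str]:
    """Canonicalise 001122334455 / 00-11-.. / 0011.2233.4455 to 00:11:22:33:44:55."""
    digits = raw.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or not all(c in HEX for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Decision:
    result: Result
    vlan: Optional[str] = None
    reason: str = ""

    def attributes(self) -> Dict[str, str]:
        """RFC 3580-style VLAN assignment attributes for an Access-Accept.

        Whether the switch honours these or needs a vendor attribute depends on
        its netlogin configuration (assumption)."""
        if self.result is not Result.ACCEPT or self.vlan is None:
            return {}
        return {
            "Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": self.vlan,
        }


def decide(mac: str, method: Method, eap_ok: bool = False) -> Decision:
    """One RADIUS request: the inventory gate, applied per netlogin method."""
    key = normalize_mac(mac)
    entry = INVENTORY.get(key) if key else None
    if entry is None:
        # Unknown machine: rejected for both mac and dot1x login.
        return Decision(Result.REJECT, reason="MAC not in inventory")
    if method is Method.MAC:
        if entry["dot1x"]:
            # Known and dot1x-capable: reject the mac attempt on purpose so the
            # switch moves on to 802.1X instead of admitting a spoofable MAC.
            return Decision(Result.REJECT, reason="dot1x-capable, force 802.1X")
        return Decision(Result.ACCEPT, MAC_AUTH_VLAN, "mac-only device")
    # 802.1X phase: the MAC is known; admit only if the EAP exchange succeeded.
    if eap_ok:
        return Decision(Result.ACCEPT, DOT1X_VLAN, "802.1X credentials verified")
    return Decision(Result.REJECT, reason="802.1X credentials rejected")


def port_login(mac: str, eap_ok: bool = False) -> List[Decision]:
    """Model the switch's order of attempts: mac first, then dot1x on a reject."""
    trace = [decide(mac, Method.MAC)]
    if trace[0].result is Result.REJECT:
        trace.append(decide(mac, Method.DOT1X, eap_ok))
    return trace


if __name__ == "__main__":
    samples = (("00:11:22:33:44:55", True), ("aa-bb-cc-dd-ee-01", False),
               ("de:ad:be:ef:00:01", True))
    for mac, eap in samples:
        for method, d in zip(Method, port_login(mac, eap)):
            print(f"{mac} {method.value}: {d.result.value} ({d.reason}) {d.attributes()}")
```

The trace for the laptop shows the two-step pattern from the post (mac rejected, then dot1x accepted); the printer is accepted in one step onto the mac-authed VLAN, which is the only place a spoofed MAC can get to; the unknown MAC is rejected on both methods.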