
ExtremeXOS 12.x mac authentication vs 802.1x
Hello,

I want to deploy 802.1x authentication for network hosts that support
it. I managed to get 802.1x to work on the switch.
...
# enable netlogin port x dot1x
...

For hosts that do not support 802.1x authentication (printers),
mac authentication will be used. I managed to get mac
authentication to work on the switch too.
...
# enable netlogin port y mac
...

The problem is that I don't know on which ports there will be printers
and on which ones there will be hosts. It seems that the port can be
put in a dual mode:
# enable netlogin port z dot1x mac

I can't find how this dual mode is supposed to work. Will it do both
authentications and "OR" the result?
How can I make it work that way? That way I only have to add
printers' "mac" accounts on my Radius, and I'm sure that only printers
get authenticated using the "mac" facility.

Thank you for your help.

Youssef Ghorbal
_______________________________________________
extreme-nsp mailing list
extreme-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/extreme-nsp
Re: ExtremeXOS 12.x mac authentication vs 802.1x
Hello,

What you want to do is, on your Radius backend, have a database of all known machines' mac addresses.

The switch will try and do macauth first, then on a successful database lookup (i.e., the machine *can* do dot1x) send
back a radius *failed* response. This will force the switch to initiate dot1x and negotiate a succeed response.
Obviously, for non-dot1x-able machines, it will send back a radius accept.

This works very well - you are lucky Extreme switches are smart and by default will try mac first *and* then try dot1x.

I'd suggest creating a separate printer VLAN, or mac-authed VLAN, as obviously their (validity) security is reduced to a
spoofable mac address to gain access to the network. This is also where Extreme's private VLANs come in handy.

Regards,
Kerry.



On 29/10/10 22:22, Youssef Ghorbal wrote:

--
.---------------------------------------.
.- Kerry Milestone --- Networks Team -.
.- The Wellcome Trust Sanger Institute -.
.- -.
.- km4@sanger.ac.uk -.
.- +44 (0)1223 834244 x2320 -.
-----------------------------------------


--
The Wellcome Trust Sanger Institute is operated by Genome Research
Limited, a charity registered in England with number 1021457 and a
company registered in England with number 2742969, whose registered
office is 215 Euston Road, London, NW1 2BE.
Re: ExtremeXOS 12.x mac authentication vs 802.1x
On Mon, Nov 1, 2010 at 11:08 AM, Kerry Milestone <km4@sanger.ac.uk> wrote:
> Hello,
>
> What you want to do is, on your Radius backend, have a database of all known
> machines' mac addresses.

Even those that can do 802.1x authentication?

> The switch will try and do macauth first, then on a successful database
> lookup (i.e., the machine *can* do dot1x) send back a radius *failed* response.
> This will force the switch to initiate dot1x and negotiate a succeed
> response. Obviously, for non-dot1x-able machines, it will send back a radius
> accept.

I didn't get the logic here. What I didn't understand is how it
happens that a "successful database lookup" will send back a "failed"
response?
Is this behavior/logic documented somewhere?

> This works very well - you are lucky Extreme switches are smart and by
> default will try mac first *and* then try dot1x.

I'm counting on the "smartness" of the switch indeed.

> I'd suggest creating a separate printer VLAN, or mac-authed VLAN, as
> obviously their (validity) security is reduced to a spoofable mac address to
> gain access to the network. This is also where Extreme's private VLANs come
> in handy.

In fact, mac-authed equipment will be in a separate VLAN.

Appreciate your help :)

Youssef Ghorbal

Re: ExtremeXOS 12.x mac authentication vs 802.1x
On 01/11/10 12:52, Youssef Ghorbal wrote:
> On Mon, Nov 1, 2010 at 11:08 AM, Kerry Milestone<km4@sanger.ac.uk> wrote:
>> Hello,
>>
>> What you want to do is, on your Radius backend, have a database of all known
>> machines' mac addresses.
>
> Even those that can do 802.1x authentication?

Well, you may as well create an inventory while you are at it :D You can then also keep track of where every machine
is coming from and other things which may be useful. The Radius netlogin request contains quite a bit of useful
information.

>
>> The switch will try and do macauth first, then on a successful database
>> lookup (i.e., the machine *can* do dot1x) send back a radius *failed* response.
>> This will force the switch to initiate dot1x and negotiate a succeed
>> response. Obviously, for non-dot1x-able machines, it will send back a radius
>> accept.
>
> I didn't get the logic here. What I didn't understand is how it
> happens that a "successful database lookup" will send back a "failed"
> response?
> Is this behavior/logic documented somewhere?

Dunno if it's documented; it's what works for me. A bit of code which does a lookup (LDAP). If it finds a positive match
of the mac address in question _and_ it is dot1x-able, then the Radiator server (within the lookup script) is configured to
negate and reply with the radius attribute Access-Reject, which makes the switch try another method: dot1x. If the
lookup finds a positive match in the database and it's not dot1x-able, it returns the radius attribute Access-Accept. If
the lookup doesn't find the mac address, then it's an unknown machine and likely not one that you want on the network, so
it will get an Access-Reject for both mac login and dot1x login.



>
>> This works very well - you are lucky Extreme switches are smart and by
>> default will try mac first *and* then try dot1x.
>
> I'm counting on the "smartness" of the switch indeed.
>
>> I'd suggest creating a separate printer VLAN, or mac-authed VLAN, as
>> obviously their (validity) security is reduced to a spoofable mac address to
>> gain access to the network. This is also where Extreme's private VLANs come
>> in handy.
>
> In fact, mac-authed equipment will be in a separate VLAN.

The Extreme Concepts Guide is your friend.


>
> Appreciate your help :)
>
> Youssef Ghorbal

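The three-way decision Kerry describes above (known and dot1x-able: reject mac auth so the switch falls through to dot1x; known and not dot1x-able: accept; unknown: reject), together with the separate mac-authed VLAN suggested earlier in the thread, as an added Python illustration. This is not the poster's Radiator/LDAP script; the inventory, the VLAN name and the tuple layout are constructed assumptions, and ExtremeXOS is assumed to send the device MAC as the RADIUS User-Name of the mac-auth request.

```python
"""MAC-auth access decision in the style of the thread's Radiator lookup.

Added illustration, not the list poster's script. The inventory and
the VLAN name below are constructed sample data (assumptions).
"""
import re

# Constructed inventory: normalized MAC -> (hostname, can_do_dot1x)
INVENTORY = {
    "00:11:22:33:44:55": ("printer-floor1", False),
    "00:11:22:33:44:66": ("laptop-ab", True),
}
MACAUTH_VLAN = "printers"  # assumed name of the separate mac-authed VLAN


def normalize_mac(raw):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or
    aabbccddeeff (switches differ in how they format User-Name)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_auth_decision(username, inventory=INVENTORY):
    """Return (radius_code, reply_attributes, reason) for one mac-auth
    Access-Request whose User-Name carries the device MAC."""
    try:
        mac = normalize_mac(username)
    except ValueError:
        return ("Access-Reject", {}, "malformed-mac")
    entry = inventory.get(mac)
    if entry is None:
        # Unknown machine: reject; it also has no dot1x account to fall back on.
        return ("Access-Reject", {}, "unknown-mac")
    name, dot1x_capable = entry
    if dot1x_capable:
        # Known host that can do 802.1X: refuse the weak mac auth on purpose
        # so the switch moves on to dot1x and the host must authenticate properly.
        return ("Access-Reject", {}, "defer-to-dot1x:" + name)
    # Known device without 802.1X (printer): accept, confined to the mac-authed VLAN.
    attrs = {"Tunnel-Type": "VLAN",
             "Tunnel-Medium-Type": "IEEE-802",
             "Tunnel-Private-Group-ID": MACAUTH_VLAN}
    return ("Access-Accept", attrs, "mac-auth:" + name)
```

Because a MAC address is trivially spoofable, the accept branch is the one to keep on a separate VLAN, which is why the reply attributes carry the VLAN assignment.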
Re: ExtremeXOS 12.x mac authentication vs 802.1x
>> I didn't get the logic here. What I didn't understand is how it
>> happens that a "successful database lookup" will send back a "failed"
>> response?
>> Is this behavior/logic documented somewhere?
>
> Dunno if it's documented; it's what works for me. A bit of code which does a
> lookup (LDAP). If it finds a positive match of the mac address in question
> _and_ it is dot1x-able, then the Radiator server (within the lookup script) is
> configured to negate and reply with the radius attribute Access-Reject,
> which makes the switch try another method: dot1x. If the lookup finds a
> positive match in the database and it's not dot1x-able, it returns the radius
> attribute Access-Accept. If the lookup doesn't find the mac address, then
> it's an unknown machine and likely not one that you want on the network, so
> it will get an Access-Reject for both mac login and dot1x login.

That's clearer now! I'll give it a shot.

Thanks for your time and assistance.

Youssef Ghorbal
