[EMAIL PROTECTED] wrote:
>> Do they support Mac-Based Auth + 802.1X on the same port?
>
> In a (very) weird way. It's not MAC auth + 802.1X but MAC auth *in*
> 802.1X (the MAC address is sent as user/pass - requires registry hacking on
> XP). And then you can re-authenticate with username/pass.
>
> There is also something called MAC authentication bypass for 802.1X. If
> enabled, the switch will do MAC auth if it doesn't get an EAPOL packet from the
> supplicant. So, in a manner of speaking, you can have MAC auth and
> (probably should say or - the idea is to be able to connect something
> that doesn't do 802.1X, like a network printer) 802.1X on the same port.
>
Yes, that's how I thought it worked. I guess that's OK in some situations, but it's really inflexible in others.

HP ProCurve switches allow you to enable both methods of authentication together on the same port. It's a little weird how it operates, but it seems to work very well in most situations.

When a device connects to the port, the switch starts sending EAP Identity Request packets. If the device responds with an EAP Identity Response and successfully completes 802.1X-based authentication, the port goes into an open state with the PVID set to the VLAN assigned in the Access-Accept packet.

If the device does not respond to the Identity Request (or fails 802.1X authentication) and starts sending non-EAPOL frames to the port, the switch writes the source MAC of the device into the User-Name field and sends an Access-Request packet to the RADIUS server. If the RADIUS server responds to the Access-Request with an Access-Accept packet and a VLAN assignment, the PVID is changed to that VLAN. If the server responds with an Access-Reject, the port either remains closed or, if you have an Unauth-Vid configured for MAC-based auth, the PVID is changed to that.

If the port is in the unauth state or is authenticated via MAC-based authentication, the switch will continue to send EAP Identity Requests. If at any point the device initiates 802.1X authentication and succeeds in authenticating, the PVID of the port will change to the one assigned in 802.1X authentication. If the device then sends an EAPOL-Logoff packet, the switch will attempt to re-authenticate the device using MAC-based authentication.
Arran

-- 
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
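The sequence Arran describes (Identity Requests on link-up, 802.1X if the supplicant answers, MAC-based auth with the source MAC as User-Name on the first non-EAPOL frame, Unauth-Vid on reject, Identity Requests continuing until 802.1X succeeds, and a MAC-auth retry after EAPOL-Logoff) is easier to follow as a state machine. The following is an added toy model written for this page; it is not HP firmware, not FreeRADIUS code and not from the original post. The RADIUS server is a dictionary keyed by User-Name, the MAC-to-User-Name format (lowercase hex, no separators) and the "no re-authentication per frame once MAC-authenticated" rule are assumptions, and the MACs, identities and VLAN numbers are constructed.

```python
"""Toy model of the ProCurve port behaviour described above (added example,
not HP firmware or FreeRADIUS code; RADIUS is a dict keyed by User-Name)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CLOSED = "closed"          # nothing forwarded, no PVID
UNAUTH_VID = "unauth-vid"  # MAC auth rejected, parked in the configured Unauth-Vid
MAC_AUTH = "mac-auth"      # RADIUS accepted the source MAC as User-Name
DOT1X_AUTH = "802.1x"      # RADIUS accepted an EAP identity


def mac_as_user_name(mac: str) -> str:
    # Assumed User-Name format: lowercase hex, no separators.
    return mac.replace(":", "").replace("-", "").replace(".", "").lower()


@dataclass
class RadiusServer:
    """Stand-in RADIUS server: User-Name -> VLAN returned in Access-Accept."""
    users: Dict[str, int]

    def access_request(self, user_name: str) -> Tuple[str, Optional[int]]:
        if user_name in self.users:
            return "Access-Accept", self.users[user_name]
        return "Access-Reject", None


@dataclass
class Port:
    radius: RadiusServer
    mac_unauth_vid: Optional[int] = None   # Unauth-Vid for MAC-based auth, if set
    state: str = CLOSED
    pvid: Optional[int] = None
    last_mac: Optional[str] = None
    log: List[str] = field(default_factory=list)

    def link_up(self) -> None:
        self.state, self.pvid = CLOSED, None
        self._send_identity_request()

    def _send_identity_request(self) -> None:
        self.log.append("switch -> EAP-Request/Identity")

    def _mac_auth(self, mac: str) -> None:
        """Write the source MAC into User-Name and send an Access-Request."""
        user = mac_as_user_name(mac)
        code, vlan = self.radius.access_request(user)
        if code == "Access-Accept":
            self.state, self.pvid = MAC_AUTH, vlan
        elif self.mac_unauth_vid is not None:
            self.state, self.pvid = UNAUTH_VID, self.mac_unauth_vid
        else:
            self.state, self.pvid = CLOSED, None
        self.log.append(f"MAC auth {code} for {user}: {self.state} PVID={self.pvid}")
        self._send_identity_request()   # still not 802.1X-authed: keep inviting

    def non_eapol_frame(self, src_mac: str) -> None:
        """Non-EAPOL frame: the device did not answer the Identity Request."""
        self.last_mac = src_mac
        if self.state == CLOSED:        # assumption: no re-auth once MAC-authed/parked
            self._mac_auth(src_mac)

    def eapol_identity_response(self, identity: str, src_mac: str) -> None:
        """Supplicant answered: run 802.1X via RADIUS from any non-802.1X state."""
        self.last_mac = src_mac
        code, vlan = self.radius.access_request(identity)
        if code == "Access-Accept":
            self.state, self.pvid = DOT1X_AUTH, vlan
        # on reject the port keeps its state; a later non-EAPOL frame on a closed port triggers MAC auth
        self.log.append(f"802.1X {code} for {identity}: {self.state} PVID={self.pvid}")

    def eapol_logoff(self) -> None:
        """EAPOL-Logoff ends the 802.1X session; the switch retries MAC-based auth."""
        self.log.append("supplicant -> EAPOL-Logoff")
        self.state, self.pvid = CLOSED, None
        if self.last_mac is not None:
            self._mac_auth(self.last_mac)


# Constructed policy: a printer known by MAC, one 802.1X user.
RADIUS = RadiusServer(users={"001122aabbcc": 20, "alice": 10})


def printer_scenario() -> Port:
    """Printer with no supplicant: MAC-based auth lands it in VLAN 20."""
    port = Port(RADIUS, mac_unauth_vid=99)
    port.link_up()
    port.non_eapol_frame("00:11:22:AA:BB:CC")
    return port


def laptop_scenario() -> Port:
    """Unknown MAC -> Unauth-Vid 99; 802.1X as alice -> VLAN 10; logoff -> 99."""
    port = Port(RADIUS, mac_unauth_vid=99)
    port.link_up()
    port.non_eapol_frame("de:ad:be:ef:00:01")
    port.eapol_identity_response("alice", "de:ad:be:ef:00:01")
    port.eapol_logoff()
    return port
```

Running `laptop_scenario()` and printing `port.log` shows the ordering that matters operationally: the laptop first lands in the Unauth-Vid because its MAC is unknown, is moved to VLAN 10 once the supplicant completes 802.1X, and drops back to the Unauth-Vid (not to VLAN 10) after EAPOL-Logoff because the switch re-runs MAC-based auth. The practical consequence is that the RADIUS policy for MAC User-Names must be deliberately restrictive: any MAC it accepts bypasses 802.1X entirely, and a device in the Unauth-Vid is still being offered 802.1X on every Identity Request.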

