Hi Alan,
 
Thank you very much for the quick response!
 
Actually you are right. The password is in MD5 hash, not in clear text!
 
I may not be able to use the guest VLAN (the VLAN the device will be put in 
after a failed or timed-out 802.1x request) because I need to use this VLAN for 
some other devices!
 
For these 00a008 devices, my real purpose actually is NOT to "authenticate" them 
but rather to assign them to a specific VLAN by using the dynamic VLAN assignment 
feature of the switch. I have figured it out and tested it. I just have to put 
in special attributes under each user (in this case the MAC of the device) in 
the users file.
 
If I use AD or SQL, can I write a script to accomplish the logic I need so I 
don't have to type in each individual MAC as UN/PW in the database? It still 
sounds like I need to (for example in AD) manually input each of them in the 
database. Can you please give me details about how to implement it in this case?
 
BTW I'd rather not use SQL because I know pretty much nothing about it, lol.
 
I appreciate your advice! Thank you!
 
Difan
 
________________________________

From: freeradius-users-bounces+difan.zhao=guest-tek....@lists.freeradius.org on 
behalf of Alan Buxey
Sent: Sat 12/19/2009 2:34 AM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit the users 
file to include multiple MAC addresses??

Hi,

> The way it works is that (I figured it out by running debug on the switch 
> and by using Wireshark), if the supplicant device doesn't support 802.1x, the 
> switch (172.17.254.100) sends an access request to the FreeRADIUS server 
> (172.17.1.1) with the username and password both being the MAC address of the 
> device!

correct - with the MAC in very plain format... i.e. all symbols stripped so it's 
just, as you wrote, "00a0080806bd" (rather than e.g. 00a0.0808.06bd or 
00:a0:08:08:06:bd or 00-a0-08-08-06-bd)


by the way, depending on what IOS you've got, this will change - the new IOS 
(and this can be configured too on some previous versions) will send the 
password in the form of the MD5 of the MAC address!

> That brings my dilemma! I have like 200 devices like this. I don't want to 
> edit my users file with each of the MAC addresses as the UN/PW. Is there an 
> easy way to write a script-like thing to include all of them? The MAC 
> addresses all start with "00:a0:08". I want a logic like:

many ways to do this - you certainly don't need to play with the users file - you 
might want to, e.g., put them into AD/LDAP or put them into SQL. in SQL you can 
set

User-Name       Attribute               Op      Value
00a0080806bd    Cleartext-Password      :=      00a0080806bd


if you KNOW that the addresses are valid, then you could scrape them... 
alternatively, set the fail/guest VLAN to be behind a captive portal box and 
then the users get to see a 'login page' and when they click login, you can grab 
their IP address and therefore their MAC address and then insert that into SQL. 
just a quick idea... monday morning project.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 
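Added example, not part of this thread or of FreeRADIUS itself: a small Python
generator for the users-file entries discussed above. It normalizes MACs written
in any of the formats Alan lists to the stripped lowercase form the switch sends,
keeps only the trusted 00a008 OUI, and emits each entry with the dynamic-VLAN
reply attributes. The MD5 option assumes the switch hashes the stripped lowercase
MAC and sends the hex digest as the PAP password; confirm that against a switch
debug before relying on it. The sample MACs and VLAN id are constructed.

```python
import hashlib
import re

# Constructed sample input: the same MAC family in the formats the thread
# mentions, plus one MAC from another vendor that must be skipped.
SAMPLE_MACS = [
    "00:a0:08:08:06:bd",
    "00a0.0808.06be",
    "00-A0-08-08-06-BF",
    "00:1a:2b:3c:4d:5e",
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Strip separators and lowercase: '00:a0:08:08:06:bd' -> '00a0080806bd'."""
    stripped = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(stripped):
        raise ValueError("not a MAC address: %r" % mac)
    return stripped


def expected_password(mac, md5_password=False):
    # Assumption: the MD5 variant hashes the stripped lowercase MAC and sends
    # the 32-char hex digest; otherwise the password is the MAC itself.
    return hashlib.md5(mac.encode()).hexdigest() if md5_password else mac


def users_entry(mac, vlan, md5_password=False):
    """One users-file entry: check item on line 1, reply items indented below."""
    mac = normalize_mac(mac)
    pw = expected_password(mac, md5_password)
    return (
        '%s\tCleartext-Password := "%s"\n'
        '\tTunnel-Type = VLAN,\n'
        '\tTunnel-Medium-Type = IEEE-802,\n'
        '\tTunnel-Private-Group-Id = "%s"\n\n' % (mac, pw, vlan)
    )


def generate_users(macs, vlan, oui_prefix="00a008", md5_password=False):
    """Emit entries only for MACs in the trusted OUI; typos and other vendors are dropped."""
    entries = []
    for m in macs:
        n = normalize_mac(m)
        if n.startswith(oui_prefix):
            entries.append(users_entry(n, vlan, md5_password))
    return "".join(entries)


if __name__ == "__main__":
    print(generate_users(SAMPLE_MACS, "100"))
```

Redirect the output into a dedicated file and include it from the users file (or paste it in) so the generated block can be regenerated without touching hand-written entries.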
