Hello Leonardo,

I think it won’t help much adding a delay in the RADIUS for MAC authentication.

https://www.alliedtelesis.com/sites/default/files/documents/feature-guides/aaa_and_port_authentication_feature_overview_guide.pdf

Two-step authentication is supported on the devices that have switch ports. 
When two-step authentication is enabled the sequence is MAC authentication 
first followed by 802.1X authentication.

Having MAC authentication first and then 802.1X is no problem; if 802.1X is 
enabled, it will override the access given by MAC authentication and it would 
work. HP does the same thing for some switches and it works.

Thanks,

Ludovic Zammit
lzam...@inverse.ca :: +1.514.447.4918 (x145) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) 
and PacketFence (http://packetfence.org) 




> On Jul 1, 2020, at 4:31 AM, Leonardo Secci via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hello Everyone,
> 
> I have a question about approaching a common issue with some switches in my 
> environment.
> 
> All authenticators must be able to authorize ports either by 802.1x based on 
> AD or by MAC-AUTH.
> 
> With Cisco I choose to set the order "dot1x mab", so if a wired user wants to 
> access with a domain credential, they can simply unplug the cable, enable 
> 802.1x and replug; now the OS shows the popup to finalize authorization.
> 
> Unfortunately, other switches like the AlliedTelesis x510 don't have a mode to 
> set the order and MAC-AUTH is always first, so if the OS of the device stores 
> the domain's credentials the 802.1x succeeds; otherwise no popup is shown and 
> the port is authorized on the registration VLAN.
> 
> In the mailing list I found a post dating back to June 2013 with subject "Add 
> .5 second delay for mac-auth?" in which it is proposed to insert a delay in 
> the RADIUS response for MAC-AUTH.
> 
> In your opinion what is the best approach to follow?
> 
> Thank you
> Best regards
> 
> -- 
> --------------------------------------------------------------------------
> Leonardo Secci
> mailto:leonardo.se...@unirel.com
> 
> 
> 
> 
> 
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
