Re: 802.1x and assigning IP address to the supplicant

iVAN G wrote:

> > If this helps you, and your switch supports it, you can create an ip
> > pool and let the NAS handle IP addresses.
>
> thanx will check that once i have the switches i intend to use..
> one more question where I set these values in the radius configuration.
> client config file, or?

well it depends on what you are using as backend (sql, file config etc). either way, i believe that Framed-IP-Address needs to be set to a specific value.

cheers
adam

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 802.1x and assigning IP address to the supplicant

On Tue, Nov 09, 2004 at 01:39:33AM +0200, iVAN G wrote:
> > > How do u do LAN 802.1x + IP leasing (dhcp,radius,supplicant)
> >
> > 802.1x via RADIUS.
> > IP leasing via DHCP.
> >
> > They are configured completely independently.
>
> ]- yeah i know :") i was asking is there a way to combine both
> in a way so that the client (supplicant) can not forge the IP address

That will depend on the switch's ability to only allow traffic from the authorized IP address through that port, and so it is independent of RADIUS, unless the switch expects RADIUS to tell it to enable this mode with a Vendor-Specific Attribute (VSA) of some kind.

I'm assuming from this that the 802.1x-supporting switch will be the last switch before the 802.1x supplicant devices?

--
Paul "TBBle" Hampson, on an alternate email client.
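The following sketch is an added illustration, not part of the original message and not code from FreeRADIUS or any switch vendor. It models the behaviour described above: 802.1X opens the port, and a per-port binding learned from a DHCP reply on a trusted uplink then limits which source IP the port may use. The class, method names, port numbers and addresses are all hypothetical.

```python
from ipaddress import IPv4Address

class AccessSwitch:
    """Toy model: 802.1X opens the port, a DHCP-learned binding limits the source IP."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)  # uplinks towards the DHCP server
        self.authorized = {}                     # port -> MAC after 802.1X success
        self.bindings = {}                       # port -> (MAC, leased IP)

    def dot1x_success(self, port, mac):
        self.authorized[port] = mac
        self.bindings.pop(port, None)            # new session: forget any old lease

    def dhcp_ack(self, ingress_port, client_port, client_mac, yiaddr):
        # Learn a binding only from replies that arrive on a trusted uplink
        # and are addressed to the MAC that authenticated on that port.
        if ingress_port not in self.trusted_ports:
            return False
        if self.authorized.get(client_port) != client_mac:
            return False
        self.bindings[client_port] = (client_mac, IPv4Address(yiaddr))
        return True

    def permit(self, port, src_mac, src_ip, is_dhcp_request=False):
        if self.authorized.get(port) != src_mac:
            return False                         # port closed or wrong MAC
        binding = self.bindings.get(port)
        if binding is None:
            return is_dhcp_request               # before a lease, only DHCP may pass
        return is_dhcp_request or binding == (src_mac, IPv4Address(src_ip))


def demo():
    """Constructed scenario: uplink is port 24, supplicant sits on port 3."""
    sw = AccessSwitch(trusted_ports=[24])
    mac = "02:00:00:00:00:0a"
    results = []
    results.append(sw.permit(3, mac, "192.0.2.10"))            # not authenticated yet
    sw.dot1x_success(3, mac)
    results.append(sw.permit(3, mac, "192.0.2.10"))            # static IP, no lease
    results.append(sw.permit(3, mac, "0.0.0.0", is_dhcp_request=True))
    results.append(sw.dhcp_ack(5, 3, mac, "192.0.2.66"))       # reply from access port
    results.append(sw.dhcp_ack(24, 3, mac, "192.0.2.10"))      # reply from uplink
    results.append(sw.permit(3, mac, "192.0.2.10"))            # leased address
    results.append(sw.permit(3, mac, "192.0.2.11"))            # manually set address
    return results
```

In this model RADIUS only decides whether the port opens; the address check is done entirely by the switch, which matches the point that the two are configured independently.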
Re: 802.1x and assigning IP address to the supplicant

> Sorry if i misunderstood something. But i assume that you can give IP
> address to the client using the radius server, in one AV pair.
>
> There is a special setting, (maybe 0x?) which tells the NAS to
> give the authenticating client an IP address based on its own decision.
> You should check the docs, i assume there is also a 0x which
> tells the NAS to let the authenticating client pick an address, and the
> NAS should let it be used.
>
> If this helps you, and your switch supports it, you can create an ip
> pool and let the NAS handle IP addresses.
>
> If i remember correctly, please correct me if i don't.

thanx will check that once i have the switches i intend to use..
one more question where I set these values in the radius configuration.
client config file, or?
Re: 802.1x and assigning IP address to the supplicant

> > How do u do LAN 802.1x + IP leasing (dhcp,radius,supplicant)
>
> 802.1x via RADIUS.
> IP leasing via DHCP.
>
> They are configured completely independently.

]- yeah i know :") i was asking is there a way to combine both
in a way so that the client (supplicant) can not forge the IP address
Re: 802.1x and assigning IP address to the supplicant

iVAN G <[EMAIL PROTECTED]> wrote:
> What is the way to assign IP address, gw, dns to the supplicant ?

DHCP.

> On the other hand the combo DHCP-Radius seems too hard to accomplish.
> (i mean secure way to set supplicant IP so that it can't be forged,
> once client authenticates i.e. the switch port is open it can do
> whatever he wants, set manual IP f.e.)

It's what people use today.

> How do u do LAN 802.1x + IP leasing (dhcp,radius,supplicant)

802.1x via RADIUS.
IP leasing via DHCP.

They are configured completely independently.

Alan DeKok.
Re: 802.1x and assigning IP address to the supplicant

iVAN G wrote:

> In the LAN world this should be the authenticator (i.e. the switch).
> But how this can be done...based on the ip of the Authenticator,
> VLANID or what..
> [...]
> How do u do LAN 802.1x + IP leasing (dhcp,radius,supplicant)

Sorry if i misunderstood something. But i assume that you can give IP address to the client using the radius server, in one AV pair.

There is a special setting, (maybe 0x?) which tells the NAS to give the authenticating client an IP address based on its own decision. You should check the docs, i assume there is also a 0x which tells the NAS to let the authenticating client pick an address, and the NAS should let it be used.

If this helps you, and your switch supports it, you can create an ip pool and let the NAS handle IP addresses.

If i remember correctly, please correct me if i don't.

cheers
adam
802.1x and assigning IP address to the supplicant

hi,

What is the way to assign IP address, gw, dns to the supplicant ?

The whole problem is that there is no secure way or I don't know such, to assign IP address to the supplicant in such a way that there is no way to forge IP address.

MAC based approach is flawed 'cause it becomes harder to track/reconfigure the user every time he changes his ethernet card or spoof the MAC.

The only almost good solution is some similar way I use in my DOCSIS network i.e. assign IP address based on the MAC of the cable-modem. In the LAN world this should be the authenticator (i.e. the switch). But how this can be done...based on the ip of the Authenticator, VLANID or what..

On the other hand the combo DHCP-Radius seems too hard to accomplish. (i mean secure way to set supplicant IP so that it can't be forged, once client authenticates i.e. the switch port is open it can do whatever he wants, set manual IP f.e.)

How do u do LAN 802.1x + IP leasing (dhcp,radius,supplicant)

any ideas.. or at least link to further reading... around 100 pages already printed..;")

I'm not talking for WLAN here but for pure LAN.