MAC authentication with FreeRADIUS


MAC addresses can be used as an alternate form of authentication. On most vendors' LAN switches, MAC authentication can be enabled even when 802.1X port-based authentication is enabled on the same physical port, but the Unauthenticated VLAN ID can usually only be configured for MAC authentication. When an 802.1X supplicant authenticates successfully it is assigned to its own VLAN; if the client does not support 802.1X, MAC authentication is triggered after a delay of 30-60 seconds, depending on the vendor's implementation.

For HP Aruba switches, MAC authentication can be configured in FreeRADIUS with the steps below:

raddb/modules/files

    files authorized_macs {
        # Look the client up by the MAC address the switch sends as Calling-Station-ID
        key = "%{Calling-Station-ID}"
        usersfile = ${confdir}/authorized_macs
        compat = no
    }

raddb/authorized_macs

    # One MAC per line, in the same format the switch uses in Calling-Station-ID
    00-01-02-03-04-05
    00-01-02-03-04-06

raddb/sites-enabled/default

    authorize {
        preprocess
        # No EAP-Message means the switch is doing MAC authentication, not 802.1X
        if (!EAP-Message) {
            authorized_macs
            if (!ok) {
                reject
            }
            else {
                update control {
                    Auth-Type := Accept
                }
            }
        }
        else {
            # normal FreeRADIUS virtual server config goes here, e.g.
            eap
        }
    }

    post-auth {
        # MAC-authenticated clients arrive with their MAC address as User-Name
        if ("%{User-Name}" =~ /00-01-02/i) {
            update reply {
                # Egress-VLANID layout <0x31><000><VLANID>: 0x31 = tagged frames,
                # then 12 zero bits of padding, then the 12-bit VLAN ID.
                # In this case VLAN 50 = 0x032, so 0x31000032 = 822083634
                HP-Egress-VLANID = 822083634
            }
        }
    }
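As an added example (not from the original post or the FreeRADIUS project), the Python below encodes and validates the Egress-VLANID integer used in the post-auth block above and emulates the authorized_macs lookup against a constructed users file; the MAC normalisation assumes the switch may send Calling-Station-ID in colon, dash or dotted form.

```python
from __future__ import annotations

# Egress-VLANID layout (RFC 4675; HP-Egress-VLANID uses the same encoding):
#   bits 31..24  tag indication: 0x31 = tagged, 0x32 = untagged
#   bits 23..12  must be zero (padding)
#   bits 11..0   VLAN ID (1..4094)
TAGGED = 0x31
UNTAGGED = 0x32

def egress_vlanid(vlan: int, tagged: bool = True) -> int:
    """Return the 32-bit Egress-VLANID integer for a VLAN, e.g. VLAN 50 tagged -> 822083634."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return ((TAGGED if tagged else UNTAGGED) << 24) | vlan

def decode_egress_vlanid(value: int) -> tuple[int, bool]:
    """Split an Egress-VLANID integer into (vlan, tagged); reject malformed values."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value")
    flag, padding, vlan = value >> 24, (value >> 12) & 0xFFF, value & 0xFFF
    if flag not in (TAGGED, UNTAGGED) or padding != 0 or not 1 <= vlan <= 4094:
        raise ValueError(f"malformed Egress-VLANID: {value:#010x}")
    return vlan, flag == TAGGED

def normalise_mac(station_id: str) -> str:
    """Normalise 00:01:02:03:04:05 / 0001.0203.0405 / 00-01-02-03-04-05 to the dashed key form.

    Assumption: vendors format Calling-Station-ID differently; the users file uses dashes.
    """
    hexdigits = "".join(c for c in station_id.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {station_id!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample of raddb/authorized_macs: one key per line, '#' comments allowed.
AUTHORIZED_MACS = """\
00-01-02-03-04-05
00-01-02-03-04-06
# 00-01-02-03-04-07   (commented out, so not authorised)
"""

def is_authorized(station_id: str, users_file: str = AUTHORIZED_MACS) -> bool:
    """Emulate the files module lookup: the first token of each non-comment line is a key."""
    keys = {line.split()[0].lower() for line in users_file.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}
    return normalise_mac(station_id) in keys
```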
