MAC-based authentication

MAC-based authentication

Post by Thomas Wil » Sun, 21 Jan 2007 21:09:42

Hi group,

we configured an HP ProCurve 2650 switch with MAC-based authetication. In
that case the switch askes a RADIUS server into which VLAN belongs the
given MAC address. The switch conveys the MAC address as announcing
information, both for the user name and for the password. From the RADIUS
server the switch gets as answer, in which VLAN the Client belongs,
respectively in which VLAN an unauthorized client belongs. (PCs, IP-Phones

In our testenvironment the RADIUS server is a UNIX based freeRADIUS but for
other applications we need a AD integrated RADIUS, so that we want to use
directly a Microsoft IAS, running on a DC. We found so far however no
HOWTO, which describes the MAC based authentication with a Microsoft IAS
server. Is that generally possible?

The second problem is, that at least one RADIUS server is a pretty good
SPOF. In case of the FreeRADIUS installation we did not find a procedure to
synchronize the RADIUS server automatically with a second one, except a
scheduled running rsync task. Is there a feature for this problem
implemented in the IAS?

Thanks for your attention

Bye Tom
"One good Whiskey a day, keeps the doctor away"

MAC-based authentication

Post by cnQtc2V » Wed, 24 Jan 2007 04:26:06

Hello Tom,

MAC authentication can be done using a custom IAS extension.
I've written such an extension for the company I'm working for.
There is also a whitepaper available (currently only in German) describing
the background. If you are interested in, you can search for
"mac authentication whitepaper" on the web. You can also mail
me privately [discuss(at)].

Regarding your second problem: there is no synchronization built into
IAS. But that can be done using simple batch scripts.




MAC-based authentication

Post by Thomas Wil » Fri, 26 Jan 2007 05:12:24

Hi Sebastian,

I found the whitepaper, thanks for this tip. I work it out as soon as

And German language is really great, its a home field advantage ;-)
Thanks also for your email address...

Never mind! This is only a marginal problem...

Bye Tom
"Manches Gewissen ist nur rein, weil es nie benutzt wurde" (Robert Lembke)