How does Juniper UAC differentiate the RADIUS request for user authentication and/or MAC authentication?
What parameters does the RADIUS request have that make the UAC decide to use the MAC authentication realm?
I am trying to use a MAC filter with a Cisco WLC, but the request keeps on coming through as a user authentication request, and I would prefer that the UAC handles this as a MAC authentication request.
Hello,
When a device connects to a switch, the switch forwards the MAC address to the IC Series device as the login credential. The IC Series device RADIUS server consults the authentication server (either a local database or an external LDAP server) and allows or denies access to the device based on whether there is a matching entry.
The IC Series device supports several formats for MAC address credentials, including no-delimiter 003048436665, single dash 003048-436665, multidash 00-30-48-43-66-65, and multicolon 00:30:48:43:66:65.
Some switches use the CHAP and EAP-MD5-Challenge protocols for MAC address authentication, with the username being the MAC address.
Hope this helps
Hello,
I understand the process you describe above, but how does the UAC decide to use the MAC authentication realm for the location group the switch is in?
Adding to what Ashish said..
The condition is that the incoming RADIUS request should contain both the User-Name and User-Password attributes, with the MAC address of the endpoint as the value.
If the above condition is not met, you can see the log message below in the RADIUS troubleshooting log file:
"MAC-based authentication failed. This may be a non-MAC-based login."
Note: You should have a MAC Auth realm, MAC Auth server/LDAP, and role mapping configured.
Regards,
Raveen
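As an added example (not part of the thread and not Juniper's code), this Python block recovers the PAP User-Password from a captured Access-Request using RFC 2865 password hiding and checks it against the condition stated in the post above. The function names, shared secret, authenticator and sample requests are constructed; comparing MACs after normalizing the delimiter format is an assumption, and CHAP or EAP-MD5 requests are not covered.

```python
import hashlib
import re

# The four MAC credential formats listed in the thread.
MAC_RE = re.compile(
    r"[0-9a-f]{12}|[0-9a-f]{6}-[0-9a-f]{6}|"
    r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if not a listed MAC format."""
    return re.sub(r"[-:]", "", value).lower() if MAC_RE.fullmatch(value) else None

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2 hiding; used here only to build the samples."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Recover the cleartext of a captured PAP User-Password value."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def check_mac_auth(attrs, secret, authenticator):
    """Check the thread's condition; assumption: MACs are compared normalized."""
    if "User-Name" not in attrs or "User-Password" not in attrs:
        return False, "User-Name or User-Password attribute missing"
    user_mac = normalize_mac(attrs["User-Name"])
    if user_mac is None:
        return False, "User-Name is not a MAC address"
    clear = reveal_password(attrs["User-Password"], secret, authenticator)
    if normalize_mac(clear.decode("ascii", "replace")) != user_mac:
        return False, "User-Password is not the endpoint MAC address"
    return True, "User-Name and User-Password both carry the MAC address"

# Constructed sample values (not from any capture in the thread).
SECRET, AUTHENTICATOR = b"example-shared-secret", bytes(range(16))
MAC_REQ = {"User-Name": "00:30:48:43:66:65", "User-Password":
           hide_password(b"00:30:48:43:66:65", SECRET, AUTHENTICATOR)}
OTHER_REQ = {"User-Name": "003048436665", "User-Password":
             hide_password(b"not-the-mac", SECRET, AUTHENTICATOR)}
```

To use it on a real capture, pass the attribute values and the 16-byte Request Authenticator from the packet together with the shared secret configured for that RADIUS client.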
MAC Auth requires,
Thanks
Hi,
The Authentication Realm is identified by the protocol set used
Regards,
Stanislas
Thank you for this valuable information. Are there any requirements for the RADIUS Access-Request message?
For a switch I see the message is service-type Login-User, and the UAC processes this as Macauth.
Coming from the Cisco WLC, the message is service-type Call-Check, and this is not processed as Macauth.
Service-Type with value Call-Check should not be an issue as long as you meet the requirements that we have provided earlier. And for your information, I did test with service-type as call-check; the IC processes the request without any issue.
Can you attach tcp-dump and RADIUS troubleshooting logs?
Regards,
Raveen