EXOS: RADIUS Configuration more granular

  • Problem
  • Updated 1 year ago
  • Not a Problem
For a current customer project I need the following EXOS functionality:

All MAC Authentication go to RADIUS Server1 and Server2
All dot1x Authentication go to RADIUS Server 3 and Server4

Currently I can only determine the RADIUS server used by the realm - management or netlogin - not by the authentication method.
So my customer misses this functionality.

As a workaround I address Server1 (and 2) for all methods and do a forwarding on this server at the back end to Server 3/4 for dot1x.
This is working - but doing this "routing" directly on the switch would be preferred by my customer.

Additionally this will help in some troubleshooting situations.

Regards,
Matthias
 
M.Nees, Embassador

Posted 1 year ago

Matthew Hum

You can do this with a separate FreeRADIUS server to use as a proxy. In the realms configuration you would simply put a regex for the MAC addresses to instruct it to forward to your MAC address RADIUS servers, and then specific domains (or even DEFAULT) for the 802.1X sessions. This is also a way to segregate different domains to different RADIUS servers.

If you already had FreeRADIUS servers you can chain them, and pull out, say, the 802.1X sessions to proxy to an upstream server and then auth the MAC auth sessions on the existing server. (This is exactly how NAC does it when you choose auth MAC locally.)
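
The routing decision such a proxy has to make, as an added example (not code from this thread, from FreeRADIUS or from EXOS): it parses an Access-Request per RFC 2865 and picks a server pool by EAP-Message presence first, then by a MAC-shaped User-Name. The pool names, the accepted MAC formats and the sample packets are assumptions constructed for illustration.

```python
import re
import struct

# RADIUS code and attribute types (RFC 2865, RFC 3579)
ACCESS_REQUEST, USER_NAME, EAP_MESSAGE = 1, 1, 79

# Placeholder pools standing in for the servers named in the question.
MAC_POOL = ("Server1", "Server2")
DOT1X_POOL = ("Server3", "Server4")

# Assumed MAC formats: 001122aabbcc, 00:11:22:aa:bb:cc, 00-11-22-aa-bb-cc
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-]?)[0-9a-f]{2}(\1[0-9a-f]{2}){4}$", re.I)

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [values]} for an Access-Request; ValueError if malformed."""
    if len(packet) < 20:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs, pos = {}, 20  # attributes start after the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs

def choose_pool(packet: bytes) -> tuple:
    attrs = parse_attributes(packet)
    # EAP-Message is checked first: 802.1X requests always carry it, so a
    # MAC-shaped identity sent inside EAP still lands on the dot1x pool.
    if EAP_MESSAGE in attrs:
        return DOT1X_POOL
    name = attrs.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    if MAC_RE.match(name):
        return MAC_POOL
    raise ValueError("neither EAP nor MAC-style User-Name")

def build_request(attrs: list) -> bytes:
    """Constructed sample packet: zeroed authenticator plus (type, value) pairs."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(body)) + bytes(16) + body

# Constructed samples: a MAC-auth request and an 802.1X EAP-Response/Identity.
MAC_REQ = build_request([(USER_NAME, b"001122AABBCC")])
DOT1X_REQ = build_request([(USER_NAME, b"00:11:22:aa:bb:cc"),
                           (EAP_MESSAGE, b"\x02\x01\x00\x06\x01u")])
```

Requests that match neither rule raise an error here rather than falling through to a default pool; whether a DEFAULT route is acceptable is a policy choice for the deployment.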