WLAN 802.1x PEAP Authentication should work with first device only

  • 2
  • Idea
  • Updated 11 months ago
Is it possible to restrict and limit a successful 802.1x PEAP (username/password) authentication to the first device only within NAC Gateway?

During several customer projects such a feature would be very useful.

Regards

M.Nees, Embassador


Posted 4 years ago

  • 2

Ronald Dvorak, Embassador

Do you mean one concurrent active client with this username/password or the first client that ever uses that username/password....

M.Nees, Embassador

Both scenarios are valid. If I have to choose between the two, one concurrent active client would better represent customers' needs.

M.Nees, Embassador

Does nobody have a solution, or maybe the same requirements?

I have several customer projects where this is a needed feature. But my current understanding is that NAC Gateway has no feature that makes this possible.

If someone has the same requirements, please post it! I hope that if more customers request this possibility, Enterasys/Extreme will think about implementing it...

Brian Anderson

You could do an Authenticated Registration portal, but it wouldn't be a .1x SSID. But you could limit the user to have only one device registered.

Michael Kirchner

Same request from me

Tony Dann

This is something we are needing; working in education, we need to be able to limit kids to one device.

Ronald Dvorak, Embassador

Any update on this "function"?

As far as my Google skills go I'm not able to find a solution for it using either ExtremeControl or Windows NPS.

M.Nees, Embassador

Feature is still needed...

Drew C., Community Manager

I'll send this thread along to PLM for them to work on the feature request.

M.Nees, Embassador

Any feedback?

Matthew Hum

You can accomplish this by chaining FreeRADIUS servers. NAC would then send to an upstream FreeRADIUS server that uses the perl_rlm module to run a call back to the NAC DB to query for existing entries to then deny or proxy the RADIUS request.
If you are using a local DB, then enable the simultaneous-use variable and set it to 1, for only one system at a time. I believe you will need radius-accounting for this to work as well. 

Edit: This was originally written for wired, and I have removed the wired portion as it would not work for wireless. 
(Edited)
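As an added illustration of the Simultaneous-Use approach mentioned in the post above (not the poster's own configuration, and not part of the original thread), the FreeRADIUS 3.x fragments below show which pieces have to fit together. It assumes the stock raddb/ file layout and the radutmp module for session tracking, and it places the check in the inner-tunnel server because with PEAP the real user name is only visible inside the tunnel.

```text
# --- raddb/mods-config/files/authorize (the "users" file) ---
# Check item read by the "files" module; with ":=" it applies to every
# user and limits each User-Name to one session known to the server.
DEFAULT  Simultaneous-Use := 1
         Fall-Through = Yes

# --- raddb/sites-enabled/inner-tunnel ---
# The outer Access-Request for PEAP may carry an anonymous identity, so
# the duplicate-session check is done here, where User-Name is the
# identity that was actually authenticated.
session {
        radutmp
}

post-auth {
        # Send the inner User-Name back to the NAS so that its accounting
        # packets (and therefore the radutmp entries) carry the real user
        # instead of the anonymous outer identity.
        update outer.reply {
                User-Name := "%{User-Name}"
        }
}

# --- raddb/sites-enabled/default ---
# Without accounting the server never learns that a session exists and
# the limit above can not be enforced; Stop records are also what clear
# an entry when the device disconnects.
accounting {
        detail
        radutmp
}
```

The NAS or wireless controller must be configured to send RADIUS accounting to the same server, otherwise radutmp stays empty and every second login is accepted.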

M.Nees, Embassador

Cool solution (but not usable in a normal customer environment)!

How much time did you spend writing/configuring the perl_rlm module? How do you realize the NAC DB query?

Regards,
Matthias 

Matthew Hum

I don't see why it wouldn't be usable in a customer environment.

It can't take that long. Maybe an hour or two? Depends on how good you are, I guess. You can use the NAC API for the query.

Chacko

Hi Matthias,

Stupid question:
Wouldn't your requirement be satisfied with "configure netlogin ports X allowed-users <number>"?
Or did I misunderstand your need?

Best Regards
Chacko

M.Nees, Embassador

Sometimes I have several clients on one port (= desktop switch). What I want to avoid is a user using his own username + password (of Windows) several times for several devices.

Limiting the number of clients per switch port therefore has negative effects and does not address my concern directly.

Regards