WLAN 802.1x PEAP Authentication should work with first device only


Userlevel 6
Is it possible to restrict and limit a successful 802.1x PEAP (Username / Password) Authentication to the first device only within NAC Gateway?

During several customer projects such a feature would be very useful.

Regards

15 replies

Userlevel 7
Do you mean one concurrent active client with this username/password or the first client that ever uses that username/password....
Userlevel 6
Both scenarios are valid - if I have to choose between the two - one concurrent active client would better represent customers' needs.
Userlevel 6
Does nobody have a solution or maybe the same requirements?

I have several customer projects where this is a needed feature. But my recent state is that NAC Gateway has no feature that makes this possible.

If someone has the same requirements, please post this! I hope if more customers request this possibility Enterasys/Extreme will think about implementing this ...
Userlevel 2
You could do an Authenticated Registration portal, but it wouldn't be a .1x SSID. But you could limit the user to have only one device registered.
Userlevel 3
Same request from me
This is something we are needing, working in education we need to be able to limit kids to one device.
Userlevel 7
Any update on this "function" ?

As far as my Google skills go I'm not able to find a solution for it using either ExtremeControl or Windows NPS.
Userlevel 6
feature is still needed ....
Userlevel 7
I'll send this thread along to PLM for them to work on the feature request.
Userlevel 6
I'll send this thread along to PLM for them to work on the feature request.
Any feedback ?
Userlevel 1
You can accomplish this by chaining FreeRADIUS servers. NAC would then send to an upstream FreeRADIUS server that uses the perl_rlm module to run a call back to the NAC DB to query for existing entries to then deny or proxy the RADIUS request.
If you are using a local DB, then enable the simultaneous-use variable and set it to 1, for only one system at a time. I believe you will need radius-accounting for this to work as well.

Edit: This was originally written for wired, and I have removed the wired portion as it would not work for wireless.
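As an added illustration of the Simultaneous-Use idea in the reply above (not code from the post, from FreeRADIUS or from NAC), here is a Python model that learns sessions from RADIUS accounting records and decides Access-Requests so that one username may hold one device at a time, while the same device re-authenticating (same Calling-Station-Id) is still accepted. The 15-minute stale timeout, the attribute-named dictionary keys and the sample records are constructed assumptions.

```python
from typing import Dict

class SimultaneousUseGuard:
    """Constructed model of a 'one concurrent device per username' rule, in the spirit of
    FreeRADIUS Simultaneous-Use := 1. Sessions are learned from RADIUS accounting, so
    accounting must reach the server or every login after the first is refused.
    The stale timeout is an assumption; field names mirror RADIUS attribute names."""

    def __init__(self, max_sessions: int = 1, stale_after: int = 900) -> None:
        self.max_sessions = max_sessions
        self.stale_after = stale_after          # assumption: forget sessions idle for 15 min
        # User-Name -> {Calling-Station-Id (client MAC) -> last accounting timestamp}
        self.sessions: Dict[str, Dict[str, int]] = {}

    def account(self, rec: dict) -> None:
        """Consume an accounting record (Acct-Status-Type Start / Interim-Update / Stop)."""
        per_user = self.sessions.setdefault(rec["User-Name"], {})
        if rec["Acct-Status-Type"] == "Stop":
            per_user.pop(rec["Calling-Station-Id"], None)
        else:
            per_user[rec["Calling-Station-Id"]] = rec["Event-Timestamp"]

    def decide(self, req: dict) -> str:
        """Return 'Access-Accept' or 'Access-Reject' for an Access-Request."""
        user, mac, now = req["User-Name"], req["Calling-Station-Id"], req["Event-Timestamp"]
        active = self.sessions.setdefault(user, {})
        # A lost Stop record would otherwise lock the user out for good: age out silent sessions.
        for stale in [m for m, seen in active.items() if now - seen > self.stale_after]:
            del active[stale]
        if mac in active:
            return "Access-Accept"          # same device re-authenticating (reauth/roam), not a 2nd device
        if len(active) >= self.max_sessions:
            return "Access-Reject"          # another device already holds this username
        return "Access-Accept"


def demo() -> list:
    """Constructed sequence: a laptop logs in, then a phone tries the same credentials."""
    g = SimultaneousUseGuard()
    laptop = {"User-Name": "student1", "Calling-Station-Id": "AA-BB-CC-00-00-01"}
    phone = {"User-Name": "student1", "Calling-Station-Id": "AA-BB-CC-00-00-02"}
    out = [g.decide({**laptop, "Event-Timestamp": 1000})]                       # first device: accept
    g.account({**laptop, "Acct-Status-Type": "Start", "Event-Timestamp": 1001})
    out.append(g.decide({**phone, "Event-Timestamp": 1005}))                    # second device: reject
    out.append(g.decide({**laptop, "Event-Timestamp": 1010}))                   # laptop reauth: accept
    g.account({**laptop, "Acct-Status-Type": "Stop", "Event-Timestamp": 1020})
    out.append(g.decide({**phone, "Event-Timestamp": 1025}))                    # laptop gone: accept
    return out
```

The model makes the accounting dependency from the post visible: without the Stop record (or the stale timeout) the phone would stay rejected even after the laptop has left.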
Userlevel 6
You can accomplish this by chaining FreeRADIUS servers. NAC would then send to an upstream FreeRADIUS server that uses the perl_rlm module to run a call back to the NAC DB to query for existing entries to then deny or proxy the RADIUS request.
If you are using a local DB, then enable the simultaneous-use variable and set it to 1, for only one system at a time. I believe you will need radius-accounting for this to work as well.

Edit: This was originally written for wired, and I have removed the wired portion as it would not work for wireless.
Cool solution (but not useable normal customer environment)!

How much time did you spend to write/configure the perl_rlm module? How do you realize the NAC DB query?

Regards,
Matthias
Userlevel 1
You can accomplish this by chaining FreeRADIUS servers. NAC would then send to an upstream FreeRADIUS server that uses the perl_rlm module to run a call back to the NAC DB to query for existing entries to then deny or proxy the RADIUS request.
If you are using a local DB, then enable the simultaneous-use variable and set it to 1, for only one system at a time. I believe you will need radius-accounting for this to work as well.

Edit: This was originally written for wired, and I have removed the wired portion as it would not work for wireless.
I don't see why it wouldn't be usable in a customer environment.

It can't take that long. Maybe an hour or two? Depends on how good you are, I guess. You can use the NAC API for the query.
Userlevel 2
Hi Matthias,

Stupid question:
Wouldn't your requirement be satisfied with "configure netlogin ports X allowed-users "?
Or did I misunderstand your need?

Best Regards
Chacko
Userlevel 6
Hi Matthias,

Stupid question:
Wouldn't your requirement be satisfied with "configure netlogin ports X allowed-users "?
Or did I misunderstand your need?

Best Regards
Chacko
Sometimes I have several clients on one port (= desktop switch). What I want to avoid is that a user uses his own username + pw (of Windows) several times for several devices.

Limiting the number of clients per switch port therefore has negative effects and does not address my concern directly.

Regards
