cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 

WLAN 802.1x PEAP Authentication should work with first device only

WLAN 802.1x PEAP Authentication should work with first device only

M_Nees
Contributor III
Is it possible the restrict and limit an sucessfull 802.1x PEAP (Username / Password) Authentication to the first device only within NAC Gateway?

During several customer projects such a feature would be very useful.

Regards
15 REPLIES 15

Chacko
Contributor
Hi Matthias,

stupid question:
Wouldn't your requirement be satisfied with "configure netlogin ports X allowed-users "?
Or did i misunderstand your need?

Best Regards
Chacko

M_Nees
Contributor III
Sometimes i have several clients on one port (= desktop switch). What i avoid is that a user is using his own username + pw (of windows) several times for several devices.

Limiting the number of clients per switch port has therefore negative effects and do not address my concern directly.

Regards

Matthew_Hum
Contributor
You can accomplish this by chaining FreeRADIUS servers. NAC would then send to an upstream FreeRADIUS server that uses the perl_rlm module to run a call back to the NAC DB to query for existing entries to then deny or proxy the RADIUS request.
If you are using a local DB, then enable the simultaneous-use variable and set it to 1, for only one system at a time. I believe you will need radius-accounting for this to work as well.

Edit: This was originally written for wired, and I have removed the wired portion as it would not work for wireless.

I don't see why it wouldn't be usable in a customer environment.

it can't take that long. maybe an hour or two? depends on how good you are I guess. you can use the NAC API for the query.
GTM-P2G8KFN