WLAN 802.1x PEAP Authentication should work with first device only

M_Nees
Contributor III
Is it possible to restrict and limit a successful 802.1x PEAP (username / password) authentication to the first device only within NAC Gateway?

During several customer projects such a feature would be very useful.

Regards
15 REPLIES

Chacko
Contributor
Hi Matthias,

Stupid question:
Wouldn't your requirement be satisfied with "configure netlogin ports X allowed-users "?
Or did I misunderstand your need?

Best Regards
Chacko

M_Nees
Contributor III
Sometimes I have several clients on one port (= desktop switch). What I avoid is that a user is using his own username + pw (of Windows) several times for several devices.

Limiting the number of clients per switch port therefore has negative effects and does not address my concern directly.

Regards

Matthew_Hum
Contributor
You can accomplish this by chaining FreeRADIUS servers. NAC would then send to an upstream FreeRADIUS server that uses the perl_rlm module to run a call back to the NAC DB to query for existing entries to then deny or proxy the RADIUS request.
If you are using a local DB, then enable the simultaneous-use variable and set it to 1, for only one system at a time. I believe you will need radius-accounting for this to work as well.

Edit: This was originally written for wired, and I have removed the wired portion as it would not work for wireless.

I don't see why it wouldn't be usable in a customer environment.

It can't take that long. Maybe an hour or two? Depends on how good you are, I guess. You can use the NAC API for the query.
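
The deny-or-proxy decision described in the reply above, modelled as an added example that is not code from the thread or from the NAC product. An in-memory table stands in for the NAC DB lookup; the function names, the `proxy`/`reject` return values, the case-insensitive username match and the sample events are constructed assumptions.

```python
from dataclasses import dataclass, field


def norm_mac(raw: str) -> str:
    """Normalise Calling-Station-Id spellings (AA-BB-.., aa:bb:.., aabb.ccdd.eeff)."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


@dataclass
class SessionTable:
    # Stand-in for the NAC DB query: username -> MAC of the device holding the session.
    active: dict = field(default_factory=dict)

    def authorize(self, user: str, calling_station_id: str) -> str:
        """Access-Request decision: proxy onward, or reject a second device."""
        try:
            mac = norm_mac(calling_station_id)
        except ValueError:
            return "reject"  # fail closed on an unparsable Calling-Station-Id
        holder = self.active.get(user.lower())  # assumption: usernames compare case-insensitively
        return "proxy" if holder in (None, mac) else "reject"

    def accounting(self, user: str, calling_station_id: str, status: str) -> None:
        """Track sessions from Acct-Status-Type Start/Stop records."""
        user, mac = user.lower(), norm_mac(calling_station_id)
        if status == "Start":
            self.active.setdefault(user, mac)  # first device keeps the slot
        elif status == "Stop" and self.active.get(user) == mac:
            del self.active[user]


def replay(events):
    """Feed events through a fresh table; return the decision for each auth event."""
    table, decisions = SessionTable(), []
    for kind, user, mac, *rest in events:
        if kind == "auth":
            decisions.append(table.authorize(user, mac))
        else:
            table.accounting(user, mac, rest[0])
    return decisions


# Constructed sample events, not captured traffic.
EVENTS = [
    ("auth", "alice", "AA-BB-CC-00-00-01"),           # first device
    ("acct", "alice", "AA-BB-CC-00-00-01", "Start"),
    ("auth", "Alice", "aa:bb:cc:00:00:02"),           # second device, same user
    ("auth", "alice", "aabb.cc00.0001"),              # re-auth of the first device
    ("auth", "bob", "aa:bb:cc:00:00:03"),             # different user
    ("acct", "alice", "AA-BB-CC-00-00-01", "Stop"),
    ("auth", "alice", "aa:bb:cc:00:00:02"),           # slot is free again
]
```

Because the table changes only on accounting records, a lost Stop leaves the user bound to the old device until the entry is cleared, and a second device that authenticates before the first Start arrives is not blocked.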