12-13-2011 06:41 AM
How does Juniper UAC differentiate the RADIUS request for user authentication and/or MAC authentication?
What parameters does the RADIUS request have that make the UAC decide to use the MAC authentication Realm?
I am trying to use a MAC filter with a Cisco WLC, but the request keeps on coming through as a user authentication request, and I would prefer that the UAC handles this as a MAC authentication request.
12-13-2011 10:34 PM
When a device connects to a switch, the switch forwards the MAC address to the IC Series device as the login credential. The IC Series device RADIUS server consults the authentication server (either a local database or an external LDAP server) and allows or denies access to the device based on whether there is a matching entry.
The IC Series device supports several formats for MAC address credentials, including no-delimiter 003048436665, single dash 003048-436665, multidash 00-30-48-43-66-65, and multicolon 00:30:48:43:66:65.
Some switches use CHAP and EAP-MD5-Challenge protocols for MAC address authentication, with the username being the MAC address.
Hope this helps
12-13-2011 11:49 PM
I understand the process you describe above, but how does the UAC decide to use the MAC authentication Realm for the location group the switch is in?
12-14-2011 12:11 AM
Adding to what Ashish said..
The condition is that the incoming RADIUS request should contain both the User-Name and User-Password attributes, with the value being the MAC address of the endpoint.
If the above condition is not met, you can see the log message below in the RADIUS troubleshooting log file:
"MAC-based authentication failed. This may be a non-MAC-based login."
Note: You should have Mac Auth realm, MAC Auth server/LDAP, Role mapping configured.
12-14-2011 12:27 AM
MAC Auth requires,
- User Name is a mac address
- Password matches Username
- Protocol : PAP, CHAP, MSCHAP, MSCHAPv2, EAP-MSCHAP-Challenge, EAP-MSCHAPv2.
12-21-2011 02:55 AM
Thank you for this valuable information. Are there any requirements for the RADIUS Access-Request message?
For a switch I see the message is Service-Type Login-User and the UAC processes this as MAC auth.
Coming from the Cisco WLC the message is Service-Type Call-Check and this is not processed as MAC auth.
12-21-2011 03:53 AM
Service-Type with value Call-Check should not be an issue as long as you meet the requirements that we have provided earlier. And for your information, I did test with service-type as call-check, IC processes the request without any issue.
Can you attach tcp-dump and radius troubleshooting logs?
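The check the replies above describe (User-Name must be a MAC address in one of the four listed formats, User-Password must equal it, Service-Type is not part of the decision), as an added example that is not Juniper's code and is not from any poster in this thread. It parses a RADIUS Access-Request, unhides a PAP User-Password per RFC 2865 section 5.2, and returns the thread's own log text when the request does not qualify; the shared secret, Request Authenticator and packet contents are constructed sample values.

```python
import hashlib
import re
import struct

USER_NAME, USER_PASSWORD, SERVICE_TYPE = 1, 2, 6
NOT_MAC = "MAC-based authentication failed. This may be a non-MAC-based login."
# The four credential formats from the thread: 003048436665, 003048-436665, 00-30-48-43-66-65, 00:30:48:43:66:65
MAC_RE = re.compile(r"^(?:[0-9a-f]{12}|[0-9a-f]{6}-[0-9a-f]{6}|(?:[0-9a-f]{2}[-:]){5}[0-9a-f]{2})$", re.I)

def normalize_mac(text):
    # 12 lower-case hex digits if text is a MAC in an accepted format, else None
    return re.sub(r"[-:]", "", text).lower() if MAC_RE.match(text) else None

def pap_password(data, secret, authenticator, hide):
    # RFC 2865 5.2 User-Password hiding (hide=True) or unhiding (hide=False)
    if hide:
        data += b"\x00" * (-len(data) % 16)      # pad plaintext to 16-byte blocks
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        block = bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        out += block
        prev = block if hide else chunk          # chain on the ciphertext block
    return out if hide else out.rstrip(b"\x00")

def build_access_request(attrs, authenticator):
    # Constructed Access-Request (code 1) from a list of (type, value-bytes); identifier is arbitrary
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + authenticator + body

def parse_packet(packet):
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(t, []).append(packet[pos + 2:pos + l])
        pos += l
    return code, packet[4:20], attrs

def classify(packet, secret):
    # (True, mac) when User-Name is a MAC and User-Password equals it; otherwise (False, log text)
    code, authenticator, attrs = parse_packet(packet)
    if code != 1 or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        return False, NOT_MAC
    mac = normalize_mac(attrs[USER_NAME][0].decode("ascii", "replace"))
    password = pap_password(attrs[USER_PASSWORD][0], secret, authenticator, hide=False)
    if mac is None or normalize_mac(password.decode("ascii", "replace")) != mac:
        return False, NOT_MAC
    return True, mac
```

A request with Service-Type 10 (Call-Check) and a matching MAC in both attributes classifies as MAC auth exactly like a Login-User one; a username/password pair that is not a MAC yields the troubleshooting-log message.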