Re: MAC-auth only to AP needs a little guidance.



Giobbi Piero wrote:
Hi all.

I just got radius with user/password to work with my firewall and I just love it! Now I would like to make it rock with our airport basestations too. I only want MAC-authentication, I searched everywhere but I can't find a single example for this, without EAP/TLS.


Eww airports, you know they don't support accounting or dynamic vlan assignments.

Generally mac auth doesn't use EAP, but instead uses plain CHAP.

Though this really varies vendor to vendor.

Our HP switches send the mac address of the calling station as the username and then the mac address of the calling station again as the chap password.

        Framed-MTU = 1480
        NAS-IP-Address = 139.184.8.16
        NAS-Identifier = "hp-e-its-dev8021x-sw1"
        User-Name = "0017f231b481"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 2
        NAS-Port-Type = Ethernet
        NAS-Port-Id = "2"
        Called-Station-Id = "00-14-38-fb-94-3e"
        Calling-Station-Id = "00-17-f2-31-b4-81"
        Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
        CHAP-Password = 0x46c5390071718fec73572bd6a9bf101e8c

Though some do send a concatenation of the shared secret of the ap with the mac address.

If you want to validate the chap password (if included),

DEFAULT CHAP-Password =* ANY, Cleartext-Password := "%{User-Name}"

then list the CHAP module under the users file, in the authorise section.

CHAP will then set the Auth-Type to CHAP

CHAP will then validate the CHAP-Password in Authenticate and send an access accept.

It adds absolutely no extra security validating the CHAP-Password, but it does follow the normal flow of a request through FreeRadius.

I tried:

<MAC-ADDR> "shared secret" as more or less a panic try but of course it didn't work. If anyone could just give me an example or hint where to find some nice info about it, it would make me happy.

Thx

p



--
Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
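
An added example, not part of the original message and not FreeRADIUS code: a Python sketch of the check that the `Cleartext-Password := "%{User-Name}"` rule asks the server to perform on a MAC-auth request, following the CHAP-Password layout in RFC 2865. The function names and the 16-octet authenticator are constructed for illustration; the hash in the dump above cannot be reproduced here because the request's challenge is not shown in the message.

```python
import hashlib
import hmac
from typing import Optional


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """17-octet CHAP-Password: CHAP ident + MD5(ident | password | challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()


def pick_challenge(request_authenticator: bytes,
                   chap_challenge: Optional[bytes]) -> bytes:
    """RFC 2865: use the CHAP-Challenge attribute if the NAS sent one,
    otherwise the Request Authenticator field of the packet."""
    return chap_challenge if chap_challenge else request_authenticator


def validate_mac_chap(user_name: str, chap_password: bytes,
                      request_authenticator: bytes,
                      chap_challenge: Optional[bytes] = None) -> bool:
    """Validate CHAP-Password with the User-Name itself as the cleartext
    password, which is what the users-file rule above configures."""
    if len(chap_password) != 17:        # 1 ident octet + 16 octets of MD5
        return False
    challenge = pick_challenge(request_authenticator, chap_challenge)
    expected = chap_response(chap_password[0], user_name.encode("utf-8"), challenge)
    return hmac.compare_digest(expected, chap_password)


# Constructed sample request. User-Name and the CHAP ident (0x46) are taken
# from the dump above; the authenticator is made up for this example.
USER_NAME = "0017f231b481"
CHAP_ID = 0x46
REQUEST_AUTHENTICATOR = bytes(range(16))
SAMPLE_CHAP_PASSWORD = chap_response(
    CHAP_ID, USER_NAME.encode("utf-8"), REQUEST_AUTHENTICATOR)

if __name__ == "__main__":
    ok = validate_mac_chap(USER_NAME, SAMPLE_CHAP_PASSWORD, REQUEST_AUTHENTICATOR)
    print("CHAP-Password =", "0x" + SAMPLE_CHAP_PASSWORD.hex())
    print("valid:", ok)
```

Every input to the hash (ident, User-Name, challenge) travels in the same Access-Request, so the check confirms the request is well formed and nothing more.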



