MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

Alan Buxey A.L.M.Buxey at lboro.ac.uk
Sat Dec 19 10:34:39 CET 2009


Hi,

> The way how it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends an access request to the freeradius server (172.17.1.1) with username and password that are both the MAC address of the device!

correct - with the MAC in very plain format... i.e. all symbols stripped so it's just, as you wrote,
"00a0080806bd" (rather than e.g. 00a0.0808.06bd or 00:a0:08:08:06:bd or 00-a0-08-08-06-bd)


by the way, depending on what IOS you've got, this will change - the new IOS
(and this can be configured too on some previous versions) will send the
password in the form of the MD5 of the MAC address!

> That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC addresses as the UN/PW. Is there an easy way to write a script-like thing to include all of them? The MAC addresses all start with "00:a0:08". I want a logic like:

many ways to do this - you certainly don't need to play with the users file - you
might want to, e.g., put them into AD/LDAP or put them into SQL. in SQL you can set

User-Name	Attribute		Op	Value
00a0080806bd	Cleartext-Password	:=	00a0080806bd


if you KNOW that the addresses are valid, then you could scrape them... alternatively,
set the fail/guest VLAN to be behind a captive portal box and then the users get to
see a 'login page' and when they click login, you can grab their IP address and therefore
their MAC address and then insert that into SQL. just a quick idea... monday morning project.

alan
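The SQL route Alan describes, worked through as an added example that is not part of the original thread: a small script that takes the ~200 addresses in whatever spelling they were recorded in, reduces each to the bare form the switch actually sends, refuses anything outside the 00:a0:08 prefix from the question, and emits the radcheck rows. It assumes FreeRADIUS's stock SQL schema (radcheck with username, attribute, op, value); the `md5_password` option assumes the newer-IOS variant hashes the same bare lower-case string, which you would confirm with a capture as the original poster did.

```python
import hashlib
import re

# Assumed: FreeRADIUS's stock SQL schema, whose radcheck table has the
# username, attribute, op and value columns shown in Alan's reply.
OUI = "00a008"  # the prefix every device in the original question shares

def normalise_mac(mac: str) -> str:
    """Reduce any common MAC spelling (00:a0:08:08:06:bd, 00-A0-08-08-06-BD,
    00a0.0808.06bd) to the bare 12 hex digits the switch sends: 00a0080806bd."""
    bare = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(bare) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare

def radcheck_rows(macs, oui=OUI, md5_password=False):
    """Build (username, attribute, op, value) tuples for radcheck.
    Addresses outside the expected OUI are returned separately rather than
    inserted, so a typo cannot silently authorise a foreign device.
    md5_password=True assumes the newer-IOS variant from the reply hashes the
    same bare lower-case string; confirm that against a capture first."""
    rows, rejected, seen = [], [], set()
    for mac in macs:
        bare = normalise_mac(mac)
        if not bare.startswith(oui):
            rejected.append(mac)
        elif bare not in seen:  # skip duplicates: two identical checks help nobody
            seen.add(bare)
            value = hashlib.md5(bare.encode()).hexdigest() if md5_password else bare
            rows.append((bare, "Cleartext-Password", ":=", value))
    return rows, rejected

def to_sql(rows):
    """Render INSERT statements; values are validated hex, so quoting them as
    literals is safe here (use placeholders if you ever pass untrusted input)."""
    return "\n".join(
        "INSERT INTO radcheck (username, attribute, op, value) "
        f"VALUES ('{u}', '{a}', '{o}', '{v}');" for u, a, o, v in rows)

if __name__ == "__main__":
    # Constructed sample: three spellings of one device, one more, one stray OUI.
    sample = ["00:a0:08:08:06:bd", "00-A0-08-08-06-BD", "00a0.0808.06bd",
              "00:a0:08:00:00:01", "00:11:22:33:44:55"]
    rows, rejected = radcheck_rows(sample)
    print(to_sql(rows))
    print("rejected:", rejected)
```

Feed the output to your SQL client and review the rejected list by hand before loading anything.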


