EAP-TLS and MAC Authentication

John McDonnell mcdonnjd at pcam.org
Sun May 16 10:03:27 CEST 2010


> -----Original Message-----
> John McDonnell wrote:
> > I'm not doing any dynamic VLAN assignments over the wireless so I
> really don't see any need for MAC authentication and just see it as
> unneeded overhead. Is there any reason why I'm wrong with this
> assumption?
>
>   It never hurts.  You can do *both* EAP && MAC auth at the same
> time.

I don't know if you have any experience with the 1100 series access points 
from Cisco, but they have a setting called EAP and MAC authentication. I'm 
not sure how it is implemented, but I would imagine I should just set it 
to do EAP and have FR itself do the MAC check as part of the 
authorization?

> It stops people who share their passwords.  If you do login
> tracking, you can see if two MACs have logged in at the same time,
> too.

This was why I was originally going to enable both EAP and MAC but then 
wondered if it would just be overhead since I plan on going the 
certificate route. Right now, the only laptops we want to allow on the 
wireless network are the ones that we received from the Classrooms for the 
Future (CFF) grant. This summer I will be touching each of these computers 
(I'll be imaging all of the student laptops and updating the teacher ones 
individually) and will install the certificates during the procedure.

>   This stops a large percentage of bad behavior.
>
>   If you're *not* tracking MACs right now, you have no idea who's
> on your network.
>
>   Alan DeKok.

We're not really tracking MACs per se right now, we only require the MAC 
to be a valid MAC. We don't check for duplicates. Combined with using WEP, 
it currently makes for a very insecure network, hence why I want to switch 
to using certificates. I've learned a lot about how RADIUS, and FR in 
particular, works in the past year, but I still have a lot to learn. I 
understand a new book on FR has been in the works, which would be a great 
help I'm sure. In the meantime, I try to keep track of the users list and 
do some reading (a lot of it outdated) on the web.

The goal of my updates to the wireless network over the summer is to make 
the network more secure without our users actually having to do anything 
different. Whether that's installing certificates or using PEAP with the 
username/password saved on the laptop, we don't currently want to make 
things more difficult for the teachers/students. Hopefully one of the 
updates my boss will be doing over the summer will be to get LDAP working 
properly at which point switching to TTLS or PEAP will become much more 
attractive than they currently are.

I suppose doing the MAC authentication wouldn't really add much overhead 
at all if done by the FR server itself and not separate calls from the AP, 
so I will look into how to do this. Any pointers or hints would be greatly 
appreciated.

-- 
John McDonnell
Penn Cambria School District
mcdonnjd at pcam.org
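A worked configuration for the approach discussed above: the MAC check is done by FreeRADIUS itself in the authorize section before EAP-TLS runs, and Simultaneous-Use covers the "two MACs logged in on one identity" case. This is an added example, not the poster's or the FreeRADIUS project's own configuration; it uses FreeRADIUS 2.x syntax, and the module instance name authorized_macs, the file paths and the MAC values are assumptions or constructed samples.

```unlang
# --- raddb/modules/files (FreeRADIUS 2.x) ---
# Second instance of the "files" module, keyed on the client MAC instead
# of User-Name, so the lookup file is indexed by Calling-Station-Id.
# Instance name and file name are assumptions for this example.
files authorized_macs {
	key = "%{Calling-Station-Id}"
	usersfile = ${confdir}/authorized_macs
	compat = no
}

# --- raddb/authorized_macs ---
# One entry per CFF laptop, in lower-case dash-separated form.
# MAC values are constructed samples.
00-1a-2b-3c-4d-5e
	Reply-Message = "CFF student laptop 01"
00-1a-2b-3c-4d-5f
	Reply-Message = "CFF teacher laptop 01"

# --- raddb/sites-enabled/default, "authorize" section ---
authorize {
	preprocess

	# APs send the MAC in different forms (00:1a:..., 001a.2b3c...,
	# 00-1A-...). This policy from raddb/policy.conf normalises
	# Calling-Station-Id to xx-xx-xx-xx-xx-xx so the lookup is
	# format-independent.
	rewrite_calling_station_id

	# MAC allow-list check inside FreeRADIUS: no separate MAC-auth
	# round trip from the AP. Unknown hardware is rejected before
	# the EAP conversation starts.
	authorized_macs
	if (!ok) {
		reject
	}

	# Known hardware continues to EAP-TLS; the client certificate
	# must still verify against the configured CA.
	eap
	files
}

# --- raddb/users ---
# Cap each identity at one concurrent session. A shared credential
# used from a second MAC is then refused; this relies on the AP
# sending accounting and on radutmp in the session/accounting sections.
DEFAULT	Simultaneous-Use := 1
```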