MAC Authentication - Bad Idea?

Alan DeKok aland at deployingradius.com
Wed Feb 2 19:54:21 CET 2011


Jim Rice wrote:
> Still a newbie, but getting there...  (Alan, do you ever sleep?)

  In a word: no.

> I have been asked to implement MAC authentication for a local service provider with a Canopy radio network and MikroTik routers.  No, really.
> 
> I was able to test this and received Access-Accept after placing the MAC address in the UserName (Password is ""), but had to set Auth-Type := Accept.

  Hmm... that's probably not the best way to do it, but if it works...

  I'd like to write a "MAC auth howto" guide for NAS implementors.  It
will mostly say "you're doing it wrong".  Which isn't much of surprise,
I guess.

> I haven't found much in the way of documentation regarding MAC authentication in some of the "dated" books I have on Radius and 802.1x, nor in the FreeRadius docs.

  It all depends on what the NAS sends, unfortunately.  And every NAS
sends something different.

> The goal is to provide for different classes of service, bandwidth management, accounting, etc.  I imagine some of this can be done through vendor specific attributes to dynamically configure the routers (VLANs, data rates, priority queues and such), based on which group a user belongs.
> 
> Dumb question #1:  Just because you can do a thing, it doesn't mean you should.  Can someone give me the "you idiot" speech and talk me out of this?

  Do MAC auth.  Really.  It's not hard, and it's useful.

  The main thing is to normalize the MACs from the NAS before you look
them up in the DB.  Again, every NAS sends something different.

> Deploying client certificates to every device in their network seems an administrative nightmare.  Using usernames/passwords doesn't make sense since most devices will always be connected.  In the days of dial-up, users understood having to "login" to connect.  Today, not so much.
> 
> So, are there better alternatives?  Or am I still just a clueless newbie?

  Do MAC auth.  Wait 2-3 years, upgrade to 802.1X everywhere.

  Alan DeKok.
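The normalization step Alan recommends, written out as an added example (this is not code from the thread or from FreeRADIUS itself). It assumes a handful of MAC spellings that NASes commonly send in User-Name or Calling-Station-Id (colon, dash, space, Cisco dotted-quad, bare hex) and a constructed lookup table keyed by the canonical lowercase colon form; unknown or malformed MACs are rejected rather than blanket-accepted the way `Auth-Type := Accept` does.

```python
import re
from typing import Optional, Tuple

# Spellings a NAS might send (assumption: typical forms, not from any vendor doc).
#   00:11:22:aa:bb:cc   00-11-22-aa-bb-cc   00 11 22 aa bb cc
#   0011.22aa.bbcc      0011-22aa-bbcc      001122aabbcc
_SEP6 = re.compile(r"^[0-9a-f]{2}([:\- ])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$")
_SEP3 = re.compile(r"^[0-9a-f]{4}([.\-])[0-9a-f]{4}\1[0-9a-f]{4}$")
_FLAT = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return the MAC as lowercase 'aa:bb:cc:dd:ee:ff', or None if raw is not a MAC."""
    s = raw.strip().lower()
    if not (_SEP6.match(s) or _SEP3.match(s) or _FLAT.match(s)):
        return None
    digits = re.sub(r"[^0-9a-f]", "", s)  # separators are validated above
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Constructed example table: canonical MAC -> service class.  In a real
# deployment this is the DB that the NAS-supplied value is normalized for.
MAC_DB = {
    "00:11:22:aa:bb:cc": "residential",
    "66:77:88:99:aa:bb": "business",
}


def authorize(user_name: str, password: str) -> Tuple[str, Optional[str]]:
    """Decide Access-Accept/Reject for a MAC-auth request.

    The NAS sends the MAC in User-Name with an empty password (as in the
    thread), so the password carries no information and is not checked;
    the decision rests entirely on whether the normalized MAC is known.
    """
    mac = normalize_mac(user_name)
    if mac is None:
        return ("Access-Reject", None)  # not a MAC at all: don't guess
    group = MAC_DB.get(mac)
    if group is None:
        return ("Access-Reject", None)  # unknown device
    return ("Access-Accept", group)


if __name__ == "__main__":
    for sample in ["00:11:22:AA:BB:CC", "0011.22aa.bbcc", "001122AABBCC",
                   "66-77-88-99-AA-BB", "00:11:22:aa:bb", "jim"]:
        print(f"{sample!r:22} -> {normalize_mac(sample)!s:20} {authorize(sample, '')}")
```

The group returned by `authorize` is the hook for the per-class VLAN, rate-limit and queue attributes the thread mentions; whatever you key the table on, run every incoming value through the same normalizer so that the Canopy radios and the MikroTik routers end up hitting the same rows.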


