MAC Authentication - Bad Idea?

Alan DeKok aland at deployingradius.com
Thu Feb 3 09:53:53 CET 2011


Jim Rice wrote:
> The MikroTik routers can be configured to send a variety of MAC address formats, the default is XX:XX:XX:XX:XX:XX

  Which isn't the format recommended by the RFCs <sigh>.

> It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.

  There isn't much benefit... but both are bad ideas.

>>> but had to set Auth-Type := Accept.
>>   Hmm... that's probably not the best way to do it,
>> but if it works...
> 
> Is there a best (or better) way?

  Not really, unfortunately.

> Do I need to be concerned with MAC spoofing?

  Of course.

  Alan DeKok.



More information about the Freeradius-Users mailing list