MAC authentication Auth Key Mgmt

Matthew Ceroni matthewceroni at gmail.com
Thu Oct 17 01:30:08 CEST 2013


Hi:

I have deployed a wireless network that authenticates with WPA2 with
802.1X key management. RADIUS is configured to validate users against Active
Directory.

Our company was recently bought out and we routinely have employees of
the parent company come to our office who need to use the
wireless network (eventually wired as well). The integration of our
domains is still a few months out. So the problem I have is that, since
802.1X is tied into Windows user credentials, they are not able to
authenticate as their users are not in our AD domain.

Therefore I wanted to authenticate them via their MAC address. So I
read up on authenticating with MACs and set up my default vhost as
follows:

        # authorize section: look the calling station up in the authorized_macs file
        authorized_macs
        if (ok) {
                # if MAC is known ACCEPT
                update control {
                        Auth-Type := Accept
                }
        }
        else {
                # unknown MAC: fall back to EAP against AD
                eap {
                        ok = return
                }

                update reply {
                        Tunnel-Type:1 := 13
                        Tunnel-Medium-Type:1 := 6
                }

                if (Ldap-Group == "netCoreClass-IT") {
                        update reply {
                                Tunnel-Private-Group-Id:1 := 102
                        }
                }
        }

So authenticate if the MAC is known, else go through the normal
authentication process of validating their AD credentials.

This appears to work, sort of, in that it returns an Access-Accept if
the MAC is known. However, and this is where my knowledge is lacking,
I don't think it is then agreeing on an encryption key. When
validating with credentials (and running RADIUS in debug mode) there
are many more Access-Challenge and Response packets, which I am
assuming are messages to generate and agree on the management key. When
validation occurs just on the MAC address I don't see all those extra
messages and the device never fully authenticates on the WiFi.

The Access-Accept response when using credentials is:

Sending Access-Accept of id 134 to 192.168.102.7 port 32769
        Tunnel-Type:1 = VLAN
        Tunnel-Medium-Type:1 = IEEE-802
        Tunnel-Private-Group-Id:1 = "102"
        User-Name = "mceroni"
        MS-MPPE-Recv-Key =
0x6118d49fe07452919f832d8cb45c721f39e693cdb05270d48c1d74c8d67e975e
        MS-MPPE-Send-Key =
0xcc7af786ff05d3d840ffc5752e46ea33ab3c933ab50b300a6e4f37aa47fc4293
        EAP-Message = 0x030c0004
        Message-Authenticator = 0x00000000000000000000000000000000

Whereas with MAC it is:

Sending Access-Accept of id 135 to 192.168.102.7 port 32769
        Reply-Message = "Testing Device MAC Address e8-99-c4-7c-16-b9"
        Tunnel-Type:1 := VLAN
        Tunnel-Medium-Type:1 := IEEE-802
        Tunnel-Private-Group-Id:1 := "102"

It is missing the MS-MPPE parameters, which, after googling, I believe have
to do with the authentication key used for encryption.

Thanks in advance
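The difference between the two Access-Accepts above is the presence of the MS-MPPE-Recv-Key / MS-MPPE-Send-Key attributes, which the access point needs to derive the pairwise master key for the WPA2 4-way handshake. As an added example (not from the original post or FreeRADIUS itself), the script below parses `freeradius -X` style output and flags every Access-Accept that carries no MPPE keys; the embedded debug text is constructed to mirror the two packets shown above, with placeholder key bytes.

```python
import re

# Constructed sample of freeradius -X output: an EAP accept carrying MPPE keys
# followed by a MAC-bypass accept without them (key bytes are fake placeholders).
SAMPLE_DEBUG = """\
Sending Access-Accept of id 134 to 192.168.102.7 port 32769
        Tunnel-Type:1 = VLAN
        Tunnel-Private-Group-Id:1 = "102"
        User-Name = "example-user"
        MS-MPPE-Recv-Key =
0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
        MS-MPPE-Send-Key =
0xffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
        EAP-Message = 0x030c0004
Sending Access-Accept of id 135 to 192.168.102.7 port 32769
        Reply-Message = "Testing Device MAC Address 00-11-22-33-44-55"
        Tunnel-Type:1 := VLAN
        Tunnel-Private-Group-Id:1 := "102"
"""

HEADER = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+) port (\d+)")
ATTR = re.compile(r"^\s+([\w-]+(?::\d+)?)\s*:?=\s*(.*)$")   # "Name = v" or "Name := v"
KEY_ATTRS = ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key")

def parse_accepts(debug_text):
    """Return [{'id': int, 'peer': 'ip:port', 'attrs': {name: value}}, ...]."""
    accepts, current, pending = [], None, None
    for line in debug_text.splitlines():
        if m := HEADER.match(line):
            current = {"id": int(m[1]), "peer": f"{m[2]}:{m[3]}", "attrs": {}}
            accepts.append(current)
            pending = None
        elif current is None:
            continue
        elif pending and line.strip():
            # long value (e.g. a 32-byte MPPE key) wrapped onto its own line
            current["attrs"][pending] = line.strip()
            pending = None
        elif not line.startswith((" ", "\t")):
            current = None          # any other unindented line ends the packet
        elif m := ATTR.match(line):
            name, value = m[1], m[2].strip()
            if value:
                current["attrs"][name] = value
            else:
                pending = name      # value continues on the following line
    return accepts

def missing_mppe_keys(debug_text):
    """IDs of accepts with no MPPE keys: the AP cannot derive a PMK from these,
    so a WPA2-Enterprise client never completes the 4-way handshake."""
    return [a["id"] for a in parse_accepts(debug_text)
            if not all(k in a["attrs"] for k in KEY_ATTRS)]
```

Running `missing_mppe_keys(SAMPLE_DEBUG)` on the constructed sample reports only packet 135, the MAC-bypass accept; on real debug output it gives a quick list of which accepts will leave the client stuck at key agreement.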
