MAC authentication Auth Key Mgmt

Alan DeKok aland at deployingradius.com
Thu Oct 17 01:45:34 CEST 2013


Matthew Ceroni wrote:
> Our company was recently bought out and we routinely have employees of
> the parent company come to our office and they need to use the
> wireless network (eventually wired as well). The integration of our
> domains is a few months out still. So the problem I have is that since
> 802.1x is tied into Windows user credentials they are not able to
> authenticate as their users are not in our AD domain.

  Why not proxy those requests to the parent RADIUS server?  Or do they
even have a parent RADIUS server... ?

> Therefore I wanted to authenticate them via their MAC address. So I
> read up on authenticating with MACs and set up my default vhost as
> follows:
> 
>         authorized_macs
>         if (ok) {
>                 # if MAC is known ACCEPT
>                 update control {
>                         Auth-Type := Accept
>                 }

  That won't really work.  The entire point of EAP is to have a secure
authentication method.  You can't bypass it.

> This appears to work, sort of. In that it returns an Access-Accept if
> the MAC is known. However, and here is where my knowledge is lacking,
> I don't think it is then agreeing on an encryption key. 

  Exactly.  It's *impossible* to bypass the encryption key step.  EAP is
designed to make it impossible.

> Missing the MS-MPPE parameters, which after googling I believe have to
> do with the authentication key used for encryption.

  Yes.  And you can't just generate it.  You MUST do the complete EAP
exchange.

  Your best bet is to proxy those requests to the parent RADIUS server.
 Or, set up a separate guest SSID, and do MAC authentication on it.

  Alan DeKok.
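
Where the MS-MPPE keys discussed above come from, as an added example that is not part of the original post or of FreeRADIUS itself. It assumes a TLS-based EAP method using the TLS 1.2 PRF and the RFC 5216 key derivation (the thread does not name the EAP method); the master secret and randoms are constructed sample values.

```python
import hashlib
import hmac
import os

LABEL = b"client EAP encryption"  # key-derivation label from RFC 5216


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash expansion with HMAC-SHA256 (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_mppe_keys(master_secret: bytes, client_random: bytes,
                     server_random: bytes) -> tuple[bytes, bytes]:
    """Return (MS-MPPE-Recv-Key, MS-MPPE-Send-Key) = MSK[0:32], MSK[32:64]."""
    seed = LABEL + client_random + server_random
    msk = p_sha256(master_secret, seed, 128)[:64]
    return msk[:32], msk[32:64]


def handshake_outcome() -> dict:
    """Compare keys after a full EAP exchange with keys after a forced accept."""
    # Constructed stand-ins for the state a completed TLS handshake leaves
    # on BOTH the supplicant and the RADIUS server.
    master_secret = bytes(range(48))
    client_random, server_random = b"\x11" * 32, b"\x22" * 32

    supplicant = derive_mppe_keys(master_secret, client_random, server_random)
    server = derive_mppe_keys(master_secret, client_random, server_random)

    # Forced accept without EAP: no handshake happened, so the server holds
    # no master secret. Anything it sent would be unrelated to the
    # supplicant's state; random bytes model that here.
    invented = (os.urandom(32), os.urandom(32))

    return {
        "eap_keys_match": supplicant == server,      # AP and client agree
        "bypass_keys_match": supplicant == invented, # 4-way handshake fails
        "pmk_len": len(server[0]),  # the AP uses MS-MPPE-Recv-Key as the PMK
    }


if __name__ == "__main__":
    print(handshake_outcome())
```
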

