MAC authentication Auth Key Mgmt

Matthew Ceroni matthewceroni at gmail.com
Thu Oct 17 02:36:14 CEST 2013


Thanks. I figured that would be the answer. I will come up with a solution
based on your recommendations.
On Oct 16, 2013 4:51 PM, "Alan DeKok" <aland at deployingradius.com> wrote:

> Matthew Ceroni wrote:
> > Our company was recently bought out and we routinely have employees of
> > the parent company come to our office and they need to use the
> > wireless network (eventually wired as well). The integration of our
> > domains is a few months out still. So the problem I have is that since
> > 802.1x is tied into Windows user credentials they are not able to
> > authenticate as their users are not in our AD domain.
>
>   Why not proxy those requests to the parent RADIUS server?  Or do they
> even have a parent RADIUS server... ?
>
> > Therefore I wanted to authenticate them via their MAC address. So I
> > read up on authenticating with MACs and set up my default vhost as
> > follows:
> >
> >         authorized_macs
> >         if (ok) {
> >                 # if MAC is known ACCEPT
> >                 update control {
> >                         Auth-Type := Accept
> >                 }
>
>   That won't really work.  The entire point of EAP is to have a secure
> authentication method.  You can't bypass it.
>
> > This appears to work, sort of. In that it returns an Access-Accept if
> > the MAC is known. However, and this is where my knowledge is lacking,
> > I don't think it is then agreeing on an encryption key.
>
>   Exactly.  It's *impossible* to bypass the encryption key step.  EAP is
> designed to make it impossible.
>
> > Missing the MS-MPPE parameters, which after googling I believe have to
> > do with the authentication key used for encryption.
>
>   Yes.  And you can't just generate it.  You MUST do the complete EAP
> exchange.
>
>   Your best bet is to proxy those requests to the parent RADIUS server.
>  Or, set up a separate guest SSID, and do MAC authentication on it.
>
>   Alan DeKok.
>
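
An added illustration, not part of the original thread and not FreeRADIUS code: it shows where the MS-MPPE keys discussed above come from, and why an Access-Accept forced by a MAC lookup has none to send. It assumes a TLS-based EAP method (EAP-TLS or PEAP) negotiated over TLS 1.2 (TLS 1.0/1.1 use a different PRF); the master secret, randoms and reply contents are constructed sample values.

```python
import hashlib
import hmac

LABEL = b"client EAP encryption"  # key-export label, RFC 5216 section 2.3


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion of the TLS 1.2 PRF (RFC 5246 section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive_mppe_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Derive the MSK from one TLS session and split it into the two RADIUS attributes."""
    material = p_sha256(master_secret, LABEL + client_random + server_random, 128)
    msk = material[:64]  # MSK = first 64 octets of the exported key material
    return {"MS-MPPE-Recv-Key": msk[:32], "MS-MPPE-Send-Key": msk[32:]}


def accept_can_key_wpa(reply: dict) -> bool:
    """True only if an Access-Accept carries both 32-octet keys the AP needs."""
    return all(len(reply.get(k, b"")) == 32
               for k in ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"))


# Constructed sample values standing in for one completed EAP-TLS/PEAP handshake.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

# Constructed reply for a request accepted by forcing Auth-Type := Accept:
# no TLS session ever existed, so there is nothing to feed the derivation,
# and the supplicant has no matching key on its side either.
FORCED_ACCEPT = {"Reply-Message": b"MAC known"}

if __name__ == "__main__":
    eap_accept = derive_mppe_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("EAP accept can key WPA:   ", accept_can_key_wpa(eap_accept))
    print("forced accept can key WPA:", accept_can_key_wpa(FORCED_ACCEPT))
```

The supplicant runs the same derivation from its end of the TLS session, which is why the server cannot substitute keys of its own choosing.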


More information about the Freeradius-Users mailing list