EAP used for plain MAC authentication?
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jan 5 12:38:23 CET 2015
On 03/01/15 23:16, jm+freeradiususer at roth.lu wrote:
> In this case, the switch supports EAP MD5 functionality with the
> username and password equal to the client MAC address
> --end quote--
>
> It's mainly that last sentence that I'm wondering about.

Yeah, a couple of vendors do that (Juniper, for example). A "MAC auth"
request is sent as an EAP-MD5 request with the username and password as
the MAC address.

Personally I think this is idiotic at best, and insecure at worst. In
particular, if the requests don't contain an attribute to distinguish
between EAP-based MAC-auth and real user-based EAP - and some vendors
don't - a real user can just set their username and password to their
MAC address and waltz right in.
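
Added example, not part of the original post and not FreeRADIUS code: one way a policy layer could keep EAP-MD5 MAC-auth requests apart from real user EAP-MD5 requests. The `classify` function, the `marker` parameter, the result labels, and the use of `Service-Type = Call-Check` as the distinguishing attribute are assumptions (which attribute a given switch sends, if any, is site-specific); the sample requests are constructed.

```python
import re

def norm_mac(value):
    """Return 12 lowercase hex digits if value looks like a MAC address, else None."""
    if not isinstance(value, str):
        return None
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def classify(req, marker=None):
    """Decide which credential store an EAP-MD5 Access-Request may be checked against.

    req    -- dict of request attributes (constructed samples below)
    marker -- (attribute, value) the NAS is known to add to MAC-auth requests,
              or None when it adds nothing (site-specific assumption)
    """
    user_mac = norm_mac(req.get("User-Name"))
    station_mac = norm_mac(req.get("Calling-Station-Id"))
    if marker is not None and req.get(marker[0]) == marker[1]:
        # NAS says this is MAC auth: the identity must be the MAC seen on the port.
        return "mac-auth" if user_mac and user_mac == station_mac else "reject"
    if user_mac is None:
        return "user-eap"      # ordinary user name: check the user store only
    if marker is not None:
        return "reject"        # MAC-shaped name, but the NAS did not flag MAC auth
    # No marker at all: a MAC-auth request and a supplicant configured with its
    # own MAC look identical, so grant device-level access at most.
    return "mac-auth-only" if user_mac == station_mac else "reject"

# Constructed sample requests (not taken from the original post).
MARKER = ("Service-Type", "Call-Check")   # assumed marker; depends on the NAS
SWITCH_MAB = {"User-Name": "001122aabbcc", "Service-Type": "Call-Check",
              "Calling-Station-Id": "00-11-22-AA-BB-CC"}
SUPPLICANT = {"User-Name": "00:11:22:aa:bb:cc",
              "Calling-Station-Id": "00-11-22-AA-BB-CC"}
REAL_USER = {"User-Name": "alice", "Calling-Station-Id": "00-11-22-AA-BB-CC"}
MISMATCH = {"User-Name": "deadbeef0001", "Calling-Station-Id": "00-11-22-AA-BB-CC"}

if __name__ == "__main__":
    samples = [("switch", SWITCH_MAB), ("supplicant", SUPPLICANT),
               ("user", REAL_USER), ("mismatch", MISMATCH)]
    for name, req in samples:
        print(f"{name:10} marker={classify(req, MARKER):13} no-marker={classify(req)}")
```

With a marker, the supplicant-typed MAC is rejected outright; without one, the best the server can do is cap such sessions at whatever access a bare MAC-auth device would get.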