EAP used for plain MAC authentication?
Nick Lowe
nick.lowe at gmail.com
Mon Jan 5 14:23:12 CET 2015
On Mon, Jan 5, 2015 at 1:16 PM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 05/01/15 12:24, Nick Lowe wrote:
>
>> Do these switches or APs not use a Service-Type of Call-Check when
>> performing MAC auth then? I would be barking at the vendor if that was
>> missing.
>>
>
> No, they do not.
>
> As for barking at the vendor, in my experience you might as well bark at
> the moon for all the good it will do. I've wasted enough time with vendors
> over the last 15 years - they speak money only, I've never once succeeded
> in getting them to correct a design mis-step on technical grounds.
>
I pointed out to Aerohive that they were missing the Service-Type AVP on
all but 802.1X authentication. It got fixed in a subsequent software
release.
>
>
>> While using an EAP type is rather pointless for MAC address
>> authentication, there isn't an intrinsic problem doing so. I don't think
>> it's idiotic.
>>
>
> It's been a while since I looked, but doesn't it incur another round-trip?
Yes, you're right, but I think it's subjective if that pushes it in to
idiotic territory - I normally reserve that classification for more serious
things.
I don't think that will tangibly negatively affect many environments.
Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150105/da6f0f7d/attachment.html>
More information about the Freeradius-Users
mailing list