Plain Mac-Auth - server accepts but client does not connect

Alan DeKok aland at deployingradius.com
Tue Jan 12 22:11:15 CET 2016


On Jan 12, 2016, at 3:55 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> I'm curious about your assertion.  I'm just starting to deploy FreeRADIUS in order to do mac auth
> for a wireless network (Aruba), and I've been following:
> 
> http://wiki.freeradius.org/guide/mac-auth#plain-mac-auth
> 
> which seems to contradict your claim.  I'm curious if I am misunderstanding something.

  Yes.

  EAP is *required* for wireless networks.

  Mac auth can *reject* on wireless networks.  It cannot cause the user to be authenticated on wireless networks.  This is because the session requires 802.1X session keys, which are derived from a *successful* EAP authentication.

  For wired networks without 802.1X, you can do Mac auth.

  For wired networks with 802.1X and *not* Macsec, you can force a user online with Mac auth, by faking the EAP success.

  For wired networks with 802.1X and Macsec, Mac auth can reject a user.   It cannot cause the user to be authenticated.  This is because the session requires Macsec session keys, which are derived from a *successful* EAP authentication.

  Alan DeKok.
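The key dependency described in the message above, as an added example that is not part of the original post or of FreeRADIUS. It assumes WPA2-Enterprise with CCMP, where the PMK is the first 32 octets of the EAP MSK and the PTK comes from the IEEE 802.11 SHA-1 PRF; the `accept` dicts, the `msk` field name and all sample values are constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1 over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK for CCMP (48 octets: KCK | KEK | TK), as both AP and client compute it."""
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)

def pmk_from_accept(accept: dict):
    """Return the PMK an AP can take from an Access-Accept, or None.

    Only a completed EAP method produces an MSK. A plain MAC-auth
    Access-Accept carries none, so there is nothing to derive from.
    """
    msk = accept.get("msk")  # hypothetical field holding the EAP MSK
    if msk is None or len(msk) < 64:
        return None
    return msk[:32]

def session_keys(accept: dict, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK if the 4-way handshake can run, None if the session cannot be keyed."""
    pmk = pmk_from_accept(accept)
    if pmk is None:
        return None
    return derive_ptk(pmk, aa, spa, anonce, snonce)

# Constructed sample values (not captured traffic).
AA = bytes.fromhex("020000000001")       # AP MAC
SPA = bytes.fromhex("020000000002")      # client MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAP_ACCEPT = {"code": "Access-Accept", "msk": bytes(range(64))}
MAC_AUTH_ACCEPT = {"code": "Access-Accept"}   # accepted, but no key material

if __name__ == "__main__":
    print("EAP:     ", session_keys(EAP_ACCEPT, AA, SPA, ANONCE, SNONCE).hex())
    print("MAC auth:", session_keys(MAC_AUTH_ACCEPT, AA, SPA, ANONCE, SNONCE))
```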



