FreeRADIUS Authentication/Authorization

Luiz Fernando Mizael Meier lfmmeier at gmail.com
Wed Nov 9 14:57:40 CET 2016


Matthew,

Thanks for your answer. We've been thinking and we'll probably go to SQL.
Today we already validate via SQL the MAC addresses (in authorization
step). I was thinking of some way to ignore the username/password (in
authentication step) if it is one of these special machines, once there is
no way to not prompt them to.

Thanks in advance.

Luiz

2016-11-09 11:24 GMT-02:00 Matthew Newton <mcn4 at leicester.ac.uk>:

> On Wed, Nov 09, 2016 at 10:45:49AM -0200, Luiz Fernando Mizael Meier wrote:
> > Today we have a PSK SSID and it is a mess. We change the password and
> > after a week the whole world already knows the password again.
>
> Which is the problem with shared secrets.
>
> > Now we have some computers to run specific software. These machines
> > aren't joined to our domain and we don't want them to. They are just a
> > terminal for specific use only. The problem with the PSK is the security.
>
> Sounds like the ideal situation for EAP-TLS and certificates.
>
> > If we could validate these machines via MAC and not asking for
> > username/password would be the perfect scenario. I thought I could do this
> > authorization based on the link below, but I think I am misunderstanding
> > something.
>
> The options are:
>
>  - 802.1X (EAP) on its own
>  - 802.1X *and* MAC auth
>  - MAC auth
>
> As this is wireless, you're stuck with the 802.1X bit unless you
> do PSK. So you can either do it on its own, or in combination with
> MAC auth.
>
> Some wireless systems will let you do PSK with MAC auth against
> RADIUS IIRC.
>
> But MAC auth isn't really "auth", more like a filter with very
> large holes.
>
> So as I wrote before. You can't do 802.1X/EAP MAC-auth only.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>