<p dir="ltr">Thanks. I figured that would be the answer. I will come up with a solution based on your recommendations.</p>
<div class="gmail_quote">On Oct 16, 2013 4:51 PM, "Alan DeKok" <<a href="mailto:aland@deployingradius.com">aland@deployingradius.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Matthew Ceroni wrote:<br>
> Our company was recently bought out and we routinely have employees of<br>
> the parent company come to our office and they need to use the<br>
> wireless network (eventually wired as well). The integration of our<br>
> domains is a few months out still. So the problem I have is that since<br>
> 802.1x is tied into Windows user credentials they are not able to<br>
> authenticate as their users are not in our AD domain.<br>
<br>
Why not proxy those requests to he parent RADIUS server? Or do they<br>
even have a parent RADIUS server... ?<br>
<br>
> Therefore I wanted to authenticate them via their MAC address. So I<br>
> read up on authenticating with MACS and setup my default vhost as<br>
> follows:<br>
><br>
> authorized_macs<br>
> if (ok) {<br>
> # if MAC is known ACCEPT<br>
> update control {<br>
> Auth-Type := Accept<br>
> }<br>
<br>
That won't really work. The entire point of EAP is to have a secure<br>
authentication method. You can't bypass it.<br>
<br>
> This appears to work, sort of. In that it returns an Access-Accept if<br>
> the MAC is known. However, and there is where my knowledge is lacking,<br>
> I don't think it is then agreeing on an encryption key.<br>
<br>
Exactly. It's *impossible* to bypass the encryption key step. EAP is<br>
designed to make it impossible.<br>
<br>
> Missing the MS-MPPE parameters, which after googling I believe have to<br>
> do with the authentication key used for encryption.<br>
<br>
Yes. And you can't just generate it. You MUST do the complete EAP<br>
exchange.<br>
<br>
Your best bet is to proxy those requests to the parent RADIUS server.<br>
Or, set up a separate guest SSID, and do MAC authentication on it.<br>
<br>
Alan DeKok.<br>
-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div>