Matthew Ceroni wrote:
Our company was recently bought out and we routinely have employees of the parent company come to our office and they need to use the wireless network (eventually wired as well). The integration of our domains is a few months out still. So the problem I have is that since 802.1x is tied into Windows user credentials they are not able to authenticate as their users are not in our AD domain.
Why not proxy those requests to he parent RADIUS server? Or do they even have a parent RADIUS server... ?
Therefore I wanted to authenticate them via their MAC address. So I read up on authenticating with MACS and setup my default vhost as follows:
authorized_macs if (ok) { # if MAC is known ACCEPT update control { Auth-Type := Accept }
That won't really work. The entire point of EAP is to have a secure authentication method. You can't bypass it.
This appears to work, sort of. In that it returns an Access-Accept if the MAC is known. However, and there is where my knowledge is lacking, I don't think it is then agreeing on an encryption key.
Exactly. It's *impossible* to bypass the encryption key step. EAP is designed to make it impossible.
Missing the MS-MPPE parameters, which after googling I believe have to do with the authentication key used for encryption.
Yes. And you can't just generate it. You MUST do the complete EAP exchange. Your best bet is to proxy those requests to the parent RADIUS server. Or, set up a separate guest SSID, and do MAC authentication on it. Alan DeKok.