-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On 01/12/2016 04:11 PM, Alan DeKok wrote:
On Jan 12, 2016, at 3:55 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
I'm curious about your assertion. I'm just starting to deploy FreeRADIUS in order to do mac auth for a wireless network (Aruba), and I've been following:
http://wiki.freeradius.org/guide/mac-auth#plain-mac-auth
which seems to contradict your claim. I'm curious if I am misunderstanding something.
Yes.
EAP is *required* for wireless networks.
Mac auth can *reject* on wireless networks. It cannot cause the user to be authenticated on wireless networks. This is because the session requires 802.1X session keys, which are derived from a *successful* EAP authentication.
For wired networks without 802.1X, you can do Mac auth.
For wired networks with 802.1X and *not* Macsec, you can force a user online with Mac auth, by faking the EAP success.
For wired networks with 802.1X and Macsec, Mac auth can reject a user. It cannot cause the user to be authenticated. This is because the session requires Macsec session keys, which are derived from a *successful* EAP authentication.
Alan DeKok.
That means that FreeRadius can't be used at all to allow devices that don't support EAP (smart TVs, wireless sensors, etc) to join any SSID? Is the wiki wrong or am I missing the clarification in the documentation? - -- Munroe Sollog LTS - Network Analyst x85002 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJWlXAeAAoJEPbbZiWCKDVCs9UH/2fKvL+YOYZYQThoGBgiOrA6 3kyBxijPIzhUAtmNJzhl9PwMdrOn8SJlooofbm1wrdHTO0vtNH4aLeJTrBmYizpT afSvX+eiRlZ7/pKEAyDV3Fxdax4bLhMQXQDNr+J7iI1pMlRaE5YzWJYs/dA1vM40 oHXkpk4R/yb3vtzLt6MAo6mY+vizxYa6tyUK+0p4h+vpKPehPxA+jTPYGmyenTFo n+f3I4iZIrCUmdaOFRLqWGqPf7srtFOV/LKiowNW796usTleiTfPkZBc5FkXmwMS m8Q4jF0b2QFAq+v6mRYWMyn2DPheXb6KptgQlkW302VbbP9Ai8v81XZXrIwwG2w= =ryyf -----END PGP SIGNATURE-----