On Oct 20, 2018, at 8:38 AM, Hans-Christian Esperer <hc@hcesperer.org> wrote:
Well, we don't even know yet what the original poster's intention was.
That's where it's helpful to ask good questions. And give useful information, like "we're using WiFi with EAP".
Maybe it can be solved in a secure and a less secure way? Why point out the less secure way first?
Because of the vague nature of the question. The MAC approach is almost always available.
All I meant to do was point out that the mac approach has disadvantages to the original approach,
Which was what? The "original approach" didn't actually describe the authentication that was being used.
maybe that's something that wasn't taken into consideration by the original poster.
At this point, we're all just guessing.
On a personal sidenode, my original motivation to look into freeradius in the first place was precisely that I wanted to avoid them portals. =) Not only are they utterly insecure, they are also incredibly inconvenient if what you want is a stable and long lived wifi connection...
Hotspot 2.0 is supposed to solve a lot of these problems. My point is that it's not useful to complain about the insecurity of MAC addresses. Everyone knows, and has known for years. So comments like this: "I don't understand at all why MAC addresses are used everywhere in security relevant contexts" Just show a lack of understanding of *how* things work. Since solutions are driven by available information, the answer to "why" is simple: It's often the only choice. Alan DeKok.