5 Jan
2015
5 Jan
'15
6:38 a.m.
On 03/01/15 23:16, jm+freeradiususer@roth.lu wrote:
In this case, the switch supports EAP MD5 functionality with the username and password equal to the client MAC address --end quote--
It's mainly that last sentence that I'm wondering about.
Yeah, a couple of vendors do that (Juniper, for example). A "MAC auth" request is sent as an EAP-MD5 request with the username and password as the MAC address. Personally I think this is idiotic at best, and insecure at worst. In particular, if the requests don't contain an attribute to distinguish between EAP-based MAC-auth and real user-based EAP - and some vendors don't - a real user can just set their username and password to their MAC address and waltz right in.