John McDonnell wrote:
I don't know if you have any experience with the 1100 series access points from Cisco, but they have a setting called EAP and MAC authentication. I'm not sure how it is implemented, but I would imagine I should just set it to do EAP and have FR itself do the MAC check as part of the authorization?
Yes. Having AP's implement policies is a recipe for disaster.
We're not really tracking MACs per se right now, we only require the MAC to be a valid MAC. We don't check for duplicates. Combined with using WEP, it currently makes for a very unsecure network, hence why I want to switch to using certificates. I've learned a lot about how RADIUS, and FR in particular, works in the past year, but I still have a lot to learn. I understand a new book on FR has been in the works, which would be a great help I'm sure. In the meantime, I try to keep track of the users list and do some reading (a lot of it outdated) on the web.
I'm trying to find time to finish the book. :(
I suppose doing the MAC authentication wouldn't really add much overhead at all if done by the FR server itself and not separate calls from the AP, so I will look into how to do this. Any pointers or hints would greatly be appreciated.
raddb/modules/mac* They're not examples for RADIUS, but the principles should be the same. Alan DeKok.