On Jan 12, 2016, at 3:55 PM, Munroe Sollog <mus3@lehigh.edu> wrote:
I'm curious about your assertion. I'm just starting to deploy FreeRADIUS in order to do mac auth for a wireless network (Aruba), and I've been following:
http://wiki.freeradius.org/guide/mac-auth#plain-mac-auth
which seems to contradict your claim. I'm curious if I am misunderstanding something.
Yes. EAP is *required* for wireless networks. Mac auth can *reject* on wireless networks. It cannot cause the user to be authenticated on wireless networks. This is because the session requires 802.1X session keys, which are derived from a *successful* EAP authentication. For wired networks without 802.1X, you can do Mac auth. For wired networks with 802.1X and *not* Macsec, you can force a user online with Mac auth, by faking the EAP success. For wired networks with 802.1X and Macsec, Mac auth can reject a user. It cannot cause the user to be authenticated. This is because the session requires Macsec session keys, which are derived from a *successful* EAP authentication. Alan DeKok.