You are correct about being able to sneeze and break into the network. But luckily all machines with that prefix will be placed into a Ethernet Only VLAN. The Devices with that prefix belong to a Ethernet based phone system (www.3com.com/nbx) so anyone who breaks into that vlan will only be able to see the broadcast Ethernet packets the phones are sending out occasionally. As a extra layer of security the phone system itself will only communicate with phones that have already been configured in its internal mac table list. Thanks for the help Jason -----Original Message----- From: freeradius-users-bounces+jmont=preferredtechnology.com@lists.freeradius. org [mailto:freeradius-users-bounces+jmont=preferredtechnology.com@lists.fre eradius.org] On Behalf Of Dennis Skinner Sent: Wednesday, May 10, 2006 3:54 PM To: FreeRadius users mailing list Subject: Re: Wildcards in Username and Passwd Jason Montgomery wrote:
Hello I have a customer who would like to have 100% MAC address lock down on their network. To do that we are able to have the Ethernet Switches Send the Device MAC address as the Username and password to the Radius Server. The question I have is on the radius server is it possible to set a wildcard so that any device showing "00-E0-BB" as the MAC Address prefix will automatically be accepted then I can throw the usual variables back at the port. If this is possible then I can avoid having to enter 300 Devices into the Radius table.
This may give you some ideas: http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Att ributes_for_further_processing But, I should warn you, that anyone wanting to break into your customers' network can sneeze and have a machine fake a MAC address. Hell, some Cisco equipment even have a builtin command to do it (handy for replacing/upgrading routers without messing up local ARP tables). Hopefully there is some other form of authentication. -- Dennis Skinner Systems Administrator BlueFrog Internet http://www.bluefrog.com - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html