-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anders Holm wrote:
I'm slightly curoous here. What happens when Script Kiddie then spoofs an appropriate MAC address? You have other mitigating measures in place?
There's nothing you can do, but then Mac-Based authentication should only ever be used to gain access to sensitive networks, that's why you have 802.1X authentication. The ideal situation is to have a NAS that supports both on it's wired ports, with a catch at the bottom. So in order of authorisational priority 1. 802.1X 2. Mac-Authentication/ Web-Auth 3. Unauthorised/ port closed So initially the device starts in the unauthorised state, if Mac-Based auth succeeds the port will change to reflect the PVID or any other parameters given in the Mac-Based/Web-Auth access accept, if not then the client remains in the unauthorised state. If at any point the client completes 802.1X authentication then the port will change to reflect the parameters given in the 802.1X Access-Accept, and any other sessions will be closed. If the client receives an EAPOL-Logoff, then the client returns to the unauthorised state, and the switch will start Mac-Based authentication again. In all cases the client physically disconnecting from the switch returns the port to the unauthorised/closed state. At least that's how it works in theory, there's no standard defining the interactions, it's very much dependent on the switch vendor. HP ProCurve switches as of 2600 series implement the behaviour described above. I believe Cisco do too, though Ciscos is more broken... Regards, Arran
Sent from my iPhone
On 22 Oct 2008, at 12:12, Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk> wrote:
Hi,
The scheme used almost universally for Mac-Based authentication is User-Name == Calling-Station-ID, unfortunately the format of the two mac addresses often differ.
Here are the examples from our configuration to perform mac-based authorisation. --- authorize {
# Rewrite called station id attributes into a standard format. if("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request { Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}" } }
if("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
update request { User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}" } }
if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){ update control { Autz-Type = 'mac-based' } }
# Authorisation based on mac address Autz-Type mac-based { # This is where you do your authorisation checks update control { Auth-Type := 'Accept' } }
}
---
No you don't need passwords, you force the server to send an Access-Accept or Access-Reject packet based on your authorisation policies for certain Mac-Addresses.
Thanks, Arran
- - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkj/UB4ACgkQcaklux5oVKIYLwCfV8VSEIW1OxjD6bLM/BJUBxxG 0l4AoI5MPjdsQjL++RRk0UqKtdbm50No =ATo4 -----END PGP SIGNATURE-----