5 Jan
2015
5 Jan
'15
7:03 a.m.
Hi,
Personally I think this is idiotic at best, and insecure at worst. In particular, if the requests don't contain an attribute to distinguish between EAP-based MAC-auth and real user-based EAP - and some vendors don't - a real user can just set their username and password to their MAC address and waltz right in.
tell me about it...we've got about 47 lines of unlang/script to stop that sort of thing :/ (we have a known set of switches/locations where MAB is in use) alan