On 21/12/2009 09:15, Alan Buxey wrote:
Hi,
yep - but a user could just as easily log in with the user-name of 00:11:22:33:44:55 ;-)
Not when you say !EAP-Message too :)
...and how does that stop, lets just say for example, some user coming along with 802.1X configured on their wired interface and logging it with 00:11:22:33:44:55 as their user-name with EAP-MD5 ? ;-)
Last time I checked EAP-MD5-Response was still carried in the EAP-Message attribute, and the documentation in the wiki suggests that the username and Calling-Station-ID are canonicalized and compared before attempting Mac-Auth, so you need to fake the mac-address in your EAPOL frames too.
Although it does nothing about the legacy guff, it stops new guff connecting.
thats true in so much that it controls those things...but lets more evil people on due to it being a nice new hole. oh well.
Well no. You need to know the Mac-Address of a target machine before you can connect to the network/VLAN. In order to find out the Mac-Address you need to physically locate yourself at a terminal, if you can physically locate yourself at a terminal, you generally have access to the network connection of the terminal anyway. The only thing it lets you do which you could do before, is to do your cracking in a cafe instead of in a cluster room :). The real danger is someone gaining access to the uplink from one your switches... which is why 802.1X-REV/Mac-Sec is so frickin awesome! -Arran