A consultant in a session speak about 'MAC address authentication', using Unifi APs/management software, and describing it a '2FA'. If i understood well, enabling a specific options: https://help.ui.com/hc/en-us/articles/115004589707-RADIUS-Based-MAC-Authenti... i can connect suppicant to the network (via WPA2/3-Personal, so a shared secret) and then do a second-step authorization using radius, but where account are in the form 'AABBCCDDEEFF' (uppercase MAC address) and password is identical to the user. This seems '0,5FA': 0,5 for a shared passwod, 0 for account where password is identical to username. But effectivaly i found in google some setups like that, that really i don't understand. Someone have some clue? This seems to me real 2FA... https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy Thanks. -- Vendere no, non passa tra i miei rischi, non comprate i miei dischi e sputatemi addosso. (F. Guccini)
MAC address auth is not 2FA because it's not an extra factor. It's more like a second password that can easily be read, sniffed of captured. It doesn't really add any security as MAC spoofing is as old as ethernet. But if you want to do it because someone demands it, read this: https://wiki.freeradius.org/guide/mac-auth Op zo 24 dec. 2023 18:10 schreef Marco Gaiarin <gaio@lilliput.linux.it>:
A consultant in a session speak about 'MAC address authentication', using Unifi APs/management software, and describing it a '2FA'.
If i understood well, enabling a specific options:
https://help.ui.com/hc/en-us/articles/115004589707-RADIUS-Based-MAC-Authenti...
i can connect suppicant to the network (via WPA2/3-Personal, so a shared secret) and then do a second-step authorization using radius, but where account are in the form 'AABBCCDDEEFF' (uppercase MAC address) and password is identical to the user.
This seems '0,5FA': 0,5 for a shared passwod, 0 for account where password is identical to username.
But effectivaly i found in google some setups like that, that really i don't understand. Someone have some clue?
This seems to me real 2FA...
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
Thanks.
-- Vendere no, non passa tra i miei rischi, non comprate i miei dischi e sputatemi addosso. (F. Guccini)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Usually, 2FA means 1) sth you know 2) sth you have. So, in theory, you 1) know the shared secret and you 2) "have" the MAC address. However I think this combination is stretching the definition a bit, as it's not really you, but the device having that last factor. Also, the first factor is not unique. The proposed way does not authenticate the user connecting to the network at all. Also, WPA Personal has nothing to do with 802.1x which is about EAP, i.e. the "Enterprise" way. Don't be fooled by "802.1x in MAC mode". On December 24, 2023 5:29:20 PM GMT+01:00, Marco Gaiarin <gaio@lilliput.linux.it> wrote:
A consultant in a session speak about 'MAC address authentication', using Unifi APs/management software, and describing it a '2FA'.
If i understood well, enabling a specific options:
https://help.ui.com/hc/en-us/articles/115004589707-RADIUS-Based-MAC-Authenti...
i can connect suppicant to the network (via WPA2/3-Personal, so a shared secret) and then do a second-step authorization using radius, but where account are in the form 'AABBCCDDEEFF' (uppercase MAC address) and password is identical to the user.
This seems '0,5FA': 0,5 for a shared passwod, 0 for account where password is identical to username.
But effectivaly i found in google some setups like that, that really i don't understand. Someone have some clue?
This seems to me real 2FA...
https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
Thanks.
-- Vendere no, non passa tra i miei rischi, non comprate i miei dischi e sputatemi addosso. (F. Guccini)
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Marco Gaiarin -
marki -
Mathias Maes