EAP & MAC Auth accepting only MAC address
Hi, I'm doing some testing for my FreeRADIUS installation in which I am performing MAC Auth which, provided the MAC is correct, then performs EAP-TTLS/PAP auth. This works fine from a Windows client because it forces you to enter a username and password. I was performing some testing using the radclient command and noticed that the unlang code that the MAC auth guide <https://wiki.freeradius.org/guide/mac-auth#mac-auth-and-802-1x> gives you allows authentication as long as the MAC address is correct even if there is no username or password so EAP isn't enforced which doesn't seem right to me. I've reduced the code down to this which I *think* would force EAP auth even if the MAC is correct: *#If cleaning up the Calling-Station-Id... rewrite_calling_station_id # always check against the authorized_macs file first authorized_macs if (!ok) { # Reject if the MAC address was not permitted. reject } else { eap { ok = return updated = return } }* I've then used radeapclient to test which seems ok but is there a better way of achieving this? The radeapclient command I used is: *"User-Name = ,EAP-Code = ,EAP-Id = ,EAP-Type-Identity = ,Message-Authenticator = ,Cleartext-Password = ,Calling-Station-ID= " | radeapclient auth * Thanks
On Oct 17, 2024, at 11:42 AM, FreeRAD <yetifreerad@gmail.com> wrote:
I'm doing some testing for my FreeRADIUS installation in which I am performing MAC Auth which, provided the MAC is correct, then performs EAP-TTLS/PAP auth. This works fine from a Windows client because it forces you to enter a username and password.
That's good.
I was performing some testing using the radclient command and noticed that the unlang code that the MAC auth guide <https://wiki.freeradius.org/guide/mac-auth#mac-auth-and-802-1x> gives you allows authentication as long as the MAC address is correct even if there is no username or password so EAP isn't enforced which doesn't seem right to me.
It's an example. You can still change ie.
I've reduced the code down to this which I *think* would force EAP auth even if the MAC is correct: ... *#If cleaning up the Calling-Station-Id... rewrite_calling_station_id # always check against the authorized_macs file first authorized_macs if (!ok) { # Reject if the MAC address was not permitted. reject } else { eap { ok = return updated = return } }*
That is almost unreadable. But yes, you can reject instead of accept if there's no EAP.
I've then used radeapclient to test which seems ok but is there a better way of achieving this?
It's fine. Alan DeKok.
participants (2)
-
Alan DeKok -
FreeRAD