First a little information on our setup. When I first started working here, the wireless network had been in place for a year already and was rather small, only 3 access points and ~90 laptops. My boss set it up as static WEP (I don't know why WEP instead of WPA) and used the AP's (Cisco 1121 series) authorized MAC list to restrict access to our laptops. When I came on board, we just received about 250 new laptops from the grant and the AP's couldn't fit all of the MAC addresses in the space allocated in the flash as simulated NVRAM. For a quick fix, I changed how much NVRAM was simulated in order for the AP's to hold the info when rebooted. Of course, maintaining the MAC list on all of these AP's (we got an additional 8 or 9 AP's at that time) was a nightmare, plus the AP's seemed a bit sluggish with authenticating laptops. I convinced my boss to let me configure a FreeRADIUS server to do the authentication, removing all of the MAC addresses from the AP's and resetting the NVRAM to its default size. We now have about 15 AP's and ~400 laptops. Some AP's are overloaded while others have no load at all, though this has little to do with FR other than the fact the AP's lose packets to FR from time to time, through no fault of FR at all. This summer, due to budget cuts, we won't be getting in much new equipment which frees me up to do some long needed adjustments to the wireless network. I am going to be converting from WEP to WPA finally. I don't want to use WPA-PSK so I am looking at doing EAP-TLS. I have a test server up that I've gotten to work with EAP-TLS using the snake-oil certificates. On the AP's, there is the option of doing EAP and MAC authentication. This leads to my question. Does doing MAC authentication really accomplish anything when using EAP-TLS? The certificates can't be copied from the laptop they are installed onto as far as I know. They're running XP SP3 and when installing the certificates, the option to export them will not be checked. This should mean that if it has a valid certificate, it is one of our laptops and not someone who somehow stole a cert and installed it on their laptop. I'm not doing any dynamic VLAN assignments over the wireless so I really don't see any need for MAC authentication and just see it as unneeded overhead. Is there any reason why I'm wrong with this assumption? The only thing I can see enabling MAC authentication for is if we switch at some point to EAP-TTLS or EAP-PEAP to verify that the user is logging in with one of our laptops and not one they brought in from home/cell phone/etc. Or if I can convince my boss to authenticate all the wired connections so that no one brings in a laptop from home and plugs it into the network. (We've had at least some substitute teachers do this apparently, not sure if any full-time staff has done this.) While I might end up creating temporary users for when we have presenters and use EAP-[TTLS|PEAP] for them, I'd have to not do MAC authentication for them as finding out the MAC address in advance seems rather unlikely to happen. Sorry for being so long winded, but I wanted to make sure I got everything relevant about our setup and what I'm trying to do across. And as I finish my proof-reading, I realize that regardless of if I do MAC authentication or not, it seems rather pointless to enable the option on the AP as the MAC address would be sent regardless of if I set it or not. (Which really makes me wonder why they even included it, unless I'm misunderstanding something.) I think the proper solution would be to do a check in FR to ensure when the user requests access, that the requesting MAC is from one of our machines. Regardless, could someone let me know if there is any need to do MAC authentication when doing EAP-TLS? -- John McDonnell Penn Cambria School District mcdonnjd@pcam.org
John McDonnell wrote:
I'm not doing any dynamic VLAN assignments over the wireless so I really don't see any need for MAC authentication and just see it as unneeded overhead. Is there any reason why I'm wrong with this assumption?
It never hurts. You can do *both* EAP && MAC auth at the same time. It stops people who share their passwords. If you do login tracking, you can see if two MACs have logged in at the same time, too. This stops a large percentage of bad behavior. If you're *not* tracking MACs right now, you have no idea who's on your network. Alan DeKok.
-----Original Message----- John McDonnell wrote:
I'm not doing any dynamic VLAN assignments over the wireless so I really don't see any need for MAC authentication and just see it as unneeded overhead. Is there any reason why I'm wrong with this assumption?
It never hurts. You can do *both* EAP && MAC auth at the same time.
I don't know if you have any experience with the 1100 series access points from Cisco, but they have a setting called EAP and MAC authentication. I'm not sure how it is implemented, but I would imagine I should just set it to do EAP and have FR itself do the MAC check as part of the authorization?
It stops people who share their passwords. If you do login tracking, you can see if two MACs have logged in at the same time, too.
This was why I was originally going to enable both EAP and MAC but then wondered if it would just be overhead since I plan on going the certificate route. Right now, the only laptops we want to allow on the wireless network are the ones that we received from the Classrooms for the Future (CFF) grant. This summer I will be touching each of these computers (I'll be imaging all of the student laptops and updating the teacher ones individually) and will install the certificates during the procedure.
This stops a large percentage of bad behavior.
If you're *not* tracking MACs right now, you have no idea who's on your network.
Alan DeKok.
We're not really tracking MACs per se right now, we only require the MAC to be a valid MAC. We don't check for duplicates. Combined with using WEP, it currently makes for a very unsecure network, hence why I want to switch to using certificates. I've learned a lot about how RADIUS, and FR in particular, works in the past year, but I still have a lot to learn. I understand a new book on FR has been in the works, which would be a great help I'm sure. In the meantime, I try to keep track of the users list and do some reading (a lot of it outdated) on the web. The goal of my updates to the wireless network over the summer is to make the network more secure without our users actually having to do anything different. Whether that's installing certificates or using PEAP with the username/password saved on the laptop, we don't currently want to make things more difficult for the teachers/students. Hopefully one of the updates my boss will be doing over the summer will be to get LDAP working properly at which point switching to TTLS or PEAP will become much more attractive than they currently are. I suppose doing the MAC authentication wouldn't really add much overhead at all if done by the FR server itself and not separate calls from the AP, so I will look into how to do this. Any pointers or hints would greatly be appreciated. -- John McDonnell Penn Cambria School District mcdonnjd@pcam.org
John McDonnell wrote:
I don't know if you have any experience with the 1100 series access points from Cisco, but they have a setting called EAP and MAC authentication. I'm not sure how it is implemented, but I would imagine I should just set it to do EAP and have FR itself do the MAC check as part of the authorization?
Yes. Having AP's implement policies is a recipe for disaster.
We're not really tracking MACs per se right now, we only require the MAC to be a valid MAC. We don't check for duplicates. Combined with using WEP, it currently makes for a very unsecure network, hence why I want to switch to using certificates. I've learned a lot about how RADIUS, and FR in particular, works in the past year, but I still have a lot to learn. I understand a new book on FR has been in the works, which would be a great help I'm sure. In the meantime, I try to keep track of the users list and do some reading (a lot of it outdated) on the web.
I'm trying to find time to finish the book. :(
I suppose doing the MAC authentication wouldn't really add much overhead at all if done by the FR server itself and not separate calls from the AP, so I will look into how to do this. Any pointers or hints would greatly be appreciated.
raddb/modules/mac* They're not examples for RADIUS, but the principles should be the same. Alan DeKok.
participants (2)
-
Alan DeKok -
John McDonnell