MAC-auth only to AP needs a little guidance.

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Fri Jun 8 13:38:45 CEST 2007


Giobbi Piero wrote:
> Hi all.
> 
> I just got radius with user/password to work with my firewall and I
> just love it! Now I would like to make it rock with our airport
> basestations too. I only want MAC-authentication, I searched everywhere
> but I can't find a single example for this, without EAP/TLS.
> 

Eww airports, you know they don't support accounting or dynamic vlan 
assignments.

Generally mac auth doesn't use EAP, but instead uses plain CHAP.

Though this really varies vendor to vendor.

Our HP switches send the mac address of the calling station as the 
username and then the mac address of the calling station again as the 
chap password.

         Framed-MTU = 1480
         NAS-IP-Address = 139.184.8.16
         NAS-Identifier = "hp-e-its-dev8021x-sw1"
         User-Name = "0017f231b481"
         Service-Type = Framed-User
         Framed-Protocol = PPP
         NAS-Port = 2
         NAS-Port-Type = Ethernet
         NAS-Port-Id = "2"
         Called-Station-Id = "00-14-38-fb-94-3e"
         Calling-Station-Id = "00-17-f2-31-b4-81"
         Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
         CHAP-Password = 0x46c5390071718fec73572bd6a9bf101e8c

Though some do send a concatenation of the shared secret of the ap with 
the mac address.

If you want to validate the chap password (if included),

DEFAULT CHAP-Password =* ANY, Cleartext-Password := "%{User-Name}"

then list the CHAP module under the users file, in the authorise section.

CHAP will then set the Auth-Type to CHAP

CHAP will then validate the CHAP-Password in Authenticate and send an 
access accept.

It adds absolutely no extra security validating the CHAP-Password, but 
it does follow the normal flow of a request through FreeRadius.

> I tried:
> 
> <MAC-ADDR> "shared secret" as more or less a panic try but of course
> it didn't work. If anyone could just give me an example or hint where
> to find some nice info about it would make me happy.
> 
> Thx
> 
> p
> 


-- 
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
Authentication, Authorisation and Accounting Officer
Infrastructure Services | ENG1 E1-1-08
University Of Sussex, Brighton
EXT:01273 873900 | INT: 3900
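
Added example, not part of the original message and not FreeRADIUS code: a Python sketch of the CHAP check described above (RFC 2865 CHAP-Password layout) for a MAC-auth request whose password is its own User-Name. The Request Authenticator and the CHAP-Password in the sample are constructed, since the packet in the message does not show the authenticator, and the User-Name versus Calling-Station-Id comparison is an assumption added here.

```python
import hashlib
import hmac

def normalize_mac(value: str) -> str:
    """Reduce '00-17-f2-31-b4-81' or '0017F231B481' to 12 lowercase hex digits."""
    digits = value.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 CHAP-Password: ident byte + MD5(ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_mac_auth(attrs: dict, request_authenticator: bytes) -> bool:
    """Validate a MAC-auth request whose expected password is its own User-Name."""
    chap = attrs.get("CHAP-Password", b"")
    if len(chap) != 17:  # 1 ident byte + 16-byte MD5 digest
        return False
    try:
        # Assumption (not from the message): User-Name must match the reported MAC.
        if normalize_mac(attrs["User-Name"]) != normalize_mac(attrs["Calling-Station-Id"]):
            return False
    except (KeyError, ValueError):
        return False
    # RFC 2865: use CHAP-Challenge if present, otherwise the Request Authenticator.
    challenge = attrs.get("CHAP-Challenge", request_authenticator)
    expected = chap_response(chap[0], attrs["User-Name"].encode(), challenge)
    return hmac.compare_digest(expected, chap)

# Constructed sample: attribute names follow the packet in the message, but the
# authenticator is made up and the CHAP-Password is computed from it.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_REQUEST = {
    "User-Name": "0017f231b481",
    "Calling-Station-Id": "00-17-f2-31-b4-81",
    "CHAP-Password": chap_response(0x46, b"0017f231b481", SAMPLE_AUTHENTICATOR),
}

if __name__ == "__main__":
    print(verify_mac_auth(SAMPLE_REQUEST, SAMPLE_AUTHENTICATOR))
```

Every input to the digest (ident, User-Name, challenge) travels in the request itself, which is why validating the CHAP-Password adds no security beyond the MAC check.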


