AW: AW: MAC authentification

[Frederik.Niedernolte at Bertelsmann.de]

Isn't it possible without a password?
In the current situation I only add a MAC address to an access point and the client can connect to it.
Because of many access points this task should be done by the RADIUS-server for all access points.
So every access point should forward the authentification request from the client to the RADIUS-server.
This server should check if the clients MAC address is allowed and then send back the result to the access point.

F. Niedernolte


-----Ursprüngliche Nachricht-----
Von: freeradius-users-bounces+frederik.niedernolte=bertelsmann.de at lists.freeradius.org [mailto:freeradius-users-bounces+frederik.niedernolte=bertelsmann.de at lists.freeradius.org] Im Auftrag von Alan DeKok
Gesendet: Mittwoch, 22. Oktober 2008 10:56
An: FreeRadius users mailing list
Betreff: Re: AW: MAC authentification

Frederik.Niedernolte at Bertelsmann.de wrote:
> So a simple entry like
> 
> User42 MAC := "02:01:02:03:04:05"
> 
> in the users file would be enough!?

  No.  I mentioned the "User-Name" attribute, not the "MAC" attribute.

  Do you see the "MAC" attribute in the RADIUS packet?  Does reading the
"man" page for the "users" file lead you to believe that an entry like
above will do *anything*?

  What I said was this:  "MAC authentication" is nearly always just
normal username/password authentication.  If you can configure
username/password authentication, you can configure MAC authentication.
 Just give the "users" names that match the MAC addresses in the
Access-Request, and be sure that the "passwords" match the User-Password
field in the Access-Request.

  It would help to *look* at an Access-Request for MAC authentication,
and forget that it's something magic called "MAC authentication".
Instead, figure out how you would get this user authenticated in normal
user authentication.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html