AW: AW: MAC authentification

Anders Holm anders.holm at sysadmin.ie
Wed Oct 22 16:43:56 CEST 2008


I'm slightly curious here. What happens when Script Kiddie then spoofs
an appropriate MAC address? You have other mitigating measures in place?

Sent from my iPhone

On 22 Oct 2008, at 12:12, Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk> wrote:

> Hi,
>
> The scheme used almost universally for Mac-Based authentication is
> User-Name == Calling-Station-ID, unfortunately the format of the two
> mac addresses often differ.
>
> Here are the examples from our configuration to perform mac-based
> authorisation.
> ---
> authorize {
>
> # Rewrite calling station id attributes into a standard format.
> if("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
>        update request {
>                Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
>        }
> }
>
> if("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
>        update request {
>                User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
>        }
> }
>
>
> if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){
>    update control {
>        Autz-Type = 'mac-based'
>    }
> }
>
>
> # Authorisation based on mac address
> Autz-Type mac-based  {
>    # This is where you do your authorisation checks
>    update control {
>        Auth-Type := 'Accept'
>    }
> }
>
> }
>
> ---
>
> No you don't need passwords, you force the server to send an
> Access-Accept or Access-Reject packet based on your authorisation
> policies for certain Mac-Addresses.
>
>
> Thanks,
> Arran
>
>
> --
> Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
> Authentication, Authorisation and Accounting Officer,
> Infrastructure Services (IT Services),
> E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
> DDI+FAX: +44 1273 873900 | INT: 3900
> GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
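
The checks quoted above, ported to Python as an added example (not code from the thread or from FreeRADIUS). It shows which MAC formats the rewrite regex accepts and that the accept decision rests only on two request-supplied attributes, which is the point of the spoofing question. STRICT_RE, KNOWN_MACS, the decision labels and the sample requests are assumptions constructed for illustration.

```python
import re

# Pattern ported from the quoted authorize section, "{2,}" fourth group included.
PAGE_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?"
    r"([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})", re.I)
# Assumption (not from the thread): anchored check for exactly six octets.
STRICT_RE = re.compile(r"^(?:[0-9a-f]{2}[-:]?){5}[0-9a-f]{2}$", re.I)
KNOWN_MACS = {"001122334455"}  # constructed allowlist


def rewrite(value):
    """Mimic 'update request { X := "%{1}...%{6}" }'; no match leaves X as is."""
    m = PAGE_RE.search(value)
    return "".join(m.groups()) if m else value


def authorize(request, known=KNOWN_MACS):
    """Return (decision, reason). Both inputs are supplied by the client/NAS,
    so 'accept' only proves the request carried an allowlisted MAC."""
    raw = request["Calling-Station-Id"]
    user, csid = rewrite(request["User-Name"]), rewrite(raw)
    if user.lower() != csid.lower():        # the thread's /i comparison
        return ("not-mac-auth", "User-Name differs from Calling-Station-Id")
    if not STRICT_RE.match(raw):
        return ("reject", "malformed MAC, rewritten to " + csid)
    if csid.lower() not in known:
        return ("reject", "MAC not on allowlist")
    return ("accept", "allowlisted " + csid.lower())


# Constructed sample requests.
SAMPLES = [
    {"User-Name": "001122334455", "Calling-Station-Id": "00-11-22-33-44-55"},
    {"User-Name": "00:11:22:33:44:55", "Calling-Station-Id": "0011.2233.4455"},
    {"User-Name": "00:11:22:3344:55:66", "Calling-Station-Id": "00:11:22:3344:55:66"},
    {"User-Name": "AABBCCDDEEFF", "Calling-Station-Id": "aa:bb:cc:dd:ee:ff"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["Calling-Station-Id"], "->", authorize(req))
```

The dotted form is left unrewritten by the quoted regex, and the third sample normalises to 14 hex digits, so a length check after the rewrite is worth adding.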


