AW: AW: MAC authentification
Arran Cudbard-Bell
A.Cudbard-Bell at sussex.ac.uk
Wed Oct 22 18:09:02 CEST 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Anders Holm wrote:
> I'm slightly curoous here. What happens when Script Kiddie then spoofs
> an appropriate MAC address? You have other mitigating measures in place?
There's nothing you can do, but then Mac-Based authentication should
only ever be used to gain access to sensitive networks, that's why you
have 802.1X authentication.
The ideal situation is to have a NAS that supports both on it's wired
ports, with a catch at the bottom.
So in order of authorisational priority
1. 802.1X
2. Mac-Authentication/ Web-Auth
3. Unauthorised/ port closed
So initially the device starts in the unauthorised state, if Mac-Based
auth succeeds the port will change to reflect the PVID or any other
parameters given in the Mac-Based/Web-Auth access accept, if not then
the client remains in the unauthorised state. If at any point the client
completes 802.1X authentication then the port will change to reflect the
parameters given in the 802.1X Access-Accept, and any other sessions
will be closed. If the client receives an EAPOL-Logoff, then the client
returns to the unauthorised state, and the switch will start Mac-Based
authentication again. In all cases the client physically disconnecting
from the switch returns the port to the unauthorised/closed state.
At least that's how it works in theory, there's no standard defining the
interactions, it's very much dependent on the switch vendor.
HP ProCurve switches as of 2600 series implement the behaviour described
above. I believe Cisco do too, though Ciscos is more broken...
Regards,
Arran
> Sent from my iPhone
>
> On 22 Oct 2008, at 12:12, Arran Cudbard-Bell
> <A.Cudbard-Bell at sussex.ac.uk> wrote:
>
> Hi,
>
> The scheme used almost universally for Mac-Based authentication is
> User-Name == Calling-Station-ID, unfortunately the format of the two mac
> addresses often differ.
>
> Here are the examples from our configuration to perform mac-based
> authorisation.
> ---
> authorize {
>
> # Rewrite called station id attributes into a standard format.
> if("%{Calling-Station-Id}" =~
> /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
>
> update request {
> Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
> }
> }
>
> if("%{User-Name}" =~
> /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2,})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
>
> update request {
> User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
> }
> }
>
>
> if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){
> update control {
> Autz-Type = 'mac-based'
> }
> }
>
>
> # Authorisation based on mac address
> Autz-Type mac-based {
> # This is where you do your authorisation checks
> update control {
> Auth-Type := 'Accept'
> }
> }
>
> }
>
> ---
>
> No you don't need passwords, you force the server to send an
> Access-Accept or Access-Reject packet based on your authorisation
> policies for certain Mac-Addresses.
>
>
> Thanks,
> Arran
>
>
- -
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
- --
Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkj/UB4ACgkQcaklux5oVKIYLwCfV8VSEIW1OxjD6bLM/BJUBxxG
0l4AoI5MPjdsQjL++RRk0UqKtdbm50No
=ATo4
-----END PGP SIGNATURE-----
More information about the Freeradius-Users
mailing list