MAC authentication bypass --- How am I supposed to edit theusers file to include multiple MAC addresses??

Sat Dec 19 20:57:51 CET 2009

Hi Alan,

Thank you very much for quick response!

Actually you are right. The password is in MD5 hash, not in clear text!

I may not be able to use the guest VLAN (the vlan the device will be put in after failed or timeout 802.1x request) because I need to use this vlan for some other devices!

For these 00a008 device, my real purpose actually is NOT to "Authenticate" them but rather assign them to a specific VLAN by using dynamic vlan assignment feature of the switch. I have figured it out and tested it. I just have to put in special attributes under each user (in this case the MAC of the device) in the users file.

If I use AD or SQL, can I write a script to accomplish the logic I need so I don't have to type in each individual MAC as UN/PW in the database? It still sounds like I need to (for example in AD) manully input each of them in the database. Can you please give me details about how to implement it in this case?

BTW I'd rather not to use the SQL because I know pretty much nothing about it lol

I appreciate your advice! Thank you!

Difan

________________________________

From: freeradius-users-bounces+difan.zhao=guest-tek.com at lists.freeradius.org on behalf of Alan Buxey
Sent: Sat 12/19/2009 2:34 AM
To: FreeRadius users mailing list
Subject: Re: MAC authentication bypass --- How am I supposed to edit theusers file to include multiple MAC addresses??

Hi,

> The way how it works is that (I figured it out by running debug on the switch and by using wireshark), if the supplicant device doesn't support 802.1x, the switch (172.17.254.100) sends a access request to the freeradius server (172.17.1.1) with username and password both are the MAC address of the device!

correct - with the MAC in very plain format... ie all symbols stripped so its just, as you wrote
"00a0080806bd"  (rather than eg 00a0.0808.06bd or 00:a0:08:08:06:bd or 00-a0-08-08-06-bd)

by the way, depending on what IOS you've got, this will change - the new IOS
and this can be configured too on some previous versions - will send the
password int he form of the MD5 of the MAC address!

> That brings my dilemma! I have like 200 devices like this. I don't want to edit my users file with each of the MAC address as the UN/PW. Is there an easy way to write a script like thing to include all of them? The mac addresses are all start with "00:a0:08". I want a logic like:

many ways to do this - you certainly dont need to play with the users file - you
might want to eg, put them into AD/LDAP or put them into SQL.  in SQL you can set

User-Name       Attribute               Op      Value
00a0080806bd    Cleartext-Password      :=      00a0080806bd

if you KNOW that the addresses are valid, then you could scrape them...alternatively,
set the fail/quest VLAN to be behind a captive portal box and then the users get to
see a 'login page' and when they click login, you can grab their IP address and therefore
their MAC address and then insert that into SQL.  just a quick idea...monday morning project.

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 7046 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20091219/c99c9eac/attachment.bin>