MAC authentication bypass --- How am I supposed to?edit?theusers file to include multiple MAC addresses??

Arran Cudbard-Bell a.cudbard-bell at sussex.ac.uk
Mon Dec 21 20:52:57 CET 2009


On 21/12/2009 09:15, Alan Buxey wrote:
> Hi,
>
>   
>>> yep - but a user could just as easily log in with the user-name of
>>> 00:11:22:33:44:55 ;-) 
>>>
>>>       
>> Not when you say !EAP-Message too :)
>>     
> ...and how does that stop, lets just say for example, some user coming
> along with 802.1X configured on their wired interface and logging it
> with 00:11:22:33:44:55 as their user-name with EAP-MD5 ?  ;-)
>   
Last time I checked EAP-MD5-Response was still carried in the
EAP-Message attribute,
and the documentation in the wiki suggests that the username and
Calling-Station-ID
are canonicalized and compared before attempting Mac-Auth, so you need
to fake
the mac-address in your EAPOL frames too.
>> Although it does nothing about the legacy guff, it stops new guff 
>> connecting.
>>     
> thats true in so much that it controls those things...but lets more evil
> people on due to it being a nice new hole.  oh well.
>
>   
Well no. You need to know the Mac-Address of a target machine before you
can connect to the network/VLAN.
In order to find out the Mac-Address you need to physically locate
yourself at a terminal, if you can
physically locate yourself at a terminal, you generally have access to
the network connection of the
terminal anyway.

The only thing it lets you do which you could do before, is to do your
cracking in a cafe instead
of in a cluster room :).

The real danger is someone gaining access to the uplink from one your
switches...
which is why 802.1X-REV/Mac-Sec is so frickin awesome!

-Arran

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 258 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20091221/be27c42f/attachment.pgp>


More information about the Freeradius-Users mailing list