EAP-TLS and MAC Authentication

Alan DeKok aland at deployingradius.com
Sun May 16 11:00:58 CEST 2010


John McDonnell wrote:
> I don't know if you have any experience with the 1100 series access points 
> from Cisco, but they have a setting called EAP and MAC authentication. I'm 
> not sure how it is implemented, but I would imagine I should just set it 
> to do EAP and have FR itself do the MAC check as part of the 
> authorization?

  Yes.  Having APs implement policies is a recipe for disaster.

> We're not really tracking MACs per se right now, we only require the MAC 
> to be a valid MAC. We don't check for duplicates. Combined with using WEP, 
> it currently makes for a very unsecure network, hence why I want to switch 
> to using certificates. I've learned a lot about how RADIUS, and FR in 
> particular, works in the past year, but I still have a lot to learn. I 
> understand a new book on FR has been in the works, which would be a great 
> help I'm sure. In the meantime, I try to keep track of the users list and 
> do some reading (a lot of it outdated) on the web.

  I'm trying to find time to finish the book.  :(

> I suppose doing the MAC authentication wouldn't really add much overhead 
> at all if done by the FR server itself and not separate calls from the AP, 
> so I will look into how to do this. Any pointers or hints would greatly be 
> appreciated.

  raddb/modules/mac*

  They're not examples for RADIUS, but the principles should be the same.

  Alan DeKok.
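
The following is an added illustration. It is not part of the original thread and is not FreeRADIUS code. It is a Python model of the server-side check discussed above: the RADIUS server normalizes Calling-Station-Id, checks it against an allow-list during authorization, and only then lets EAP-TLS proceed. The request dictionary, the allow-list contents and the function names are assumptions made for the example.

```python
import re

# Constructed allow-list (assumption); a deployment would load this from a
# file or database maintained by the administrator.
AUTHORIZED_MACS = {"00-12-34-56-78-9a", "00-1b-2c-3d-4e-5f"}

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(calling_station_id):
    """Return the MAC as lowercase aa-bb-cc-dd-ee-ff, or None if invalid."""
    if not calling_station_id:
        return None
    # NAS vendors format the MAC differently (colons, hyphens, dotted groups),
    # so strip those separators before validating and comparing.
    digits = re.sub(r"[-:.]", "", calling_station_id.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(request):
    """Model of the authorization step run before EAP is handled.

    `request` is a dict of RADIUS attributes (hypothetical representation).
    Returns ("reject", reason) or ("continue-eap", normalized_mac).
    """
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is None:
        return ("reject", "missing or malformed Calling-Station-Id")
    if mac not in AUTHORIZED_MACS:
        return ("reject", "MAC %s is not in the allow-list" % mac)
    # Assumed policy: the MAC check is in addition to EAP, never instead of it.
    if "EAP-Message" not in request:
        return ("reject", "no EAP-Message in request")
    return ("continue-eap", mac)


# Constructed sample requests, not captured traffic.
SAMPLES = [
    {"Calling-Station-Id": "0012.3456.789A", "EAP-Message": b"\x02"},
    {"Calling-Station-Id": "aa:bb:cc:dd:ee:ff", "EAP-Message": b"\x02"},
    {"Calling-Station-Id": "00-12-34-56-78", "EAP-Message": b"\x02"},
    {"Calling-Station-Id": "00:12:34:56:78:9a"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.get("Calling-Station-Id"), "->", authorize(sample))
```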



More information about the Freeradius-Users mailing list