EAP-TLS and MAC Authentication
Alan DeKok
aland at deployingradius.com
Sun May 16 11:00:58 CEST 2010
John McDonnell wrote:
> I don't know if you have any experience with the 1100 series access points
> from Cisco, but they have a setting called EAP and MAC authentication. I'm
> not sure how it is implemented, but I would imagine I should just set it
> to do EAP and have FR itself do the MAC check as part of the
> authorization?
Yes. Having APs implement policies is a recipe for disaster.
> We're not really tracking MACs per se right now, we only require the MAC
> to be a valid MAC. We don't check for duplicates. Combined with using WEP,
> it currently makes for a very unsecure network, hence why I want to switch
> to using certificates. I've learned a lot about how RADIUS, and FR in
> particular, works in the past year, but I still have a lot to learn. I
> understand a new book on FR has been in the works, which would be a great
> help I'm sure. In the meantime, I try to keep track of the users list and
> do some reading (a lot of it outdated) on the web.
I'm trying to find time to finish the book. :(
> I suppose doing the MAC authentication wouldn't really add much overhead
> at all if done by the FR server itself and not separate calls from the AP,
> so I will look into how to do this. Any pointers or hints would greatly be
> appreciated.
raddb/modules/mac*
They're not examples for RADIUS, but the principles should be the same.
Alan DeKok.
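
The server-side MAC check discussed in this thread, sketched as an added example (not code from the original message or from FreeRADIUS): the Calling-Station-Id is normalized and matched against an allowlist during authorization, and a match only lets EAP-TLS proceed. The function names, the "continue-eap" result and the sample MACs are assumptions constructed for the illustration.

```python
import re

# Calling-Station-Id notations accepted here (matched after lowercasing).
MAC_FORMATS = (
    re.compile(r"^[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$"),  # 00-11-.. or 00:11:..
    re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"),             # 0011.2233.4455
    re.compile(r"^[0-9a-f]{12}$"),                                      # 001122334455
)


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    text = value.strip().lower()
    if any(p.match(text) for p in MAC_FORMATS):
        return re.sub(r"[-:.]", "", text)
    return None


def build_allowlist(entries):
    """Normalize allowlist entries; refuse malformed or duplicate MACs."""
    allowed = set()
    for entry in entries:
        mac = normalize_mac(entry)
        if mac is None:
            raise ValueError("not a MAC address: %r" % entry)
        if mac in allowed:
            # Same MAC listed twice, possibly in two notations.
            raise ValueError("duplicate MAC address: %r" % entry)
        allowed.add(mac)
    return allowed


def authorize(request, allowed):
    """Authorization-phase gate (hypothetical result names).

    Returns "reject" or "continue-eap", never an accept: a known MAC only
    allows the EAP-TLS exchange to start, the certificate still decides.
    """
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    if mac is None or mac not in allowed:
        return "reject"
    return "continue-eap"


# Constructed sample allowlist, deliberately in mixed notations.
ALLOWED = build_allowlist(["00:11:22:33:44:55", "0011.2233.4466", "001122334477"])

if __name__ == "__main__":
    for csid in ("00-11-22-33-44-66", "00-11-22-33-44-99", "not-a-mac"):
        print(csid, "->", authorize({"Calling-Station-Id": csid}, ALLOWED))
```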