EAP-TLS and MAC Authentication

John McDonnell mcdonnjd at pcam.org
Mon May 17 19:23:49 CEST 2010


> > how would that have worked anyway - you need the key exchange and
> > the right type of EAP for WPA and wireless
> >
> > alan
> 
> The only way I can think of it working was if using Cisco's local MAC
> list on the AP itself. I tried testing briefly with EAP and MAC set
> to FR only. In about a minute or so, I received about 2K EAP requests
> all returning Access-Reject. If I get a few spare moments to test,
> I'll try adding my MAC to the local list and tell the AP to use the
> local list for MAC and FR for EAP. I have a feeling this might work,
> but I am certainly not going back to maintaining MAC lists on all of
> our APs (both because I'd have to modify the APs again to have enough
> storage space to hold the MAC list and because it's a pain to keep
> that many lists in sync) and I think using a check in FR is a much
> cleaner solution in many ways.
> 
> --
> John McDonnell
> Penn Cambria School District
> mcdonnjd at pcam.org
> O< ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org

Yes, when checking the MAC against the local list, it works. It checks the
MAC against the local list before attempting to forward any packets to FR
for EAP. When using a lightweight AP instead of an autonomous AP, I
suppose this list is kept on the controller and distributed to the APs.
This is the only way that seems like it would be of any use.

-- 
John McDonnell
Penn Cambria School District
mcdonnjd at pcam.org
O< ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org