MAC Authentication - Bad Idea?

schilling schilling2006 at gmail.com
Wed Feb 2 20:32:28 CET 2011


We implemented MAC authentication with netreg at
http://netreg.sourceforge.net. We used the DHCP/DNS/HTTP piece from
netreg. Its essence is DHCP/DNS/HTTP on one server.
  Basically there will be a vlan we called sandbox with ip
helper-address pointing to sandbox.foo.edu.  The DHCP is configured to
have DNS pointing to sandbox.foo.edu too. bind is configured to
resolve everything to sandbox.foo.edu. HTTP is configured with a dynamic
webpage as explained later on.

The logic is like the following:
if (mac not in your database) {
    send back a sandbox vlan
    #user opening any webpage will get redirected to the single server
}
else if (mac in your database) {
    if (user blocked) {
        send back sandbox VLAN
    }
    else {
        send back regular vlan name with additional attributes as you want
    }
}

On the web server, if you are here, you are either unregistered or
registered but blocked. We have a dynamic webpage to do the following
things:
#mac not registered
#use webpage to get IP, then use IP to get MAC from DHCP lease file
if (MAC not in database) {
    web portal of login with (ldap, ssh, ftp) backend,
    mac address will be populated in the database.
}
#mac in database but blocked
else {
    display that the mac is blocked and to call the helpdesk
}

We use this to gain a lot of knowledge/experience on dot1x, and are
now moving toward 802.1x.

Schilling
On Wed, Feb 2, 2011 at 2:15 PM, Jim Rice <jmrice6640 at yahoo.com> wrote:
> Thanks, Alan.
>
> The MikroTik routers can be configured to send a variety of MAC address formats, the default is XX:XX:XX:XX:XX:XX
>
> It can also be set to include the same MAC address in the Password field, instead of NULL, but I do not see any added benefit to that.
>
>>> but had to set Auth-Type := Accept.
>>
>>   Hmm... that's probably not the best way to do it,
>> but if it works...
>
> Is there a best (or better) way?
>
> Do I need to be concerned with MAC spoofing?
>
> Thanks again,
>
> Jim
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
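The two pieces of logic in the post above (the RADIUS-side VLAN decision keyed on the MAC, and the portal-side lookup from a client IP back to its MAC via the DHCP lease file), written out as an added example; this is not netreg's code nor anything the poster shipped. It assumes a dictionary stands in for the registration database, that the NAS may send the MAC in any of the formats mentioned in the quoted reply (colon, hyphen, dotted, bare hex), that the lease file is in ISC dhcpd's text format where the last block for an IP is the current one, and that the reply uses the standard Tunnel-* attributes FreeRADIUS sends for dynamic VLAN assignment. The only check is the database lookup, which is why the quoted question about MAC spoofing matters and why the post ends by moving to 802.1x.

```python
"""MAC-keyed VLAN assignment plus IP-to-MAC lookup from a dhcpd lease file.

Added example (not netreg code). All sample data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

SANDBOX_VLAN = "sandbox"  # VLAN whose ip helper-address points at the captive server


@dataclass
class Registration:
    owner: str
    vlan: str
    blocked: bool = False


# Constructed stand-in for the registration database.
SAMPLE_DB: Dict[str, Registration] = {
    "00:11:22:33:44:55": Registration("alice", "staff"),
    "66:77:88:99:aa:bb": Registration("bob", "student", blocked=True),
}


def normalize_mac(raw: str) -> str:
    """Accept colon, hyphen, dotted or bare-hex MAC formats and return the
    lower-case colon form used as the database key."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def assign_vlan(raw_mac: str, db: Dict[str, Registration]) -> dict:
    """The RADIUS-side decision: unknown or blocked MACs land in the sandbox."""
    mac = normalize_mac(raw_mac)
    reg = db.get(mac)
    if reg is None:
        return {"mac": mac, "vlan": SANDBOX_VLAN, "reason": "unregistered"}
    if reg.blocked:
        return {"mac": mac, "vlan": SANDBOX_VLAN, "reason": "blocked"}
    return {"mac": mac, "vlan": reg.vlan, "reason": "registered"}


def radius_reply(decision: dict) -> Dict[str, str]:
    """Reply attributes a NAS expects for dynamic VLAN assignment (RFC 3580)."""
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": decision["vlan"],
    }


# Constructed excerpt in ISC dhcpd.leases format; dhcpd appends a new block
# on every change, so the last block for an address is the current state.
SAMPLE_LEASES = """\
lease 10.20.0.15 {
  starts 3 2011/02/02 19:02:11;
  ends 3 2011/02/02 21:02:11;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.20.0.16 {
  starts 3 2011/02/02 19:05:40;
  ends 3 2011/02/02 21:05:40;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.20.0.16 {
  starts 3 2011/02/02 19:05:40;
  ends 3 2011/02/02 19:30:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
"""

LEASE_RE = re.compile(r"lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{(.*?)\}", re.DOTALL)
HW_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F:]+)\s*;")
STATE_RE = re.compile(r"binding\s+state\s+(\w+)\s*;")


def ip_to_mac(lease_text: str, ip: str) -> Optional[str]:
    """Return the MAC currently holding `ip`, or None if no active lease."""
    latest = None
    for m in LEASE_RE.finditer(lease_text):
        if m.group(1) == ip:
            latest = m.group(2)  # later blocks supersede earlier ones
    if latest is None:
        return None
    hw, state = HW_RE.search(latest), STATE_RE.search(latest)
    if hw is None or (state is not None and state.group(1) != "active"):
        return None
    return normalize_mac(hw.group(1))


def portal_action(ip: str, lease_text: str, db: Dict[str, Registration]) -> str:
    """The portal-side branch: what page to show a client arriving from `ip`."""
    mac = ip_to_mac(lease_text, ip)
    if mac is None:
        return "no-lease"
    if mac not in db:
        return "show-login"  # after backend auth succeeds, insert mac into db
    if db[mac].blocked:
        return "show-blocked"
    return "already-registered"


if __name__ == "__main__":
    for raw in ("00-11-22-33-44-55", "6677.8899.AABB", "deadbeef0001"):
        print(raw, "->", radius_reply(assign_vlan(raw, SAMPLE_DB)))
    for ip in ("10.20.0.15", "10.20.0.16", "10.20.0.99"):
        print(ip, "->", portal_action(ip, SAMPLE_LEASES, SAMPLE_DB))
```

The released lease for 10.20.0.16 shows why the portal must read the latest block rather than the first match: a stale IP-to-MAC mapping would register or block the wrong device.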