MAC Authentication - Bad Idea?

Brett Littrell Blittrell at musd.org
Wed Feb 2 22:09:11 CET 2011


I think it depends on the OS. If an OS is trusting and accepts everything up the stack from Layer 2 whenever the MAC address matches, it could start to get confused and cause all sorts of issues. If the device keeps some kind of state table for connections and rejects all others, there may not be too much of an issue. Naturally, in a switched environment it would not work at all.

As far as MAC auth, we do that here as well, basically for printers and such, and as you stated you just enter the MAC address as the password, then push out the Tunnel Group ID, Tunnel-Medium-Type and Tunnel-Type. Of course this is on a switched network, but for our wireless it works remarkably similarly, although again we use username/password authentication on that. We do not have to worry too much about session hijacking or MAC spoofing on the wireless side because we use WPA2 with AES and dot1x on the auth side.

One thing you may want to do is have a default unprotected VLAN that is the default network, and have it go directly to a web page with instructions on connecting with a secure connection. If you care anything about your users/customers, I would say at least offer them some kind of protection; it is just too easy to sniff unprotected wireless networks.

-- 

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
>>> On Wednesday, February 02, 2011 at 12:00 PM, in message <8860_1296676852_4D49B7F4_8860_589_1_D9B37353831173459FDAA836D3B43499AF0FA683 at WAPMBXV0.waddell.com>, Gary Gatten <Ggatten at waddell.com> wrote:
> On shared medium, I don't *think* dupe macs will cause much problem, unless 
> maybe a congestion algorithm tweaks traffic to/from that mac. I'm not an 
> expert in that area, just speaking from experience.
> 
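For readers who have not set this up, here is the shape of the FreeRADIUS `users` file entries that the MAC-auth-with-VLAN-assignment approach described in the post maps to: the MAC address is both username and password, the three tunnel attributes carry the VLAN, and a trailing `DEFAULT` entry implements the "default unprotected VLAN" idea for unknown devices. This is an added illustration, not configuration from Brett, Gary or the FreeRADIUS project; the MAC address, the VLAN IDs and the MAC formatting (dash-separated upper case) are constructed, and the format your switch actually sends (colons, dashes, no separators, upper or lower case) has to be matched exactly or normalized with a policy before the lookup.

```text
# FreeRADIUS users file fragment (constructed example, not from the thread)
#
# A known printer: the NAS sends its MAC as both User-Name and
# User-Password, so the "password" is just the MAC again.
# The three Tunnel-* attributes tell the switch which VLAN to put the
# port in (values are defined in dictionary.rfc2868).
00-11-22-33-44-55    Cleartext-Password := "00-11-22-33-44-55"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20"

# Anything that did not match a known MAC above lands here and is
# accepted onto an isolated guest VLAN that only reaches the
# "how to connect securely" captive page, as the post suggests.
# Because this accepts every request, the guest VLAN must be firewalled
# off from the rest of the network; it is deliberately unprotected.
DEFAULT    Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "99"
```

Two caveats a practitioner should keep in mind with this layout: the `DEFAULT` entry must come after every specific MAC entry, since the `users` file is matched top to bottom and the first matching entry with a `Fall-Through` of no ends processing; and, as the thread already notes, the "authentication" here is only as strong as the MAC address, so on a shared medium a cloned MAC gets the same VLAN, which is why the secure VLANs in the post sit behind dot1x rather than MAC auth.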