MAC Authentication - Bad Idea?

Brian Candler B.Candler at pobox.com
Wed Feb 2 22:16:35 CET 2011


On Wed, Feb 02, 2011 at 02:00:52PM -0600, Gary Gatten wrote:
> On shared medium, I don't *think* dupe macs will cause much problem,
> unless maybe a congestion algorithm tweaks traffic to/from that mac.  I'm
> not an expert in that area, just speaking from experience.

Layer 1
-------
I have little experience with radio, and if it's a single radio cell with
omnidirectional antenna it might not make much difference (*).

Layer 2
-------
With switches: they learn which port "owns" the MAC address, and then only
send traffic to the latest seen port.  If it keeps changing, there will be
substantial packet loss.

Layer 3
-------
If two people are on the same IP address then of course that will mess
things up royally, so one will have to manually choose a different one.

Now, if two different IPs share the same MAC address, it will usually work
unless one of the devices has IP forwarding enabled.  If they do, then when
terminal A sees frames for B's IP address it will forward them to its default
route.  The router will then re-send the packet to B, and hence you will get
a storm of duplicate packets (multiplied by the TTL).

Regards,

Brian.

(*) If the radio station has multiple antennas to beam the signal in the
correct direction, I imagine it might not work well if it sees the same
client in two places at once.
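
The Layer 2 behaviour described in the message above, as an added example that is not part of the original post: a minimal learning-switch model in which hosts A and B sit on different ports and answer traffic is delivered to whichever port last sourced the destination MAC. The MAC addresses, port numbers and the request/reply schedule are constructed assumptions.

```python
# Added illustration (not from the original post): a learning switch that
# forwards to the port where a MAC was last seen, as described under "Layer 2".
SHARED = "02:00:00:00:00:aa"    # constructed, locally administered MAC
OTHER = "02:00:00:00:00:bb"     # constructed, used for the control run
ROUTER = "02:00:00:00:00:01"    # constructed
ROUTER_PORT = 3                 # assumed topology: A=port 1, B=port 2, router=port 3


class LearningSwitch:
    def __init__(self):
        self.table = {}   # MAC -> port it was last seen on
        self.moves = {}   # MAC -> how many times it changed port

    def receive(self, port, src, dst):
        """Learn src on port; return the egress port for dst (None = flood)."""
        old = self.table.get(src)
        if old is not None and old != port:
            self.moves[src] = self.moves.get(src, 0) + 1
        self.table[src] = port
        return self.table.get(dst)


def simulate(rounds, mac_a, mac_b):
    """Each round: A and B both send to the router, then the router replies
    to each. Returns (replies delivered, replies lost, MAC moves seen)."""
    sw = LearningSwitch()
    hosts = [(1, mac_a), (2, mac_b)]
    delivered = lost = 0
    for _ in range(rounds):
        for port, mac in hosts:
            sw.receive(port, mac, ROUTER)
        for port, mac in hosts:
            egress = sw.receive(ROUTER_PORT, ROUTER, mac)
            if egress == port:
                delivered += 1
            else:
                lost += 1   # reply went to the other host's port
    return delivered, lost, sum(sw.moves.values())


if __name__ == "__main__":
    print("duplicate MAC:", simulate(100, SHARED, SHARED))
    print("distinct MACs:", simulate(100, SHARED, OTHER))
```

With this schedule the duplicate-MAC run loses every reply meant for A, and the table entry changes port on almost every frame the two hosts send; the control run with distinct MACs loses nothing and records no moves.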



More information about the Freeradius-Users mailing list