MAC auth bypass with freeradius/openldap

Phil Mayers p.mayers at imperial.ac.uk
Wed Jun 22 17:35:41 CEST 2011


On Wed, Jun 22, 2011 at 08:23:09AM -0700, g17jimmy wrote:
>I guess I was too quick to call it, and it looks like the problem is still on
>the NAS. You will see that the client first gets access using the MAC
>address as the CSID, but at some point, the client or NAS decided to
>re-auth but this time using the IP address that the client had acquired.
>It doesn't look like it's associated with the reauthentication period as
>that is set to 1 hour and the issue occurred within about 10 minutes. I'm
>pretty sure this has nothing to do with radius and everything to do with my
>switch config, so sorry if this post is inappropriate.

These are accounting packets, not authentication packets. They're 
basically status messages from the NAS to the radius server telling you 
the session is "alive".

Presumably it's snooping ARP or DHCP which is why it changes to using 
IP.

If you don't need accounting you can just ignore this.
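
The distinction drawn in the reply above, as an added example that is not part of the original mailing-list post: a minimal RADIUS parser that reads the packet Code to tell an Access-Request from an Accounting-Request and extracts Calling-Station-Id and Acct-Status-Type. The sample packets, MAC and IP address are constructed, and the helper names (`parse_radius`, `build`) are hypothetical.

```python
import struct

# Packet codes and attribute numbers from RFC 2865 / RFC 2866.
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
CALLING_STATION_ID, ACCT_STATUS_TYPE = 31, 40


def parse_radius(packet: bytes) -> dict:
    """Hypothetical helper: code name, Calling-Station-Id, Acct-Status-Type."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    out = {"code": CODES.get(code, f"Unknown({code})"),
           "csid": None, "acct_status": None}
    pos = 20  # attributes start after code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == CALLING_STATION_ID:
            out["csid"] = value.decode("ascii", "replace")
        elif atype == ACCT_STATUS_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            out["acct_status"] = ACCT_STATUS.get(num, str(num))
        pos += alen
    return out


def build(code: int, attrs: list) -> bytes:
    """Build a constructed sample packet (all-zero authenticator, not valid)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body


# Constructed samples: MAC as CSID at authentication, IP in a later update.
AUTH = build(1, [(CALLING_STATION_ID, b"00-11-22-33-44-55")])
ACCT = build(4, [(ACCT_STATUS_TYPE, struct.pack("!I", 3)),
                 (CALLING_STATION_ID, b"192.0.2.10")])

if __name__ == "__main__":
    for pkt in (AUTH, ACCT):
        print(parse_radius(pkt))
```

Only the first packet is an authentication request; the second carries the IP-based Calling-Station-Id inside an accounting Interim-Update, which does not trigger an access decision.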




More information about the Freeradius-Users mailing list