EAP used for plain MAC authentication?

Phil Mayers p.mayers at imperial.ac.uk
Mon Jan 5 12:38:23 CET 2015

On 03/01/15 23:16, jm+freeradiususer at roth.lu wrote:

> In this case, the switch supports EAP MD5 functionality with the
> username and password equal to the client MAC address
> --end quote--
> It's mainly that last sentence that I'm wondering about.

Yeah, a couple of vendors do that (Juniper, for example). A "MAC auth" 
request is sent as an EAP-MD5 request with the username and password as 
the MAC address.

Personally I think this is idiotic at best, and insecure at worst. In 
particular, if the requests don't contain an attribute to distinguish 
between EAP-based MAC-auth and real user-based EAP - and some vendors 
don't - a real user can just set their username and password to their 
MAC address and waltz right in.

More information about the Freeradius-Users mailing list