EAP used for plain MAC authentication?

Nick Lowe nick.lowe at gmail.com
Mon Jan 5 13:24:27 CET 2015

Do these switches or APs not use a Service-Type of Call-Check when
performing MAC auth then? I would be barking at the vendor if that was

While using an EAP type is rather pointless for MAC address authentication,
there isn't an intrinsic problem doing so. I don't think it's idiotic.

It's where an appropriate, discriminating Service-Type AVP is missing for
CWP auth, MAC auth or something else that it is a problem and you have to
shout at the NAS vendor to get it resolved. That's the idiotic part. (But
let's not forget it's easy to spoof a MAC address on many devices.)

There are other bigger fish to fry too, a bigger issue is where CWP
authentication on an AP doesn't use a TLS-based EAP type while carrying
user credentials.
(While I don't use these personally, many others do. Yes there are other
attacks against CWPs but this doesn't negate this.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150105/e154ff28/attachment.html>

More information about the Freeradius-Users mailing list