EAP used for plain MAC authentication?

Nick Lowe nick.lowe at gmail.com
Mon Jan 5 13:24:27 CET 2015


Do these switches or APs not use a Service-Type of Call-Check when
performing MAC auth then? I would be barking at the vendor if that was
missing.

While using an EAP type is rather pointless for MAC address authentication,
there isn't an intrinsic problem doing so. I don't think it's idiotic.

It's where an appropriate, discriminating Service-Type AVP is missing for
CWP auth, MAC auth or something else that it is a problem and you have to
shout at the NAS vendor to get it resolved. That's the idiotic part. (But
let's not forget it's easy to spoof a MAC address on many devices.)

There are other, bigger fish to fry too; a bigger issue is where CWP
authentication on an AP doesn't use a TLS-based EAP type while carrying
user credentials.
(While I don't use these personally, many others do. Yes, there are other
attacks against CWPs but this doesn't negate this.)

Nick
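
Added example, not part of the original message: a sketch of why the discriminating Service-Type matters on the server side. It sorts Access-Requests by Service-Type (Call-Check is value 10 in RFC 2865) and flags requests that merely look like MAC auth. The attribute dictionaries, the category names and the "User-Name equals Calling-Station-Id" heuristic are assumptions made for illustration.

```python
import re

# Service-Type value from RFC 2865 section 5.6
CALL_CHECK = 10


def norm_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if not a MAC."""
    s = re.sub(r"[-:.]", "", value or "").lower()
    return s if re.fullmatch(r"[0-9a-f]{12}", s) else None


def classify(req):
    """Classify one Access-Request given as an attribute dict (hypothetical shape)."""
    # The NAS said so explicitly: MAC auth, whether or not it wrapped it in EAP.
    if req.get("Service-Type") == CALL_CHECK:
        return "mac-auth"
    # No Call-Check, but the user name is the client's own MAC address.
    # The server can only guess here: the NAS may be doing MAC auth without
    # the AVP, or a user may have typed a MAC as a login name.
    user_mac = norm_mac(req.get("User-Name"))
    if user_mac and user_mac == norm_mac(req.get("Calling-Station-Id")):
        return "ambiguous-mac-like"
    if "EAP-Message" in req:
        return "eap"
    return "other"


# Constructed sample requests (not captured traffic).
SAMPLES = [
    {"Service-Type": 10, "User-Name": "001122aabbcc",
     "Calling-Station-Id": "00-11-22-AA-BB-CC", "EAP-Message": b"\x02"},
    {"Service-Type": 2, "User-Name": "00:11:22:aa:bb:cc",
     "Calling-Station-Id": "00-11-22-AA-BB-CC", "EAP-Message": b"\x02"},
    {"Service-Type": 2, "User-Name": "alice@example.org",
     "Calling-Station-Id": "00-11-22-AA-BB-CC", "EAP-Message": b"\x02"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["User-Name"], "->", classify(sample))
```

Requests landing in "ambiguous-mac-like" are the ones to take to the NAS vendor: the policy has to infer intent from the user name instead of reading it from Service-Type.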