EAP used for plain MAC authentication?
Nick Lowe
nick.lowe at gmail.com
Mon Jan 5 15:32:23 CET 2015
On Mon, Jan 5, 2015 at 2:26 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On Jan 5, 2015, at 9:23 AM, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> > It would be helpful to have a reference as to why unadorned EAP
> messages, without a Service-Type, are harmful. Anyone know of one?
>
> Nope. There is a “Service-Type = IEEE-802.1X”. That should be used for
> 802.1X. But not many vendors use it that I’ve seen.
>
> Perhaps a better solution would be to have a Service-Type dedicated to
> MAC authentication. Then it wouldn’t matter what authentication method was
> being used. Sadly, it’s too late for that.
Indeed, most vendors will just use a Service-Type of Framed.
For MAC auth, assuming it is not being used for something else by a NAS,
advice that Call-Check is the most appropriate Service-Type to use as the
Calling-Station-Id contains the client MAC address may be helpful.
Nick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150105/111ba3d6/attachment.html>
More information about the Freeradius-Users
mailing list