EAP used for plain MAC authentication?

Nick Lowe nick.lowe at gmail.com
Mon Jan 5 21:41:51 CET 2015


On Mon, Jan 5, 2015 at 8:17 PM, Marki <jm+freeradiususer at roth.lu> wrote:

> In fact the switches correctly react to an Access-Accept or Access-Reject,
> but don't set the VLAN correctly without EAP.

I consider this a bug as there should be a separation of concerns here. It
is totally unnecessary and a layering violation to couple to EAP.

> In fact I have a call open with Cisco about this, and it would now be great
> if I had some strong arguments why using EAP here is just sick, or why some
> things only work with EAP while the rest also works out-of-the-box.

I don't have a problem with EAP being used for MAC auth. A NAS could, for
example, use a fixed, constant username and password to perform MAC address
authentication, only passing the MAC address in the Calling-Station-Id,
instructing that this value should be authenticated using the Service-Type
of Call-Check.

This is useful as it means you can use a single directory account for MAC
auth without having to mess around.

I do want to see Cisco implement and support a fixed, constant username and
password authentication for MAB in a future IOS release. (As an option.)

If a Service-Type is missing, this is a bug where other authentication
types are supported as it becomes awkward, hackish and potentially
unreliable to discriminate between the type of service being used by a
client. It becomes a broken NAS at this point.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20150105/a786c863/attachment-0001.html>

More information about the Freeradius-Users mailing list