Plain Mac-Auth - server accepts but client does not connect
Alan DeKok
aland at deployingradius.com
Tue Jan 12 22:11:15 CET 2016
On Jan 12, 2016, at 3:55 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
> I'm curious about your assertion. I'm just starting to deploy FreeRADIUS in order to do mac auth
> for a wireless network (Aruba), and I've been following:
>
> http://wiki.freeradius.org/guide/mac-auth#plain-mac-auth
>
> which seems to contradict your claim. I'm curious if I am misunderstanding something.
Yes.
EAP is *required* for wireless networks.
Mac auth can *reject* on wireless networks. It cannot cause the user to be authenticated on wireless networks. This is because the session requires 802.1X session keys, which are derived from a *successful* EAP authentication.
For wired networks without 802.1X, you can do Mac auth.
For wired networks with 802.1X and *not* Macsec, you can force a user online with Mac auth, by faking the EAP success.
For wired networks with 802.1X and Macsec, Mac auth can reject a user. It cannot cause the user to be authenticated. This is because the session requires Macsec session keys, which are derived from a *successful* EAP authentication.
Alan DeKok.
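
Added example, not part of the original message and not FreeRADIUS code: a sketch of the dependency described above, where the 802.1X pairwise keys come from key material that only a successful EAP exchange exports. It assumes WPA2-Enterprise with CCMP and the IEEE 802.11 HMAC-SHA1 PRF; the MAC addresses, nonces, MSK and function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample values (not from the thread): AP and client MACs, nonces, MSK.
AA = bytes.fromhex("020000000001")
SPA = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
SAMPLE_MSK = hashlib.sha512(b"constructed EAP MSK").digest()  # 64 bytes


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def pmk_from_eap(msk: Optional[bytes]) -> bytes:
    """The PMK is the first 32 bytes of the MSK a successful EAP method exports."""
    if msk is None or len(msk) < 32:
        raise ValueError("no EAP MSK, so there is no PMK")
    return msk[:32]


def session_keys(msk: Optional[bytes]) -> Optional[dict]:
    """Return the pairwise keys (CCMP, PRF-384), or None when no EAP ran."""
    try:
        pmk = pmk_from_eap(msk)
    except ValueError:
        return None  # MAC-auth-only Access-Accept: no key material at all
    data = min(AA, SPA) + max(AA, SPA) + min(ANONCE, SNONCE) + max(ANONCE, SNONCE)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


if __name__ == "__main__":
    print("after EAP success:", session_keys(SAMPLE_MSK)["TK"].hex())
    print("after MAC auth only:", session_keys(None))
```
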
More information about the Freeradius-Users mailing list