Plain Mac-Auth - server accepts but client does not connect

[Munroe Sollog]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 01/12/2016 04:11 PM, Alan DeKok wrote:
> On Jan 12, 2016, at 3:55 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
>> I'm curious about your assertion.  I'm just starting to deploy FreeRADIUS in order to do mac
>> auth for a wireless network (Aruba), and I've been following:
>> 
>> http://wiki.freeradius.org/guide/mac-auth#plain-mac-auth
>> 
>> which seems to contradict your claim.  I'm curious if I am misunderstanding something.
> 
> Yes.
> 
> EAP is *required* for wireless networks.
> 
> Mac auth can *reject* on wireless networks.  It cannot cause the user to be authenticated on
> wireless networks.  This is because the session requires 802.1X session keys, which are derived
> from a *successful* EAP authentication.
> 
> For wired networks without 802.1X, you can do Mac auth.
> 
> For wired networks with 802.1X and *not* Macsec, you can force a user online with Mac auth, by
> faking the EAP success.
> 
> For wired networks with 802.1X and Macsec, Mac auth can reject a user.   It cannot cause the
> user to be authenticated.  This is because the session requires Macsec session keys, which are
> derived from a *successful* EAP authentication.
> 
> Alan DeKok.
> 

That means that FreeRadius can't be used at all to allow devices that don't support EAP (smart
TVs, wireless sensors, etc) to join any SSID?  Is the wiki wrong or am I missing the clarification
in the documentation?
- -- 
Munroe Sollog
LTS - Network Analyst
x85002
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJWlXAeAAoJEPbbZiWCKDVCs9UH/2fKvL+YOYZYQThoGBgiOrA6
3kyBxijPIzhUAtmNJzhl9PwMdrOn8SJlooofbm1wrdHTO0vtNH4aLeJTrBmYizpT
afSvX+eiRlZ7/pKEAyDV3Fxdax4bLhMQXQDNr+J7iI1pMlRaE5YzWJYs/dA1vM40
oHXkpk4R/yb3vtzLt6MAo6mY+vizxYa6tyUK+0p4h+vpKPehPxA+jTPYGmyenTFo
n+f3I4iZIrCUmdaOFRLqWGqPf7srtFOV/LKiowNW796usTleiTfPkZBc5FkXmwMS
m8Q4jF0b2QFAq+v6mRYWMyn2DPheXb6KptgQlkW302VbbP9Ai8v81XZXrIwwG2w=
=ryyf
-----END PGP SIGNATURE-----