Plain Mac-Auth - server accepts but client does not connect
mus3 at lehigh.edu
Tue Jan 12 22:29:03 CET 2016
-----BEGIN PGP SIGNED MESSAGE-----
On 01/12/2016 04:11 PM, Alan DeKok wrote:
> On Jan 12, 2016, at 3:55 PM, Munroe Sollog <mus3 at lehigh.edu> wrote:
>> I'm curious about your assertion. I'm just starting to deploy FreeRADIUS in order to do mac
>> auth for a wireless network (Aruba), and I've been following:
>> which seems to contradict your claim. I'm curious if I am misunderstanding something.
> EAP is *required* for wireless networks.
> Mac auth can *reject* on wireless networks. It cannot cause the user to be authenticated on
> wireless networks. This is because the session requires 802.1X session keys, which are derived
> from a *successful* EAP authentication.
> For wired networks without 802.1X, you can do Mac auth.
> For wired networks with 802.1X and *not* Macsec, you can force a user online with Mac auth, by
> faking the EAP success.
> For wired networks with 802.1X and Macsec, Mac auth can reject a user. It cannot cause the
> user to be authenticated. This is because the session requires Macsec session keys, which are
> derived from a *successful* EAP authentication.
> Alan DeKok.
That means that FreeRadius can't be used at all to allow devices that don't support EAP (smart
TVs, wireless sensors, etc) to join any SSID? Is the wiki wrong or am I missing the clarification
in the documentation?
LTS - Network Analyst
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
More information about the Freeradius-Users