FreeRADIUS Authentication/Authorization

Matthew Newton mcn4 at leicester.ac.uk
Wed Nov 9 14:24:10 CET 2016


On Wed, Nov 09, 2016 at 10:45:49AM -0200, Luiz Fernando Mizael Meier wrote:
> Today we have a PSK SSID and it is a mess. We change the password and
> after a week the whole world already knows the password again.

Which is the problem with shared secrets.

> Now we have some computers to run specific software. These machines aren't
> joined to our domain and we don't want them to be. They are just terminals for
> specific use only. The problem with the PSK is the security.

Sounds like the ideal situation for EAP-TLS and certificates.

> If we could validate these machines via MAC and not ask for
> username/password, that would be the perfect scenario. I thought I could do this
> authorization based on the link below, but I think I am misunderstanding
> something.

The options are:

 - 802.1X (EAP) on its own
 - 802.1X *and* MAC auth
 - MAC auth

As this is wireless, you're stuck with the 802.1X bit unless you
do PSK. So you can either do it on its own, or in combination with
MAC auth.

Some wireless systems will let you do PSK with MAC auth against
RADIUS IIRC.

But MAC auth isn't really "auth", more like a filter with very
large holes.

So, as I wrote before: you can't do 802.1X/EAP MAC-auth only.

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
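
The three options listed in the message above, sketched as policy logic. This is an added example, not part of the original message and not FreeRADIUS code. It assumes the common convention that a MAC-auth request carries the MAC as User-Name and no EAP-Message; the function names, the eap_tls_ok flag (standing in for the outcome of the certificate handshake) and all sample values are constructed for illustration.

```python
import re

# Constructed allowlist of terminal MACs (sample values, not from the thread).
ALLOWED_MACS = {"02005e100001", "02005e100002"}

def normalise_mac(value):
    """Reduce common MAC notations to 12 lowercase hex digits, else None."""
    stripped = re.sub(r"[-:.\s]", "", value or "").lower()
    return stripped if re.fullmatch(r"[0-9a-f]{12}", stripped) else None

def classify(request):
    """Tell an 802.1X (EAP) request from a MAC-auth request by its attributes."""
    if "EAP-Message" in request:
        return "eap"
    user = normalise_mac(request.get("User-Name"))
    if user is not None and user == normalise_mac(request.get("Calling-Station-Id")):
        return "mac-auth"
    return "other"

def decide(request, eap_tls_ok, policy):
    """policy is 'eap', 'eap+mac' or 'mac', matching the three options."""
    kind = classify(request)
    mac_ok = normalise_mac(request.get("Calling-Station-Id")) in ALLOWED_MACS
    if policy == "eap":
        return kind == "eap" and eap_tls_ok
    if policy == "eap+mac":
        # The certificate proves identity; the MAC only narrows where it is used.
        return kind == "eap" and eap_tls_ok and mac_ok
    if policy == "mac":
        # Nothing is proven here: the address reported by the client is the only input.
        return kind == "mac-auth" and mac_ok
    raise ValueError(f"unknown policy: {policy}")

# Constructed sample requests (attribute name -> value).
TERMINAL_EAP = {"User-Name": "terminal01",
                "Calling-Station-Id": "02-00-5E-10-00-01",
                "EAP-Message": b"\x02\x01\x00\x0f\x01terminal01"}
MAC_ONLY = {"User-Name": "02005e100001",
            "Calling-Station-Id": "02:00:5e:10:00:01"}
UNLISTED_EAP = dict(TERMINAL_EAP, **{"Calling-Station-Id": "0200.5e10.0099"})

if __name__ == "__main__":
    for name, req, tls in [("terminal, valid cert", TERMINAL_EAP, True),
                           ("terminal, no valid cert", TERMINAL_EAP, False),
                           ("MAC-auth request", MAC_ONLY, False),
                           ("unlisted MAC, valid cert", UNLISTED_EAP, True)]:
        results = {p: decide(req, tls, p) for p in ("eap", "eap+mac", "mac")}
        print(f"{name:26} {results}")
```

Under the "mac" policy the MAC-auth request is accepted with no credential checked at all, which is the "filter with very large holes" point; under "eap+mac" the same address is only an extra condition on top of a successful EAP-TLS handshake.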

