FreeRADIUS Authentication/Authorization

Luiz Fernando Mizael Meier lfmmeier at
Wed Nov 9 14:57:40 CET 2016


Thanks for your answer. We've been thinking and we'll probably go to sql.
Today we already validate via sql the mac addresses (in authorization
step). I was thinking of some way to ignore the username/password (in
authentication step) if it is one of these special machines, once there is
no way to not prompt them to.

Thanks in advance.


2016-11-09 11:24 GMT-02:00 Matthew Newton <mcn4 at>:

> On Wed, Nov 09, 2016 at 10:45:49AM -0200, Luiz Fernando Mizael Meier wrote:
> > Today we have a PSK SSID and it is a mess. We change the password and
> > after a week the whole world already knows the password again.
> Which is the problem with shared secrets.
> > Now we have some computers to run specific software. These machines aren't
> > joined to our domain and we don't want them to. They are just a terminal for
> > specific use only. The problem with the PSK is the security.
> Sounds like the ideal situation for EAP-TLS and certificates.
> > If we could validate these machines via mac and not ask for
> > username/password would be the perfect scenario. I thought I could do this
> > authorization based on the link below, but I think I am misunderstanding
> > something.
> The options are:
>  - 802.1X (EAP) on its own
>  - 802.1X *and* MAC auth
>  - MAC auth
> As this is wireless, you're stuck with the 802.1X bit unless you
> do PSK. So you can either do it on its own, or in combination with
> MAC auth.
> Some wireless systems will let you do PSK with MAC auth against
> But MAC auth isn't really "auth", more like a filter with very
> large holes.
> So as I wrote before. You can't do 802.1X/EAP MAC-auth only.
> Matthew
> --
> Matthew Newton, Ph.D. <mcn4 at>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, <ithelp at>

More information about the Freeradius-Users mailing list