Post-Auth LDAP with computer names rather than usernames

Alan DeKok aland at deployingradius.com
Sat Oct 20 14:51:02 CEST 2018


On Oct 20, 2018, at 8:38 AM, Hans-Christian Esperer <hc at hcesperer.org> wrote:
> 
> Well, we don't even know yet what the original poster's intention was.

  That's where it's helpful to ask good questions.  And give useful information, like "we're using WiFi with EAP".

> Maybe it can be solved in a secure and a less secure way? Why point out the
> less secure way first?

  Because of the vague nature of the question.  The MAC approach is almost always available.

> All I meant to do was point out that the MAC approach
> has disadvantages to the original approach,

  Which was what?  The "original approach" didn't actually describe the authentication that was being used.

> maybe that's something that wasn't
> taken into consideration by the original poster.

  At this point, we're all just guessing.

> On a personal side note, my original motivation to look into freeradius in the
> first place was precisely that I wanted to avoid them portals. =) Not only are
> they utterly insecure, they are also incredibly inconvenient if what you want
> is a stable and long lived wifi connection...

  Hotspot 2.0 is supposed to solve a lot of these problems.

  My point is that it's not useful to complain about the insecurity of MAC addresses.  Everyone knows, and has known for years.  So comments like this:

"I don't understand at all why MAC addresses are used everywhere in security relevant contexts"

  Just show a lack of understanding of *how* things work.  Since solutions are driven by available information, the answer to "why" is simple: It's often the only choice.

  Alan DeKok.




More information about the Freeradius-Users mailing list