Post-Auth LDAP with computer names rather than usernames
Alan DeKok
aland at deployingradius.com
Sat Oct 20 14:51:02 CEST 2018
On Oct 20, 2018, at 8:38 AM, Hans-Christian Esperer <hc at hcesperer.org> wrote:
>
> Well, we don't even know yet what the original poster's intention was.
That's where it's helpful to ask good questions. And give useful information, like "we're using WiFi with EAP".
> Maybe it can be solved in a secure and a less secure way? Why point out the
> less secure way first?
Because of the vague nature of the question. The MAC approach is almost always available.
> All I meant to do was point out that the MAC approach
> has disadvantages to the original approach,
Which was what? The "original approach" didn't actually describe the authentication that was being used.
> maybe that's something that wasn't
> taken into consideration by the original poster.
At this point, we're all just guessing.
> On a personal sidenote, my original motivation to look into freeradius in the
> first place was precisely that I wanted to avoid them portals. =) Not only are
> they utterly insecure, they are also incredibly inconvenient if what you want
> is a stable and long lived wifi connection...
Hotspot 2.0 is supposed to solve a lot of these problems.
My point is that it's not useful to complain about the insecurity of MAC addresses. Everyone knows, and has known for years. So comments like this:
"I don't understand at all why MAC addresses are used everywhere in security relevant contexts"
Just show a lack of understanding of *how* things work. Since solutions are driven by available information, the answer to "why" is simple: It's often the only choice.
Alan DeKok.