MAC Address auth?!

marki jm+freeradiususer at roth.lu
Sun Dec 24 17:51:09 UTC 2023


Usually, 2FA means 1) sth you know 2) sth you have. So, in theory, you 1) know the shared secret and you 2) "have" the MAC address.

However I think this combination is stretching the definition a bit, as it's not really you, but the device having that last factor. Also, the first factor is not unique.

The proposed way does not authenticate the user connecting to the network at all.

Also, WPA Personal has nothing to do with 802.1x which is about EAP, i.e. the "Enterprise" way. Don't be fooled by "802.1x in MAC mode".



On December 24, 2023 5:29:20 PM GMT+01:00, Marco Gaiarin <gaio at lilliput.linux.it> wrote:
>
>A consultant in a session spoke about 'MAC address authentication', using
>Unifi APs/management software, and describing it as '2FA'.
>
>
>If I understood well, enabling a specific option:
>
>	https://help.ui.com/hc/en-us/articles/115004589707-RADIUS-Based-MAC-Authentication-and-802-1X
>
>I can connect the supplicant to the network (via WPA2/3-Personal, so a shared
>secret) and then do a second-step authorization using RADIUS, but where
>accounts are in the form 'AABBCCDDEEFF' (uppercase MAC address) and the password
>is identical to the user.
>
>
>This seems '0,5FA': 0,5 for a shared password, 0 for accounts where the password is
>identical to the username.
>
>But effectively I found on Google some setups like that, which I really don't
>understand. Does someone have a clue?
>
>
>This seems to me real 2FA...
>
>	https://wiki.freeradius.org/guide/2FA-Active-Directory-plus-Proxy
>
>
>Thanks.
>
>-- 
>  Selling, no, that is not among my risks,
>  don't buy my records and spit on me.	(F. Guccini)
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
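
An added example (not part of either message, and not FreeRADIUS or UniFi code): a small audit over a constructed FreeRADIUS `users`-style file that separates entries whose password is just the MAC address from entries that carry an independent secret. The sample entries, function names and verdict labels are assumptions made for illustration.

```python
import re

# Constructed sample of a FreeRADIUS "users"-style file (not from the thread).
SAMPLE_USERS = '''\
# MAC-auth entries as described in the thread: password identical to the user name
AABBCCDDEEFF  Cleartext-Password := "AABBCCDDEEFF"
aa-bb-cc-dd-ee-01  Cleartext-Password := "aa:bb:cc:dd:ee:01"
# ordinary account with an independent secret
alice  Cleartext-Password := "constructed-example-secret"
# MAC-named account whose password is not the MAC
AABBCCDDEE02  Cleartext-Password := "constructed-example-secret"
'''

# Accepts AABBCCDDEEFF, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff
MAC_RE = re.compile(r'^[0-9A-Fa-f]{2}([:.-]?[0-9A-Fa-f]{2}){5}$')
ENTRY_RE = re.compile(r'^(\S+)\s+Cleartext-Password\s*:=\s*"([^"]*)"')

def normalize_mac(value):
    """Return 12 uppercase hex digits if value looks like a MAC, else None."""
    if not MAC_RE.match(value):
        return None
    return re.sub(r'[^0-9A-Fa-f]', '', value).upper()

def audit_users(text):
    """Classify each entry by what its 'password' actually proves."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # comments, blank lines, other check items
        user, password = m.groups()
        mac = normalize_mac(user)
        if mac is None:
            verdict = "user-account"
        elif normalize_mac(password) == mac:
            # The credential is only the hardware address, which is sent
            # unencrypted in Wi-Fi frame headers: an identifier, not a secret.
            verdict = "mac-only"
        else:
            verdict = "mac-named-with-secret"
        findings.append((user, verdict))
    return findings

if __name__ == "__main__":
    for user, verdict in audit_users(SAMPLE_USERS):
        print(f"{user:20} {verdict}")
```

Entries reported as `mac-only` identify a device but contribute no authentication factor of their own, which is the point both messages make.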

