check user device mac address without doing mac-auth

Eby Mani eby_km at yahoo.com
Wed Mar 22 15:44:44 UTC 2023


 Many thanks,

> You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.

Are you talking about the "authorized_macs" file, or a MAC mapped (Calling-Station-Id) to a particular user in the users file?

> The devices MAC comes in the RADIUS packet. So it is trivial to match a user to a particular device.

Is it not possible to grab the Calling-Station-Id from the Access-Request and check it against the DB?

Somewhere I read that additional checks can be done with Calling-Station-Id when using PPP. Does this feature only work with PPP/SLIP?

Thanks,
     On Wednesday, 22 March, 2023, 08:16:38 pm IST, Alan DeKok <aland at deployingradius.com> wrote:  
 
 On Mar 22, 2023, at 10:40 AM, Eby Mani via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Is it possible to check the MAC address of the user's device when doing standard 802.1X authentication and allow access without doing mac-auth + 802.1X?

  No.

  You can reject a user when doing 802.1X authentication if their MAC does not match an expected MAC.

  You cannot force authentication to succeed if the MAC is known, but 802.1X authentication fails.  It's impossible.

> The requirement is to restrict users from connecting from other devices(say BYOD) other than IT approved device allocated to user.

  That can be done:

    if (mac is not known) {
        reject
    }

> When using mac-auth + 802.1X, the server has no way of knowing which device the user is mapped to, and the user can connect from any authorised device in the list.

  The device's MAC comes in the RADIUS packet.  So it is trivial to match a user to a particular device.

> Questions,
> 1. Is there a guide on how to achieve this with MySQL integration?

 No.  You cannot force authentication to succeed.

> 2a. Is it recommended to add new columns to include the MAC address in the radcheck table?

  No.

> 2b. If so, will FreeRADIUS automatically check the new columns' values and do Access-Accept/Reject automatically?

  Absolutely not.  You can't just add a column, and have FreeRADIUS magically know what the column means, and how to use it.

  Alan DeKok.
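The policy Alan sketches (reject when the MAC is not the one assigned to the user, never force an accept) can be illustrated outside the server. The following is an added example written for this page, not code from the thread or from the FreeRADIUS project: it models the authorize-stage decision in Python, with an in-memory SQLite table standing in for the MySQL table a deployment would query (the table name user_device and its columns are assumptions, not any FreeRADIUS schema). It also normalises the Calling-Station-Id, since different NAS vendors send the MAC as 00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 or 001122334455. Note that the function only ever returns "reject" or "ok": "ok" means the device check passed and the EAP conversation still has to succeed on its own, which is the point Alan makes about not being able to force authentication. In a real deployment with PEAP or TTLS, do the lookup against the inner (tunnelled) User-Name, because the outer identity can be anonymous.

```python
"""Device-binding check for 802.1X: reject before EAP runs when the
Calling-Station-Id is not a MAC assigned to that user.

Constructed example. The sqlite table stands in for the MySQL table a
FreeRADIUS deployment would query via the sql module; the table name
user_device and its columns are assumptions for this example only.
"""
import re
import sqlite3

# Constructed mapping: username -> MAC of the IT-issued device(s).
SCHEMA = "CREATE TABLE user_device (username TEXT NOT NULL, mac TEXT NOT NULL)"
SEED = [
    ("alice", "aa:bb:cc:dd:ee:01"),
    ("bob", "aa:bb:cc:dd:ee:02"),
    ("bob", "aa:bb:cc:dd:ee:03"),  # a user may have more than one approved device
]


def open_db():
    """Create and seed the in-memory stand-in for the MySQL table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO user_device VALUES (?, ?)", SEED)
    return db


def normalize_mac(calling_station_id):
    """Canonicalise the common NAS spellings of Calling-Station-Id to
    aa:bb:cc:dd:ee:ff. Returns None if the value is not a 48-bit MAC, so a
    NAS that sends something unexpected fails closed rather than matching."""
    if calling_station_id is None:
        return None
    s = calling_station_id.strip().lower()
    if re.fullmatch(r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}", s):      # 00:11:22:33:44:55 / 00-11-...
        digits = s.replace(":", "").replace("-", "")
    elif re.fullmatch(r"([0-9a-f]{4}\.){2}[0-9a-f]{4}", s):      # 0011.2233.4455
        digits = s.replace(".", "")
    elif re.fullmatch(r"[0-9a-f]{12}", s):                        # 001122334455
        digits = s
    else:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def device_bound_to_user(db, username, mac):
    """True if (username, mac) is an approved pairing. Parameterised query,
    so a crafted User-Name cannot alter the SQL."""
    row = db.execute(
        "SELECT 1 FROM user_device WHERE username = ? AND mac = ? LIMIT 1",
        (username, mac),
    ).fetchone()
    return row is not None


def authorize(db, request):
    """Authorize-stage decision for one Access-Request (a dict of attributes).

    'reject' ends the conversation before EAP starts. 'ok' only means the
    device check passed; the EAP exchange still decides whether the user is
    accepted. There is deliberately no 'accept' return value.
    """
    username = request.get("User-Name")
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if not username or mac is None:
        return "reject"          # no identity or no usable MAC: fail closed
    if not device_bound_to_user(db, username, mac):
        return "reject"          # known user, but not their approved device
    return "ok"                  # hand over to EAP; nothing is accepted here


if __name__ == "__main__":
    db = open_db()
    for req in (
        {"User-Name": "alice", "Calling-Station-Id": "AA-BB-CC-DD-EE-01"},
        {"User-Name": "alice", "Calling-Station-Id": "aa:bb:cc:dd:ee:02"},
        {"User-Name": "bob", "Calling-Station-Id": "aabb.ccdd.ee03"},
        {"User-Name": "bob"},
    ):
        print(req, "->", authorize(db, req))
```

The same structure maps onto an unlang policy: normalise the MAC first, run a parameterised lookup through the sql module, and `reject` on a miss; the EAP module is left untouched, so a known device with a wrong password still fails.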
