EAP & MAC Auth accepting only MAC address
FreeRAD
yetifreerad at gmail.com
Thu Oct 17 15:42:14 UTC 2024
Hi,
I'm doing some testing for my FreeRADIUS installation in which I am
performing MAC Auth which, provided the MAC is correct, then performs
EAP-TTLS/PAP auth. This works fine from a Windows client because it forces
you to enter a username and password.
I was performing some testing using the radclient command and noticed that
the unlang code that the MAC auth guide
<https://wiki.freeradius.org/guide/mac-auth#mac-auth-and-802-1x> gives you
allows authentication as long as the MAC address is correct, even if there
is no username or password, so EAP isn't enforced, which doesn't seem right
to me.
I've reduced the code down to this which I *think* would force EAP auth
even if the MAC is correct:

    # If cleaning up the Calling-Station-Id...
    rewrite_calling_station_id

    # always check against the authorized_macs file first
    authorized_macs
    if (!ok) {
        # Reject if the MAC address was not permitted.
        reject
    }
    else {
        eap {
            ok = return
            updated = return
        }
    }

I've then used radeapclient to test, which seems OK, but is there a better
way of achieving this?
The radeapclient command I used is:

    "User-Name = ,EAP-Code = ,EAP-Id = ,EAP-Type-Identity =
    ,Message-Authenticator = ,Cleartext-Password = ,Calling-Station-ID= " |
    radeapclient auth

Thanks
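
An added example, not part of the original post and not taken from the FreeRADIUS wiki: one way to make the EAP requirement explicit is to reject any request from a permitted MAC that carries no EAP-Message, instead of relying on later processing to fail. It is a fragment that assumes FreeRADIUS 3.x syntax and the `rewrite_calling_station_id` policy and `authorized_macs` instance named in the post.

```unlang
# Added example (assumes FreeRADIUS 3.x); not from the post or the wiki.
authorize {
    # Normalise the MAC first so the lookup key has a consistent format.
    rewrite_calling_station_id

    # Step 1: the MAC must be listed, whatever else the request contains.
    authorized_macs
    if (!ok) {
        reject
    }

    # Step 2: a listed MAC alone is not enough. A request with no
    # EAP-Message (for example one sent with plain radclient) is
    # rejected here instead of falling through to later modules.
    if (!&EAP-Message) {
        reject
    }

    # Step 3: hand the EAP conversation to the eap module, as in the post.
    eap {
        ok = return
        updated = return
    }
}
```

With this in place, a radclient request carrying only a permitted Calling-Station-Id should receive an Access-Reject, while the radeapclient test still proceeds into EAP.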