EAP & MAC Auth accepting only MAC address

FreeRAD yetifreerad at gmail.com
Thu Oct 17 15:42:14 UTC 2024


Hi,

I'm doing some testing for my FreeRADIUS installation in which I am
performing MAC Auth which, provided the MAC is correct, then performs
EAP-TTLS/PAP auth. This works fine from a Windows client because it forces
you to enter a username and password.

I was performing some testing using the radclient command and noticed that
the unlang code that the MAC auth guide
<https://wiki.freeradius.org/guide/mac-auth#mac-auth-and-802-1x> gives you
allows authentication as long as the MAC address is correct, even if there
is no username or password, so EAP isn't enforced, which doesn't seem right
to me.

I've reduced the code down to this which I *think* would force EAP auth
even if the MAC is correct:

    # If cleaning up the Calling-Station-Id...
    rewrite_calling_station_id

    # always check against the authorized_macs file first
    authorized_macs
    if (!ok) {
        # Reject if the MAC address was not permitted.
        reject
    }
    else {
        eap {
            ok = return
            updated = return
        }
    }

I've then used radeapclient to test, which seems OK, but is there a better
way of achieving this?

The radeapclient command I used is:
    "User-Name = ,EAP-Code = ,EAP-Id = ,EAP-Type-Identity =
    ,Message-Authenticator = ,Cleartext-Password = ,Calling-Station-ID= " |
    radeapclient  auth

Thanks
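
Added example, not part of the original post or of the FreeRADIUS guide: one way to make a missing EAP-Message an explicit reject in the authorize section, so that a matching MAC alone never authenticates. It assumes FreeRADIUS v3 unlang syntax, the `authorized_macs` files-module instance and `rewrite_calling_station_id` policy from the MAC auth guide, and the stock `reject` and `eap` modules.

```unlang
authorize {
    preprocess

    # Normalise the Calling-Station-Id before it is used as a lookup key.
    rewrite_calling_station_id

    # Gate 1: the MAC must be listed in the authorized_macs file.
    authorized_macs
    if (!ok) {
        reject
    }

    # Gate 2: the request must be 802.1X. A plain Access-Request
    # (for example one sent with radclient) carries no EAP-Message,
    # so it is refused here instead of falling through to whatever
    # later modules or Auth-Type settings would decide.
    if (!&EAP-Message) {
        reject
    }

    # Only EAP conversations from permitted MACs reach this point.
    eap {
        ok = return
        updated = return
    }
}
```

To check the behaviour, a radclient request with a listed Calling-Station-Id and no EAP attributes should come back as Access-Reject, while the same MAC through radeapclient should proceed into the EAP exchange.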

