EAP & MAC Auth accepting only MAC address
Alan DeKok
aland at deployingradius.com
Fri Oct 18 13:23:02 UTC 2024
On Oct 17, 2024, at 11:42 AM, FreeRAD <yetifreerad at gmail.com> wrote:
> I'm doing some testing for my FreeRADIUS installation in which I am
> performing MAC Auth which, provided the MAC is correct, then performs
> EAP-TTLS/PAP auth. This works fine from a Windows client because it forces
> you to enter a username and password.
That's good.
> I was performing some testing using the radclient command and noticed that
> the unlang code that the MAC auth guide
> <https://wiki.freeradius.org/guide/mac-auth#mac-auth-and-802-1x> gives you
> allows authentication as long as the MAC address is correct even if there
> is no username or password so EAP isn't enforced which doesn't seem right
> to me.
It's an example. You can still change it.
> I've reduced the code down to this which I *think* would force EAP auth
> even if the MAC is correct:
> ...
> # If cleaning up the Calling-Station-Id...
> rewrite_calling_station_id
> # always check against the authorized_macs file first
> authorized_macs
> if (!ok) {
>     # Reject if the MAC address was not permitted.
>     reject
> } else {
>     eap {
>         ok = return
>         updated = return
>     }
> }
That is almost unreadable. But yes, you can reject instead of accept if there's no EAP.
> I've then used radeapclient to test which seems ok but is there a better
> way of achieving this?
It's fine.
Alan DeKok.
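
Added example, not part of the original message or of the FreeRADIUS wiki: one way to write the explicit "reject instead of accept if there's no EAP" that the reply describes, in FreeRADIUS v3 unlang. It assumes the `rewrite_calling_station_id` policy and the `authorized_macs` module instance named in the quoted code are already defined; the commented-out `update control` branch is a constructed illustration of the accept-on-MAC-only behaviour the poster reports.

```unlang
authorize {
    # Normalise Calling-Station-Id before the lookup.
    rewrite_calling_station_id

    # Check the MAC against the authorized_macs file first.
    authorized_macs
    if (!ok) {
        # MAC is not listed: reject.
        reject
    }
    elsif (!&EAP-Message) {
        # Weak form (constructed illustration of what the poster describes):
        # a known MAC with no EAP in the request is accepted outright.
        #
        #   update control {
        #       Auth-Type := Accept
        #   }
        #
        # Hardened form: a known MAC is necessary but not sufficient,
        # so a request that carries no EAP-Message is rejected explicitly.
        reject
    }
    else {
        # Known MAC and an EAP conversation in progress: hand over to EAP.
        # EAP-TTLS/PAP credentials are then checked in the inner tunnel.
        eap {
            ok = return
            updated = return
        }
    }
}
```

With this in place, a plain radclient Access-Request carrying a listed Calling-Station-Id but no EAP-Message should receive an Access-Reject, while a radeapclient run from the same MAC proceeds into the EAP exchange.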