802.1x and MAC Authentication

dominic.stalder at unibe.ch
Mon Sep 23 14:51:38 UTC 2024


Hi Connor

Sorry, I am not yet able to provide you any help on your question at the moment, but I am in the middle of implementing the same use case at this exact moment:

1. MAC authentication with a REST API call to Infoblox first

2. 802.1X / PEAP authentication, only if the first auth above was successful

Are you authorizing the MAC addresses against the authorized_macs file on the FreeRADIUS server or against something else (e.g. SQL, REST API, something else)?

Regards
Dominic

On 23.09.24, 16:43, "Freeradius-Users on behalf of Connor Herring" <freeradius-users-bounces+dominic.stalder=unibe.ch at lists.freeradius.org on behalf of connorrjherring at gmail.com> wrote:


Hi All,

I am attempting to set up my server so that it now checks a MAC address and
then, provided the MAC address is ok, moves on to performing EAP
authentication. This seems to be working fine, but I noticed something in
the logs that I wanted to query. I am using this guide:
<https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x>.


Whenever the RADIUS server sends an Access-Challenge, it still sends the
usual EAP-Message, Message-Authenticator, and State attributes; however, it
now also sends a Reply-Message on the line above these, in the format of the
one in the aforementioned guide:

    Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"

Doesn't seem like something to worry about, just wondered if there was any
way around this?


Further to this, the guide says:

    if (!ok) {
        # Reject if the MAC address was not permitted.
        reject
    }

    # If this is NOT 802.1x, mac-auth
    if (!EAP-Message) {
        # MAC address has already been checked, so accept
        update control {
            Auth-Type := Accept
        }
    }


Unless I am misunderstanding, this is saying: "check the MAC address; if
this isn't correct then continue. If it is correct but someone isn't using
EAP then just allow them through". Surely, unless someone were to comment
out all authentication modules besides EAP in the default server, this
would just allow someone to get onto the network with a correct MAC even if
they don't have auth credentials?


Kind regards,


Connor
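The authorize logic quoted above, modelled as a plain Python function so the three outcomes can be traced (an added example, not FreeRADIUS code and not the guide's): it assumes the authorized_macs file carries the Reply-Message as a reply item for each permitted MAC, as in the guide, and that Calling-Station-Id may arrive in any of the usual separator formats. The MAC table, the sample requests and the canonical_mac helper are constructed for this example.

```python
import re

# Constructed stand-in for the guide's authorized_macs file: one permitted
# MAC per entry, each carrying the Reply-Message reply item from the thread.
AUTHORIZED_MACS = {
    "00-11-22-33-44-55": "Device with MAC Address %{Calling-Station-Id} authorized for network access",
}

def canonical_mac(calling_station_id):
    """Normalise a Calling-Station-Id (00:11:22:33:44:55, 0011.2233.4455, ...)
    to the 00-11-22-33-44-55 form used as the key in AUTHORIZED_MACS."""
    digits = re.sub(r"[^0-9a-fA-F]", "", calling_station_id)
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def authorize(request):
    """Model of the quoted authorize section.

    request is a dict of RADIUS request attributes. Returns (next_step, reply)
    where next_step is 'reject', 'accept' (Auth-Type := Accept, no credential
    check) or 'eap' (hand over to the eap module, which answers with
    Access-Challenge while the PEAP tunnel is being set up).
    """
    reply = {}
    mac = canonical_mac(request.get("Calling-Station-Id", ""))
    if mac is None or mac not in AUTHORIZED_MACS:
        return "reject", reply      # authorized_macs returned notfound -> reject
    # The file entry's reply item is added here, before eap ever runs, so it is
    # already in the reply list when the first Access-Challenge goes out. That
    # is consistent with the Reply-Message observed on the challenge.
    reply["Reply-Message"] = AUTHORIZED_MACS[mac].replace(
        "%{Calling-Station-Id}", request["Calling-Station-Id"])
    if "EAP-Message" not in request:
        # Plain MAC auth: a request with no EAP-Message and a permitted MAC is
        # accepted with no credential check, exactly the branch Connor asks about.
        return "accept", reply
    return "eap", reply             # 802.1X: MAC passed, now PEAP must succeed

if __name__ == "__main__":
    mab = {"Calling-Station-Id": "00:11:22:33:44:55"}
    dot1x = dict(mab, **{"EAP-Message": b"\x02\x00\x00\x05\x01"})  # constructed EAP-Response/Identity stub
    unknown = {"Calling-Station-Id": "AA-BB-CC-DD-EE-FF"}
    for name, req in (("mab", mab), ("802.1x", dot1x), ("unknown", unknown)):
        print(name, authorize(req))
```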