802.1x and MAC Authentication

Connor Herring connorrjherring at gmail.com
Tue Sep 24 15:36:49 UTC 2024


Hi All,

Is someone able to take a look at this for me please?

As mentioned, I just need to know if removing else from the aforementioned
statement would cause any issues further down the line. Currently the
statement looks like this:

if (!ok) {
        # Reject if the MAC address was not permitted.
        reject
}

# If this is NOT 802.1x, mac-auth
if (!EAP-Message) {
        # MAC address has already been checked, so accept
        update control {
                Auth-Type := Accept
        }
}

and once this is complete it just continues through to EAP auth and then to
the inner tunnel server based on the debug logs. So everything looks fine
at a glance but thought I'd check since this isn't how it's configured in
the documentation.

If you need any further information please let me know.

Kind regards,

Connor

On Mon, Sep 23, 2024 at 3:42 PM Connor Herring <connorrjherring at gmail.com>
wrote:

> Hi All,
>
> I am attempting to set up my server so that it now checks a MAC address and
> then, provided the MAC address is ok, it moves on to performing EAP
> authentication. This seems to be working fine but I noticed something in
> the logs that I wanted to query. I am using this guide
> <https://wiki.freeradius.org/guide/Mac-auth#mac-auth-and-802-1x>.
>
> Whenever the RADIUS server sends an Access-Challenge, it still sends the
> usual EAP-Message, Message-Authenticator, and State attributes, however it
> now also sends a Reply-Message on the line above these in the format of the
> one in the aforementioned guide:
>
> Reply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
>
> It doesn't seem like something to worry about, but I just wondered if there
> was any way around this?
>
> Further to this the guide says:
>
> if (!ok) {
>         # Reject if the MAC address was not permitted.
>         reject
> }
>
> # If this is NOT 802.1x, mac-auth
> if (!EAP-Message) {
>         # MAC address has already been checked, so accept
>         update control {
>                 Auth-Type := Accept
>         }
> }
>
> Unless I am misunderstanding, this is saying, "check the MAC address, if
> this isn't correct then continue. If it is correct but someone isn't using
> EAP then just allow them through". Surely unless someone were to comment
> out all authentication modules besides EAP in the default server, this
> would just allow someone to get onto the network with a correct MAC even if
> they don't have auth credentials?
>
> Kind regards,
>
> Connor
>
>
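The question in the thread is whether dropping the `else` changes what the authorize section decides. The following is a constructed Python model of that control flow, added here for illustration; it is not FreeRADIUS code or unlang. It encodes the guide's form (`if (!ok) { reject } else { if (!EAP-Message) { ... } }`) and the poster's form with the `else` removed, assuming that `reject` in unlang ends processing of the section immediately, and compares the decision for every combination of MAC result and EAP-Message presence. The row where the MAC is allowed and no EAP-Message is present is the mac-auth path the guide's comments describe: the request is accepted on the strength of the MAC check alone, which is exactly the behaviour the original post asks about.

```python
"""Constructed model of the two unlang fragments discussed in the thread.

This is a Python simulation of the control flow, not FreeRADIUS's own
code.  Assumption: in unlang, `reject` returns from the section at once,
so nothing after it runs for a disallowed MAC.
"""
from itertools import product

REJECT = "reject"                 # Access-Reject, MAC not in the allowed list
ACCEPT = "Auth-Type := Accept"    # mac-auth path: accepted with no credential check
EAP = "fall through to EAP"       # 802.1X: the eap module authenticates the client


def policy_with_else(mac_ok: bool, has_eap_message: bool) -> str:
    """Guide form: if (!ok) { reject } else { if (!EAP-Message) { accept } }."""
    if not mac_ok:
        return REJECT
    else:
        if not has_eap_message:
            return ACCEPT
    return EAP


def policy_without_else(mac_ok: bool, has_eap_message: bool) -> str:
    """Poster's form: if (!ok) { reject }  if (!EAP-Message) { accept }."""
    if not mac_ok:
        # `reject` stops the section, so the second `if` is never reached
        # for a disallowed MAC; this is why the `else` is redundant.
        return REJECT
    if not has_eap_message:
        return ACCEPT
    return EAP


def compare_policies() -> dict:
    """Map (mac_ok, has_eap_message) -> (with_else, without_else) decisions."""
    return {
        (mac_ok, eap): (policy_with_else(mac_ok, eap),
                        policy_without_else(mac_ok, eap))
        for mac_ok, eap in product((True, False), repeat=2)
    }


def policies_equivalent() -> bool:
    """True if both forms decide identically for every input combination."""
    return all(a == b for a, b in compare_policies().values())


if __name__ == "__main__":
    for (mac_ok, eap), (a, b) in compare_policies().items():
        print(f"mac_ok={mac_ok!s:5} EAP-Message={eap!s:5} "
              f"-> with else: {a:<22} without else: {b}")
    print("equivalent:", policies_equivalent())
```

Running the block prints the four-row decision table. Because `reject` already terminates the section, the `else` only changes indentation, not outcome; the table also makes the mac-auth acceptance row visible at a glance, which is the row to keep in mind when deciding which clients the authorized MAC list should cover.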
