[EXT] Wireless 802.1x with MAB as fallback and FreeRadius
Rodrigo Antunes
rodrigoaantunes at yahoo.com.br
Thu Jul 17 12:01:16 UTC 2025
Like I said in the earlier email, we need the IoT devices to connect to the same SSID; is this doable in FreeRADIUS or not?
I have thought that if this is doable with ISE it could be doable with FreeRADIUS.
I know this is doable in wired dot1x with MAB: for devices that don't support dot1x, the switch sends the MAC to FreeRADIUS and it allows the connection.
On Wednesday, July 16, 2025 at 16:17:11 BRT, Brian Julin <bjulin at clarku.edu> wrote:
Rodrigo Antunes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> But we have some IoT devices that don't support 802.1x, is it possible to make them connect to the same SSID with some kind of fallback?
Instead of this we have the IoT devices use a different SSID that beacons as WPA-Personal, but can if we want put them on the same VLAN after authentication. Then we use some vendor-specific tags to give each IoT device its own PSK for WPA2-Personal in our registration database so we don't have a published shared secret out there to be abused. We use Aruba where they call that MPSK, Cisco's term for that is IPSK.
> I saw a lot of articles teaching how to do this in ISE. Basically you enable MAC Authentication Bypass in the wireless controller and then it sends the MAC to the RADIUS server; if the MAC is invalid then it tries 802.1x.
If there is not at least a WPA3 OWE setup or everyone has not already entered a PSK into IoT devices, then the traffic won't be encrypted and you'd essentially be running an Open SSID overlaid on your Enterprise SSID. People used to do that for captive portal registration stuff ISTR. Otherwise, how the clients would even try to use a PSK on an SSID that is beaconing for WPA-Enterprise I don't know how you managed that... (maybe .11u/hotspot?) I don't imagine today's current production batch of IoT has universal support for WPA3, and in either case (OWE or everyone knows the PSK) you are opening yourself up to evil twin attacks without some way of the IoT device ensuring it is indeed talking to your equipment and not someone else's.
> I tried that, but when the client connects to the SSID it sends the MAC and is rejected by RADIUS.
> It doesn't try 802.1x.
I would not expect it to try EAP for a client that does not present EAP; it's more work for the controllers than needed. I would, however, expect the default FreeRADIUS config to figure out that it is not EAP and take the authentication through the control path for whatever method is presented. Set up radmin, run a debug on a client MAC of interest, and see what sections the control flows through. Then you'll see where you may need to activate modules to handle the auth or provide additional configuration; e.g. if it says "no Auth-Type configured for PAP" you'd know you are missing PAP configuration.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
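The control-path handling Brian describes above, as an added example that is not part of this thread and not the FreeRADIUS project's own configuration: a FreeRADIUS 3.x fragment that treats a request arriving without an EAP-Message as a MAB request, normalises the MAC and looks it up in a local file, and sends everything else down the EAP path. The module name authorized_macs, the file path under mods-config and the sample MAC are assumptions made for the example.

```unlang
# --- mods-enabled/authorized_macs (assumed name; enable by symlink from mods-available) ---
# An rlm_files instance keyed on the client MAC rather than on User-Name,
# so a MAB request (NAS sends the MAC as User-Name and Calling-Station-Id)
# matches an entry in the file below.
files authorized_macs {
    filename = ${modconfdir}/files/authorized_macs
    key = "%{Calling-Station-Id}"
}

# --- mods-config/files/authorized_macs (assumed path) ---
# One entry per permitted IoT device, in the aa-bb-cc-dd-ee-ff form that
# rewrite_calling_station_id produces. The MAC below is a constructed sample.
#
# 00-11-22-33-44-55
#     Reply-Message = "MAB: device %{Calling-Station-Id} authorized"

# --- sites-enabled/default, authorize section ---
authorize {
    preprocess

    # Policy from policy.d/canonicalization: turns whatever MAC format the
    # controller sent (colons, dots, no separators) into aa-bb-cc-dd-ee-ff.
    rewrite_calling_station_id

    if (!&EAP-Message) {
        # No EAP in the request: this is the MAB path Brian's debug
        # session would show. Accept only MACs present in the file;
        # an unknown MAC is rejected here, and whether the controller
        # then offers EAP to the client is the controller's decision.
        authorized_macs
        if (ok) {
            update control {
                &Auth-Type := Accept
            }
        }
        else {
            reject
        }
    }
    else {
        # Request carries EAP: hand it to the eap module as usual.
        eap
    }
}
```

Running `radiusd -X` (or a radmin debug on the device's MAC, as suggested above) while the IoT device associates shows which branch the request takes; a MAB request that reaches the `authorized_macs` lookup and returns `notfound` is the case Rodrigo reports as a rejection, and the fix is an entry for that MAC, not an EAP change. This only settles what FreeRADIUS answers; the encryption and evil-twin concerns raised earlier in the thread are properties of the SSID design, not of the RADIUS policy.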