You are correct about being able to sneeze and break into the network. But luckily all machines with that prefix will be placed into an Ethernet Only VLAN. The devices with that prefix belong to an Ethernet based phone system (www.3com.com/nbx) so anyone who breaks into that VLAN will only be able to see the broadcast Ethernet packets the phones are sending out occasionally. As an extra layer of security the phone system itself will only communicate with phones that have already been configured in its internal MAC table list.

Thanks for the help
Jason

-----Original Message-----
From: [EMAIL PROTECTED] org [mailto:[EMAIL PROTECTED] eradius.org] On Behalf Of Dennis Skinner
Sent: Wednesday, May 10, 2006 3:54 PM
To: FreeRadius users mailing list
Subject: Re: Wildcards in Username and Passwd

Jason Montgomery wrote:
> Hello I have a customer who would like to have 100% MAC address lock
> down on their network. To do that we are able to have the Ethernet
> Switches Send the Device MAC address as the Username and password to the
> Radius Server. The question I have is on the radius server is it
> possible to set a wildcard so that any device showing "00-E0-BB" as the
> MAC Address prefix will automatically be accepted then I can throw the
> usual variables back at the port. If this is possible then I can avoid
> having to enter 300 Devices into the Radius table.

This may give you some ideas:

http://wiki.freeradius.org/index.php/Adding%2C_Removing%2C_Modifying_Attributes_for_further_processing

But, I should warn you, that anyone wanting to break into your customers' network can sneeze and have a machine fake a MAC address. Hell, some Cisco equipment even have a builtin command to do it (handy for replacing/upgrading routers without messing up local ARP tables). Hopefully there is some other form of authentication.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
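
Added example, not part of the original messages and not FreeRADIUS code: a Python sketch of the authorization decision discussed in this thread, where a MAC sent as both username and password is accepted only if it starts with the 00-E0-BB prefix, and the reply always pins the port to the restricted phone VLAN. The function names, the VLAN id "100" and the sample MACs are assumptions made for illustration; rejecting every non-matching request is also an assumption of this sketch.

```python
import re

PHONE_OUI = "00e0bb"   # prefix from the thread ("00-E0-BB"), normalized
PHONE_VLAN = "100"     # constructed placeholder for the phone-only VLAN id

_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Switches differ in how they format the MAC they send as User-Name
    (00-E0-BB-.., 00:e0:bb:.., 00e0.bb..), so compare a canonical form.
    """
    if not isinstance(value, str):
        return None
    stripped = re.sub(r"[-:.]", "", value.strip().lower())
    return stripped if _HEX12.fullmatch(stripped) else None


def authorize(username, password):
    """Return (decision, reply_attributes) for a MAC-as-credentials request."""
    mac = normalize_mac(username)
    if mac is None:
        return ("reject", {})      # truncated, padded or non-hex username
    if normalize_mac(password) != mac:
        return ("reject", {})      # switch sends the same MAC in both fields
    # Anchor the match at the start: a substring test would also accept a
    # MAC that merely contains the bytes 00 E0 BB somewhere in the middle.
    if not mac.startswith(PHONE_OUI):
        return ("reject", {})
    # A prefix match proves nothing about the device (MACs can be faked),
    # so the only thing it ever grants is the isolated phone VLAN.
    return ("accept", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-Id": PHONE_VLAN,
    })


if __name__ == "__main__":
    # Constructed sample requests: (username, password)
    for user, pw in [("00-E0-BB-12-34-56", "00-E0-BB-12-34-56"),
                     ("AA-00-E0-BB-12-34", "AA-00-E0-BB-12-34"),
                     ("00-E0-BB", "00-E0-BB")]:
        print(user, authorize(user, pw))
```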