RE: EAP-TLS and MAC Authentication

2010-05-17 Thread John McDonnell
> > how would that have worked anyway - you need the key exchange and
> > the right type of EAP for WPA and wireless
> >
> > alan
> 
> The only way I can think of it working was if using Cisco's local MAC
> list on the AP itself. I tried testing briefly with EAP and MAC set
> FR only. In about a minute or so, I received about 2K EAP requests
> all returning Access-Reject. If I get a few spare moments to test,
> I'll try adding my MAC to the local list and tell the AP to use the
> local list for MAC and FR for EAP. I have a feeling this might work,
> but I am certainly not going back to maintaining MAC lists on all of
> our APs (both because I'd have to modify the APs again to have enough
> storage space to hold the MAC list and because it's a pain to keep
> that many lists in sync) and I think using a check in FR is a much
> cleaner solution in many ways.
> 
> --
> John McDonnell
> Penn Cambria School District
> mcdon...@pcam.org
> O< ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org

Yes, when checking the MAC against the local list, it works. It checks the
MAC against the local list before attempting to forward any packets to FR
for EAP. When using a lightweight AP instead of an autonomous AP, I
suppose this list is kept on the controller and distributed to the APs.
This is the only way that seems like it would be of any use.

-- 
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O< ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: EAP-TLS and MAC Authentication

2010-05-17 Thread John McDonnell
> Hi,
> > I've been told that Cisco APs won't do WPA with MAC auth in recent
> versions of IOS.
> 
> how would that have worked anyway - you need the key exchange and the
> right type of EAP for WPA and wireless
> 
> alan

The only way I can think of it working was if using Cisco's local MAC list
on the AP itself. I tried testing briefly with EAP and MAC set FR only. In
about a minute or so, I received about 2K EAP requests all returning
Access-Reject. If I get a few spare moments to test, I'll try adding my
MAC to the local list and tell the AP to use the local list for MAC and FR
for EAP. I have a feeling this might work, but I am certainly not going
back to maintaining MAC lists on all of our APs (both because I'd have to
modify the APs again to have enough storage space to hold the MAC list and
because it's a pain to keep that many lists in sync) and I think using a
check in FR is a much cleaner solution in many ways.

-- 
John McDonnell
Penn Cambria School District
mcdon...@pcam.org
O< ASCII Ribbon Campaign - Stop HTML e-mail! - www.asciiribbon.org



Re: EAP-TLS and MAC Authentication

2010-05-17 Thread Alan Buxey
Hi,
> I've been told that Cisco APs won't do WPA with MAC auth in recent versions 
> of IOS.

how would that have worked anyway - you need the key exchange and the right type
of EAP for WPA and wireless

alan


Re: EAP-TLS and MAC Authentication

2010-05-17 Thread John Doppke
I've been told that Cisco APs won't do WPA with MAC auth in recent versions of 
IOS.

-John



Re: EAP-TLS and MAC Authentication

2010-05-16 Thread Alan DeKok
John McDonnell wrote:
> I don't know if you have any experience with the 1100 series access points 
> from Cisco, but they have a setting called EAP and MAC authentication. I'm 
> not sure how it is implemented, but I would imagine I should just set it 
> to do EAP and have FR itself do the MAC check as part of the 
> authorization?

  Yes.  Having AP's implement policies is a recipe for disaster.

> We're not really tracking MACs per se right now, we only require the MAC 
> to be a valid MAC. We don't check for duplicates. Combined with using WEP, 
> it currently makes for a very insecure network, hence why I want to switch 
> to using certificates. I've learned a lot about how RADIUS, and FR in 
> particular, works in the past year, but I still have a lot to learn. I 
> understand a new book on FR has been in the works, which would be a great 
> help I'm sure. In the meantime, I try to keep track of the users list and 
> do some reading (a lot of it outdated) on the web.

  I'm trying to find time to finish the book.  :(

> I suppose doing the MAC authentication wouldn't really add much overhead 
> at all if done by the FR server itself and not separate calls from the AP, 
> so I will look into how to do this. Any pointers or hints would be greatly 
> appreciated.

  raddb/modules/mac*

  They're not examples for RADIUS, but the principles should be the same.

  Alan DeKok.


RE: EAP-TLS and MAC Authentication

2010-05-16 Thread John McDonnell
> -Original Message-
> John McDonnell wrote:
> > I'm not doing any dynamic VLAN assignments over the wireless so I
> really don't see any need for MAC authentication and just see it as
> unneeded overhead. Is there any reason why I'm wrong with this
> assumption?
>
>   It never hurts.  You can do *both* EAP && MAC auth at the same
> time.

I don't know if you have any experience with the 1100 series access points 
from Cisco, but they have a setting called EAP and MAC authentication. I'm 
not sure how it is implemented, but I would imagine I should just set it 
to do EAP and have FR itself do the MAC check as part of the 
authorization?

> It stops people who share their passwords.  If you do login
> tracking, you can see if two MACs have logged in at the same time,
> too.

This was why I was originally going to enable both EAP and MAC but then 
wondered if it would just be overhead since I plan on going the 
certificate route. Right now, the only laptops we want to allow on the 
wireless network are the ones that we received from the Classrooms for the 
Future (CFF) grant. This summer I will be touching each of these computers 
(I'll be imaging all of the student laptops and updating the teacher ones 
individually) and will install the certificates during the procedure.

>   This stops a large percentage of bad behavior.
>
>   If you're *not* tracking MACs right now, you have no idea who's
> on your network.
>
>   Alan DeKok.

We're not really tracking MACs per se right now, we only require the MAC 
to be a valid MAC. We don't check for duplicates. Combined with using WEP, 
it currently makes for a very insecure network, hence why I want to switch 
to using certificates. I've learned a lot about how RADIUS, and FR in 
particular, works in the past year, but I still have a lot to learn. I 
understand a new book on FR has been in the works, which would be a great 
help I'm sure. In the meantime, I try to keep track of the users list and 
do some reading (a lot of it outdated) on the web.

The goal of my updates to the wireless network over the summer is to make 
the network more secure without our users actually having to do anything 
different. Whether that's installing certificates or using PEAP with the 
username/password saved on the laptop, we don't currently want to make 
things more difficult for the teachers/students. Hopefully one of the 
updates my boss will be doing over the summer will be to get LDAP working 
properly at which point switching to TTLS or PEAP will become much more 
attractive than they currently are.

I suppose doing the MAC authentication wouldn't really add much overhead 
at all if done by the FR server itself and not separate calls from the AP, 
so I will look into how to do this. Any pointers or hints would be greatly 
appreciated.

-- 
John McDonnell
Penn Cambria School District
mcdon...@pcam.org



Re: EAP-TLS and MAC Authentication

2010-05-15 Thread Alan DeKok
John McDonnell wrote:
> I'm not doing any dynamic VLAN assignments over the wireless so I really 
> don't see any need for MAC authentication and just see it as unneeded 
> overhead. Is there any reason why I'm wrong with this assumption?

  It never hurts.  You can do *both* EAP && MAC auth at the same time.
It stops people who share their passwords.  If you do login tracking,
you can see if two MACs have logged in at the same time, too.

  This stops a large percentage of bad behavior.

  If you're *not* tracking MACs right now, you have no idea who's on
your network.

  Alan DeKok.
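The two ideas Alan raises in this thread, a MAC check done in the RADIUS server's authorization step rather than on the AP (John's question of 2010-05-16) and login tracking that spots two MACs using one account at the same time (this message), as an added Python example; it is not from the thread or from FreeRADIUS, and the MAC formats, user names, allow list and accounting records are all constructed.

```python
import re
from collections import defaultdict

def normalize_mac(raw):
    """Canonicalise a Calling-Station-Id (00:11:22:33:44:55, 0011.2233.4455,
    00-11-22-33-44-55 ...) to lower-case aa-bb-cc-dd-ee-ff so list lookups
    don't depend on how the NAS vendor formats the attribute."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed allow list standing in for a users-style MAC file on the server.
ALLOWED_MACS = {normalize_mac(m) for m in ("00:11:22:33:44:55", "0011.2233.4466")}

def mac_authorized(calling_station_id, allow_list=ALLOWED_MACS):
    """Authorization-phase gate: unknown or malformed MACs are rejected.
    EAP-TLS still has to succeed afterwards; this adds a check, it replaces nothing."""
    try:
        return normalize_mac(calling_station_id) in allow_list
    except ValueError:
        return False

# Constructed accounting records: (timestamp, User-Name, Calling-Station-Id, Acct-Status-Type)
ACCOUNTING = [
    (100, "jdoe", "00:11:22:33:44:55", "Start"),
    (160, "jdoe", "0011.2233.4466", "Start"),      # second device while the first is still on
    (200, "jdoe", "00:11:22:33:44:55", "Stop"),
    (300, "asmith", "00-11-22-33-44-77", "Start"),
    (400, "asmith", "00-11-22-33-44-77", "Stop"),
    (410, "asmith", "00-11-22-33-44-88", "Start"),  # new device, but sequential: not flagged
]

def concurrent_macs(records):
    """Login tracking: return {user: set of MACs} for every user who had sessions
    from two different MACs open at the same time (shared password or certificate)."""
    active = defaultdict(dict)    # user -> {mac: start timestamp}
    flagged = defaultdict(set)
    for ts, user, raw_mac, status in sorted(records):
        mac = normalize_mac(raw_mac)
        if status == "Start":
            others = set(active[user]) - {mac}
            if others:
                flagged[user].update(others | {mac})
            active[user][mac] = ts
        elif status == "Stop":
            active[user].pop(mac, None)
    return dict(flagged)
```

Running `concurrent_macs(ACCOUNTING)` flags only jdoe, whose second device started while the first session was still open; asmith's device change happens after a Stop and is not reported.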