I will offer the caution that in a captive portal, in regard to accountability,
MAC harvesting is an all-or-nothing proposition. You will be surprised how
often computers are loaned and authenticated using different accounts. If you
harvest for one population, that population will eventually borrow,
significantly, computers owned by neighbor populations. This is not to imply
that it is a bad idea, just that there is overlap that you should be aware of.
Randy

________________________________

From: The EDUCAUSE Wireless Issues Constituent Group Listserv on behalf of Ryan 
Lininger
Sent: Tue 7/1/2008 10:34 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Using MAC Authentication



We have been considering something similar.  Our thought was to use MAC
authentication via RADIUS to our wired NAC system.  The idea being that
if they registered their system then the MAC would be in the database
and they wouldn't get the captive portal at login.  (Before I get
flamed, our NAC registers all NICs, wired and wireless, at the time of
registration.)  This is just a theory here at the moment so I can't
speak to the effectiveness, usage, etc. but I like the idea.

The main concern I have related to MAC authentication, however, is MAC
spoofing.  It is very easy to spoof a wireless MAC address so if that is
your form of authentication then it is very easy to bypass your
authentication.

Ryan Lininger
Network Systems Engineer
Denison University
p 740.587.6229
f 740.587.5722
[EMAIL PROTECTED]



Michael Dickson wrote:
> We are considering using MAC authentication to allow users to bypass
> the captive portal web login page to access our wireless network. This
> is considered sort of a stop-gap measure until 802.1x is fully
> implemented.
>
> Is anyone maintaining (by harvesting or user-initiated manual entry) a
> MAC auth table after initial captive portal login so that users can
> bypass the web login page every time they connect?
>
> We are considering a manual opt-in process instead of an auto-harvest
> and we would not harvest MAC addresses of folks with guest accounts.
>
> Is this generally a good idea? What is the downside of not making
> users sign in every session?
>
> As an aside, we are considering extending the DHCP lease times and the
> reauth intervals so that users don't have to log in again if they walk
> to class from their dorms, etc.
>
> We are an Aruba shop. We currently have an open SSID, no encryption,
> with captive portal as the only point of authentication. 802.1x
> rollout expected soon.
>
> As always, thanks for the help!
>
> Mike
>
> ***************************************************************
> Michael Dickson                     Phone: 413-545-9639
> Network Analyst                     [EMAIL PROTECTED]
> University of Massachusetts
> Network Systems and Services
> ***************************************************************
>
> **********
> Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/groups/.
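
An added example, not part of any message in this thread: one way to build the MAC bypass table discussed above from captive portal login records, applying the opt-in and no-guest rules from the original question and refusing any MAC seen under more than one account, which is the overlap Randy cautions about. The log format, function names and sample records are all constructed for illustration.

```python
from collections import defaultdict

# Constructed captive-portal login records: (timestamp, MAC, account, account type).
SAMPLE_LOGINS = [
    ("2008-06-30T09:02", "00:1B:63:AA:10:01", "alice",   "student"),
    ("2008-06-30T13:40", "00:1b:63:aa:10:01", "alice",   "student"),
    ("2008-06-30T10:15", "00-16-CB-BB-20-02", "bob",     "student"),
    ("2008-07-01T08:55", "00:16:cb:bb:20:02", "carol",   "staff"),   # loaned laptop
    ("2008-07-01T09:30", "00:19:E3:CC:30:03", "guest17", "guest"),
    ("2008-07-01T11:05", "0019.e3dd.4004",    "dave",    "staff"),
]

def normalize_mac(mac):
    """Reduce colon, dash and dotted notations to aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_bypass_table(logins, opted_in):
    """Return (bypass, rejected): MAC -> account, and MAC -> reason refused."""
    accounts = defaultdict(set)   # every account ever seen on a MAC
    types = defaultdict(set)      # every account type ever seen on a MAC
    for _ts, mac, account, acct_type in logins:
        mac = normalize_mac(mac)
        accounts[mac].add(account)
        types[mac].add(acct_type)

    bypass, rejected = {}, {}
    for mac, users in accounts.items():
        if "guest" in types[mac]:
            rejected[mac] = "guest account"
        elif len(users) > 1:
            # The MAC no longer identifies one person, so a bypass entry
            # would attribute traffic to the wrong account.
            rejected[mac] = "shared by " + ", ".join(sorted(users))
        elif not users <= opted_in:
            rejected[mac] = "owner has not opted in"
        else:
            bypass[mac] = next(iter(users))
    return bypass, rejected

if __name__ == "__main__":
    ok, refused = build_bypass_table(SAMPLE_LOGINS, opted_in={"alice", "bob", "carol"})
    for mac, user in sorted(ok.items()):
        print("bypass  ", mac, user)
    for mac, why in sorted(refused.items()):
        print("rejected", mac, why)
```

Every row that lands in `bypass` still trusts the MAC address alone, so the spoofing concern raised in the thread applies to each of them.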
