I'm slightly curious here. What happens when Script Kiddie then spoofs an appropriate MAC address? You have other mitigating measures in place?

Sent from my iPhone

On 22 Oct 2008, at 12:12, Arran Cudbard-Bell <[EMAIL PROTECTED] > wrote:


Hi,

The scheme used almost universally for MAC-based authentication is
User-Name == Calling-Station-ID; unfortunately the format of the two MAC
addresses often differs.

Here are the examples from our configuration to perform mac-based
authorisation.
---
authorize {

# Rewrite the Calling-Station-Id attribute into a standard format
# (12 hex digits, separators removed).
if("%{Calling-Station-Id}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
       update request {
               Calling-Station-Id := "%{1}%{2}%{3}%{4}%{5}%{6}"
       }
}

# Rewrite User-Name the same way so the two values can be compared.
if("%{User-Name}" =~ /^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:]?([0-9a-f]{2})/i){
       update request {
               User-Name := "%{1}%{2}%{3}%{4}%{5}%{6}"
       }
}


if("%{User-Name}" =~ /^%{Calling-Station-Id}$/i){
   update control {
       Autz-Type = 'mac-based'
   }
}


# Authorisation based on mac address
Autz-Type mac-based  {
   # This is where you do your authorisation checks
   update control {
       Auth-Type := 'Accept'
   }
}

}

---

No you don't need passwords, you force the server to send an
Access-Accept or Access-Reject packet based on your authorisation
policies for certain Mac-Addresses.


Thanks,
Arran


--
Arran Cudbard-Bell ([EMAIL PROTECTED]),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
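
The policy quoted above, modelled in Python as an added example (not part of the original thread and not FreeRADIUS code). The function names, the allow-list standing in for "your authorisation checks", and the sample requests are assumptions; the sketch also goes slightly beyond the quoted regex by accepting the dotted `aabb.ccdd.eeff` form and anchoring the end of the match.

```python
import re

# Same shape as the thread's unlang regex: six hex pairs, optional '-' or ':'
# between them. The optional '.' (dotted aabb.ccdd.eeff form) and the end
# anchor are additions made for this example.
_MAC_RE = re.compile(r"^" + r"[-:.]?".join([r"([0-9a-f]{2})"] * 6) + r"$", re.I)


def normalise_mac(value):
    """Return 12 lower-case hex digits, or None if value is not a MAC."""
    m = _MAC_RE.match(value.strip())
    return "".join(m.groups()).lower() if m else None


def authorise(request, allowed_macs):
    """Mirror the policy: normalise both attributes, require them to match,
    then apply the authorisation check the config leaves as a placeholder."""
    user = normalise_mac(request.get("User-Name", ""))
    station = normalise_mac(request.get("Calling-Station-Id", ""))
    if user is None or station is None or user != station:
        return "not-mac-based"  # request is left to other methods
    # Hypothetical allow-list standing in for "your authorisation checks".
    return "Access-Accept" if station in allowed_macs else "Access-Reject"


# Constructed sample data (not from the thread).
ALLOWED = {"001122aabbcc"}
SAMPLES = [
    {"User-Name": "001122aabbcc", "Calling-Station-Id": "00-11-22-AA-BB-CC"},
    {"User-Name": "00:11:22:aa:bb:cc", "Calling-Station-Id": "0011.22aa.bbcc"},
    {"User-Name": "deadbeef0001", "Calling-Station-Id": "DE:AD:BE:EF:00:01"},
    {"User-Name": "alice", "Calling-Station-Id": "00-11-22-AA-BB-CC"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req["Calling-Station-Id"], "->", authorise(req, ALLOWED))
```

The decision depends only on the two address strings carried in the request, which is the property the spoofing question at the top of the thread is asking about.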