On 21/12/2009 09:15, Alan Buxey wrote:
> Hi,
>
>>> yep - but a user could just as easily log in with the user-name of
>>> 00:11:22:33:44:55 ;-)
>>>
>> Not when you say !EAP-Message too :)
>>
> ...and how does that stop, let's just say for example, some user coming
> along with 802.1X configured on their wired interface and logging in
> with 00:11:22:33:44:55 as their user-name with EAP-MD5 ? ;-)
>

Last time I checked EAP-MD5-Response was still carried in the EAP-Message attribute, and the documentation in the wiki suggests that the username and Calling-Station-ID are canonicalized and compared before attempting Mac-Auth, so you need to fake the mac-address in your EAPOL frames too.

>> Although it does nothing about the legacy guff, it stops new guff
>> connecting.
>>
> that's true in so much that it controls those things...but lets more evil
> people on due to it being a nice new hole. oh well.
>

Well no. You need to know the Mac-Address of a target machine before you can connect to the network/VLAN. In order to find out the Mac-Address you need to physically locate yourself at a terminal; if you can physically locate yourself at a terminal, you generally have access to the network connection of the terminal anyway.

The only thing it lets you do which you could do before, is to do your cracking in a cafe instead of in a cluster room :). The real danger is someone gaining access to the uplink from one of your switches... which is why 802.1X-REV/Mac-Sec is so frickin awesome!

-Arran
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
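A worked model of the check Arran refers to above: the Mac-Auth shortcut is only considered when no EAP-Message attribute is present, and then only when the canonicalised User-Name equals the canonicalised Calling-Station-Id and that MAC is on the list of known devices. This is an added example, not code from the thread or from FreeRADIUS; the attribute names are the standard RADIUS ones, but modelling the request as a dict, the decision strings, the accepted MAC spellings and the known-MAC list are assumptions made for illustration.

```python
"""Toy model of the Mac-Auth policy discussed in the thread (added example).

Assumed, not taken from FreeRADIUS: the request is a plain dict keyed by
RADIUS attribute name, the decision strings are ours, and KNOWN_MACS is a
constructed stand-in for whatever users file / SQL table holds the legacy
device list.
"""
import re
from typing import Mapping, Optional, Set

# Six hex pairs, optionally separated by ':', '.' or '-'. This covers
# 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and 001122334455
# in either case; separators are only tolerated on pair boundaries.
_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:.-]?([0-9a-f]{2})[:.-]?([0-9a-f]{2})[:.-]?"
    r"([0-9a-f]{2})[:.-]?([0-9a-f]{2})[:.-]?([0-9a-f]{2})$",
    re.IGNORECASE,
)

# Constructed list of devices that are allowed to skip 802.1X.
KNOWN_MACS: Set[str] = {
    "00:11:22:33:44:55",
    "de:ad:be:ef:ca:fe",
}


def canonical_mac(value: str) -> Optional[str]:
    """Return the MAC as lower-case colon-separated pairs, or None if the
    string is not MAC-shaped (e.g. an ordinary username like 'alice')."""
    m = _MAC_RE.match(value.strip())
    if m is None:
        return None
    return ":".join(group.lower() for group in m.groups())


def mac_auth(request: Mapping[str, str], known_macs: Set[str] = KNOWN_MACS) -> str:
    """Decide one Access-Request: 'noop', 'accept' or 'reject'.

    'noop' means "not a Mac-Auth request, let the EAP module handle it";
    a user who types a MAC as their 802.1X username still has to pass EAP.
    """
    if "EAP-Message" in request:
        return "noop"

    user = canonical_mac(request.get("User-Name", ""))
    csid = canonical_mac(request.get("Calling-Station-Id", ""))
    if user is None or csid is None:
        return "reject"          # username is not a MAC, or NAS sent no station id
    if user != csid:
        return "reject"          # claimed MAC differs from the frame's source MAC
    if user not in known_macs:
        return "reject"          # MAC is consistent but not a known device
    return "accept"


if __name__ == "__main__":
    # Constructed sample requests, one per branch of the policy.
    samples = {
        "legacy printer, consistent MAC": {
            "User-Name": "00-11-22-33-44-55",
            "Calling-Station-Id": "0011.2233.4455",
        },
        "typed someone else's MAC as username": {
            "User-Name": "00:11:22:33:44:55",
            "Calling-Station-Id": "66:77:88:99:aa:bb",
        },
        "802.1X user with a MAC-looking username": {
            "User-Name": "00:11:22:33:44:55",
            "Calling-Station-Id": "00:11:22:33:44:55",
            "EAP-Message": "\x02\x01\x00\x06\x04",  # constructed, not a real frame
        },
        "ordinary username without EAP": {
            "User-Name": "alice",
            "Calling-Station-Id": "aa:bb:cc:dd:ee:ff",
        },
    }
    for label, req in samples.items():
        print(f"{label:45s} -> {mac_auth(req)}")
```

The decisive branch is the `EAP-Message` check: because the EAP-MD5 response still travels inside that attribute, an EAP request never reaches the MAC comparison at all, so impersonating a device by username alone requires also spoofing its MAC in the EAPOL frames, as the message above says.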

