Yes, EAP-TLS, EAP-TTLS and PEAPv0/EAP-MSCHAPv2 are the common three EAP methods deployed, with TEAP becoming more popular.

Great care should be taken when using a legacy method like PEAPv0 with user credentials. Ensure the device is under management and the user cannot modify the supplicant configuration (same with EAP-TTLS/PAP or EAP-TTLS/MSCHAPv2). Ideally these devices should just use what the rest of your students, faculty and staff are using.

tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Nadim El-Khoury <[email protected]>
Sent: Friday, August 28, 2020 10:35
To: [email protected] <[email protected]>
Subject: Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius

Hi Tim,

Thank you for the information and advice. Maybe use EAP-TLS or PEAP with EAP-TLS as the inner authentication method. Do you think that would work? Has anyone done that with Freeradius and eduroam?

Best,
Nadim

On Fri, Aug 28, 2020 at 9:57 AM Tim Cappalli <[email protected]> wrote:

eduroam is an 802.1X network. You need to use an EAP-based authentication method. MAC address can only be used as authorization context (but really shouldn't be).

Tim

________________________________
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> on behalf of Nadim El-Khoury <[email protected]>
Sent: Friday, August 28, 2020 9:52:08 AM
To: [email protected] <[email protected]>
Subject: Re: [WIRELESS-LAN] MAC authentication bypass on Freeradius

Hi Norman,

Let me better explain what we are trying to do. We used to have an open hidden SSID using a WEP key to connect loaner laptops (Windows, Macs), iPads, and Chromebooks. We upgraded our wireless network to MIST and we decided to only advertise eduroam. We want to connect the above devices to eduroam using MAC address authentication, and it is not working.

Best,
Nadim

On Thu, Aug 27, 2020 at 9:38 PM Norman Elton <[email protected]> wrote:

Do you mean authenticate non-802.1x clients based on MAC address? Yes. It works fine.

We have an Open Access SSID, with "MAC address authentication by RADIUS lookup". We provide our RADIUS server IP & secret. Our FreeRADIUS server takes the request and responds with an Accept/Reject, and the following attributes:

    Tunnel-Type = "GRE"
    Tunnel-Medium-Type = "IP"
    Tunnel-Private-Group-ID = <vlan-id>

I don't remember any specific challenges, but if you can post what's not working, I'm happy to help. And/or jump on a call and compare experience with Mist.

Norman

On Thu, Aug 27, 2020 at 4:14 PM Nadim El-Khoury <[email protected]> wrote:
>
> Hi Everyone,
>
> Has anyone been able to get MAC authentication bypass to work properly with
> FreeRadius and MIST Wireless?
>
> Best,
>
> Nadim
>
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire community
> list. If you want to reply only to the person who sent the message, copy and
> paste their email address and forward the email reply. Additional
> participation and subscription information can be found at
> https://www.educause.edu/community
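The split discussed in the thread (EAP required on eduroam, MAC lookup only on a separate open SSID) can be modelled as a RADIUS-side decision function. This is an added example, not code from any poster or from FreeRADIUS; the SSID name `open-access`, the allow-list contents, and the RFC 3580 style `Called-Station-Id` format (`<AP-MAC>:<SSID>`) are assumptions, while the reply attributes are the ones Norman lists.

```python
import re

# Constructed sample data, not taken from the thread.
AUTHORIZED_MACS = {"001122334455": "120", "a4b1c1000001": "130"}  # MAC -> VLAN id
DOT1X_SSIDS = {"eduroam"}      # 802.1X networks: EAP is mandatory
MAB_SSIDS = {"open-access"}    # hypothetical open SSID using MAC lookup


def normalize_mac(value):
    """Strip -, : and . separators; return 12 lowercase hex digits or None."""
    digits = re.sub(r"[-:.]", "", value or "")
    return digits.lower() if re.fullmatch(r"[0-9A-Fa-f]{12}", digits) else None


def ssid_of(called_station_id):
    """Assumes '<AP-MAC>:<SSID>' (RFC 3580 style); returns the SSID or None."""
    _, sep, ssid = (called_station_id or "").rpartition(":")
    return ssid if sep else None


def decide(request):
    """Return (verdict, reply_attributes) for a dict of request attributes."""
    ssid = ssid_of(request.get("Called-Station-Id"))
    has_eap = "EAP-Message" in request
    if ssid in DOT1X_SSIDS:
        # An 802.1X SSID never falls back to a MAC lookup.
        return ("handoff-to-eap", {}) if has_eap else ("reject", {})
    if ssid in MAB_SSIDS and not has_eap:
        vlan = AUTHORIZED_MACS.get(normalize_mac(request.get("Calling-Station-Id")))
        if vlan is None:
            return ("reject", {})
        return ("accept", {
            "Tunnel-Type": "GRE",
            "Tunnel-Medium-Type": "IP",
            "Tunnel-Private-Group-ID": vlan,
        })
    return ("reject", {})  # unknown SSID, or EAP sent to the MAC-lookup SSID


# Constructed requests: the same loaner device seen on both SSIDs.
ON_OPEN = {"Calling-Station-Id": "00-11-22-33-44-55",
           "Called-Station-Id": "AA-BB-CC-00-00-01:open-access"}
ON_EDUROAM_NO_EAP = dict(ON_OPEN, **{"Called-Station-Id": "AA-BB-CC-00-00-01:eduroam"})

if __name__ == "__main__":
    print(decide(ON_OPEN))
    print(decide(ON_EDUROAM_NO_EAP))
```

The MAC normalisation matters in practice because the same address can arrive hyphenated, colon-separated or dotted depending on the access point, and an allow-list keyed on one notation silently rejects the others.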
