RADIUS auth by Mac address

[ron.peterson at yellowbank.com (ron.peterson at yellowbank.com)]

On Wed, Oct 08, 2003 at 01:56:50AM +0000, dsr at tao.merseine.nu wrote:
> On Tue, Oct 07, 2003 at 09:09:46PM -0400, ron.peterson at yellowbank.com wrote:
> > On Tue, Oct 07, 2003 at 05:16:31PM -0400, josephc at etards.net wrote:
> > 
> > > Does anyone have any experience or docs in setting up a RADIUS server to 
> > > authenticate a host by it's MAC address?
> > 
> > Yes.  I've included a portion of the users file for cistron radius.
> > This configuration supports MAC based authentication for Lucent wireless
> > access points.  Maybe others, but that's what I've tested.  (Or is it
> > Orinoco?  Or Agere?  Or Proxim?  Or Higgedly Piggedly?  I forget.)
> 
> So, I'm wondering why you would do this. I regard access points as
> insecure pieces of infrastructure, subject to frequent failure and
> replacement. Since all encryption has to be done through to the client
> anyway, why do [easily spoofable] [unnecessary] auth of the hardware
> itself?
> 
> (One answer just occurred to me. Are you doing a single-sign-on for
> admin rights to the boxes? But it would be better to maintain a single
> logon for the box and only manage through scripts or SNMP...)

It's not Fort Knox security, but it can prevent casual
(intentional/inadvertant) use of public access points by non-campus
people.  We know everyone's mac address because we have a netreg-like
setup.

-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ---- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.blu.org/pipermail/discuss/attachments/20031007/ff7421b6/attachment.sig>