
When running RADIUS via WPA2 Enterprise and 802.1X, clients wishing to access the network must provide valid credentials. However, this does not stop malicious clients forging valid clients' MAC addresses to gain access to MAC-authenticated services running on the network. Does the RADIUS protocol prevent this from occurring, so that a client with a particular MAC is guaranteed to have that unique MAC on the network while they remain connected?

MDMoore313
Robin McCorkell

1 Answer


...this does not stop malicious clients forging valid clients' MAC addresses...

No, it doesn't, and it's not intended to. The purpose of RADIUS is to authenticate valid users/services; RADIUS runs in the Application Layer. MAC whitelisting is effectively bypassing this and, yes, creating a loophole that will allow someone to access those resources. It would be best to turn off MAC authentication altogether if you're worried about this.

Also, nothing 'guarantees' that a node will have a unique MAC or IP while they're on the network. Yes, by design all nodes are given a unique IP from the factory, and if you're using a DHCP server it 'shouldn't' give out an already leased address, but packets can be crafted by people in black hooded sweaters wearing Guy Fawkes masks to make the packet look like it came from a certain MAC or IP.

That's not to say your network can't be configured to spot a single MAC address coming in on multiple ports, but that is partly beyond my expertise and may be beyond the scope of this question.

  • Could you offer an alternative to MAC-based authentication then? The service needs to know the RADIUS user associated with any traffic coming from a particular device. – Robin McCorkell Jun 11 '14 at 14:06
  • Not really, you can use user name and password authentication, or certificate based authentication with RADIUS. – MDMoore313 Jun 11 '14 at 14:12
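The answer's closing remark, that a network can at least be configured to spot one MAC address turning up in more than one place, is the detection side of this problem. The following is an added example (not from the question, the answer, or any RADIUS server's own code) that replays RADIUS accounting records and flags a Calling-Station-Id that is already active on a different NAS/port or under a different User-Name. The log format is a constructed, hypothetical one-line key=value layout, not any vendor's real accounting detail file; the attribute names (Acct-Status-Type, Acct-Session-Id, User-Name, Calling-Station-Id, NAS-IP-Address, NAS-Port-Id) are standard RADIUS accounting attributes. It also normalizes the several MAC spellings that different NAS vendors put into Calling-Station-Id, since a naive string comparison would miss a duplicate written as aa-bb-cc-11-22-33 on one NAS and aabb.cc11.2233 on another.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample accounting records (hypothetical key=value layout, assumed
# for this example). Session 0003 reuses alice's MAC from a different NAS and
# port, under a different user, while alice's session 0001 is still active.
SAMPLE_LOG = """\
ts=2014-06-11T14:00:00 Acct-Status-Type=Start Acct-Session-Id=0001 User-Name=alice Calling-Station-Id=AA-BB-CC-11-22-33 NAS-IP-Address=10.0.0.1 NAS-Port-Id=eth1/1
ts=2014-06-11T14:01:00 Acct-Status-Type=Start Acct-Session-Id=0002 User-Name=bob Calling-Station-Id=aa:bb:cc:44:55:66 NAS-IP-Address=10.0.0.1 NAS-Port-Id=eth1/2
ts=2014-06-11T14:05:00 Acct-Status-Type=Start Acct-Session-Id=0003 User-Name=mallory Calling-Station-Id=aabb.cc11.2233 NAS-IP-Address=10.0.0.2 NAS-Port-Id=eth1/7
ts=2014-06-11T14:10:00 Acct-Status-Type=Stop Acct-Session-Id=0002 User-Name=bob Calling-Station-Id=aa:bb:cc:44:55:66 NAS-IP-Address=10.0.0.1 NAS-Port-Id=eth1/2
"""


def normalize_mac(raw: str) -> str:
    """Canonicalize the MAC spellings seen in Calling-Station-Id
    (AA-BB-CC-11-22-33, aa:bb:cc:11:22:33, aabb.cc11.2233) to lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value ...' accounting line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def find_mac_conflicts(log_text: str) -> List[Dict[str, object]]:
    """Replay Start/Stop records in order and report every Start whose MAC is
    already active with a different (user, NAS, port) binding."""
    # mac -> {session_id: (user, nas_ip, nas_port)} for sessions not yet stopped
    active: Dict[str, Dict[str, Tuple[str, str, str]]] = {}
    conflicts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        mac = normalize_mac(rec["Calling-Station-Id"])
        sid = rec["Acct-Session-Id"]
        status = rec["Acct-Status-Type"]
        if status == "Stop":
            active.get(mac, {}).pop(sid, None)
            continue
        if status != "Start":
            continue  # Interim-Update etc. add no new binding
        binding = (rec["User-Name"], rec["NAS-IP-Address"], rec["NAS-Port-Id"])
        sessions = active.setdefault(mac, {})
        # A reconnect by the same user on the same port is not a conflict.
        clashing = {s: b for s, b in sessions.items() if b != binding}
        if clashing:
            conflicts.append({
                "timestamp": rec["ts"],
                "mac": mac,
                "users": sorted({binding[0]} | {b[0] for b in clashing.values()}),
                "locations": sorted({binding[1:]} | {b[1:] for b in clashing.values()}),
            })
        sessions[sid] = binding
    return conflicts


if __name__ == "__main__":
    for c in find_mac_conflicts(SAMPLE_LOG):
        print(f"{c['timestamp']} MAC {c['mac']} active as {c['users']} at {c['locations']}")
```

Note the limit the answer already implies: this only catches a duplicated MAC while the legitimate device's session is still open, and it says nothing about who actually sent a given frame. It narrows the window for MAC-based service authorization but does not replace per-user credentials or certificates at the RADIUS layer.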