
EAP packets generated for plain MAC-based authentication

January 2

I wanted to implement trivial MAC-based authentication on some Cisco SG300 (small-business) switches. The client doesn't ask for auth but I simply want the client's MAC address to be authenticated, like for a printer.

Those switches can do both 802.1x as well as MAC-based auth. However their definition/implementation of the latter seems interesting. Read ahead.

First, in the case of MAC-based auth, as usual the switch assumes the role of the supplicant. However these ones still send EAP packets inside the RADIUS request, instead of a plain RADIUS request, to the authentication/RADIUS server. The manual gives this hint:

MAC-based authentication is an alternative to 802.1X authentication that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access.

In this case, the switch supports EAP MD5 functionality with the username and password equal to the client MAC address

Now all the other gear we have doesn't do that when you want to use plain MAC-based auth. Even Cisco themselves don't do that on their IOS devices (where the feature is called "MAC-auth bypass").

Second, these switches (SG series) can do dynamic VLAN assignment, meaning you return a certain RADIUS attribute with a VLAN embedded in it, and then the switch will apply that VLAN on the port if possible.

Now in this case, this attribute is silently ignored, if it is not nicely provided in an EAP "envelope". This is where it all comes together and breaks our current setup (or it needs to be modified.)

I could of course try to configure the RADIUS server (here freeradius) to handle both situations (EAP as well as plain RADIUS), but what I mainly want to know from someone who has already gone through all this is: Is a "MAC authentication" that still generates EAP packets a valid approach?

Now what I would want to do is: Nail Cisco's support and tell them that either the device should do

  • EAP when 802.1x is requested
  • plain RADIUS when MAC-auth is requested (and not some kind of EAP nevertheless)

However I would need some strong rationale for that :)

I know this isn't some "I've tried this and that and how do I finally get it to work" question but rather the type "Why is it working like that? Is it correct of them to implement it this way? If yes, why; if no, why not?" (Maybe you have some RFC or the like in mind.) Hope that's ok.


what I mainly want to know from someone who has already gone through all this is: Is a "MAC authentication" that still generates EAP packets a valid approach?

Here's a freeradius-users thread which answers most of these questions.

The crux is:

  • Using EAP for MAC auth makes no real sense.
  • But it isn't bad either if it's at least correctly implemented.
  • Users on the freeradius list didn't think Cisco's SG series implements 802.1x EAP MAB correctly, since the EAP Service-Type is missing. As Nick Lowe mentioned, if the EAP Service-Type is missing, it becomes awkward, hackish and potentially unreliable to discriminate between the type of service being used by a client.
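The discrimination problem the answer describes, as an added example that is not from the thread or from freeradius: a small Python classifier that parses the attributes of a RADIUS Access-Request and decides whether it is 802.1X, plain MAC auth, or MAC auth wrapped in EAP. The attribute codes and Service-Type values are the standard RFC 2865/3579 ones; the three packets are constructed here, and the fallback used when Service-Type is absent is exactly the username-shape guess the answer calls hackish.

```python
import re
import struct

# RADIUS attribute codes and Service-Type values (RFC 2865, RFC 3579).
USER_NAME, SERVICE_TYPE, EAP_MESSAGE = 1, 6, 79
SVC_FRAMED, SVC_CALL_CHECK = 2, 10      # Framed: 802.1X; Call-Check: MAC auth
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.I)

def parse_attrs(packet):
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.setdefault(atype, []).append(packet[i + 2:i + alen])
        i += alen
    return attrs

def classify(packet):
    """Return 'dot1x', 'mac-auth-pap', 'mac-auth-eap', 'mac-auth-eap?' or 'unknown'."""
    attrs = parse_attrs(packet)
    has_eap = EAP_MESSAGE in attrs
    svc = None
    if SERVICE_TYPE in attrs:
        svc = struct.unpack("!I", attrs[SERVICE_TYPE][0])[0]
    if svc == SVC_CALL_CHECK:                 # the NAS says so: reliable
        return "mac-auth-eap" if has_eap else "mac-auth-pap"
    if svc == SVC_FRAMED and has_eap:
        return "dot1x"
    # No usable Service-Type: guess from the User-Name shape (the hack the answer warns about).
    user = attrs.get(USER_NAME, [b""])[0].decode("ascii", "replace")
    if has_eap and MAC_RE.match(user):
        return "mac-auth-eap?"                # a guess, not a statement by the switch
    return "dot1x" if has_eap else "unknown"

def build(attrs):
    """Constructed Access-Request (code 1, zeroed authenticator) for offline tests only."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 0, 20 + len(body)) + b"\x00" * 16 + body

MAC = b"00:11:22:33:44:55"   # constructed sample client MAC
# SG300 style as the question describes it: EAP-Response/Identity carrying the MAC, no Service-Type.
SG300_STYLE = build([(USER_NAME, MAC), (EAP_MESSAGE, b"\x02\x01\x00\x16\x01" + MAC)])
# Plain MAC auth: no EAP-Message, Service-Type=Call-Check tells the server what this is.
PLAIN_MAB = build([(USER_NAME, MAC), (SERVICE_TYPE, struct.pack("!I", SVC_CALL_CHECK))])
# Ordinary 802.1X: Service-Type=Framed plus an EAP-Response/Identity for a real user.
DOT1X = build([(USER_NAME, b"alice"), (SERVICE_TYPE, struct.pack("!I", SVC_FRAMED)),
               (EAP_MESSAGE, b"\x02\x01\x00\x0a\x01alice")])
```

Only the first two branches are decided by something the switch actually asserted; the SG300-style request lands in the guessing branch, which is why a server-side VLAN or policy decision keyed on it is fragile.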


Copyright (C) 2017 ceus-now.com, All Rights Reserved.