FreeRadius - MAC addresses treated as Users
-
Hi,
I am using the FreeRadius package to provide authentication for a WPA2 Enterprise SSID and also on a WPA2 Personal SSID to dynamically assign VLANs based on MAC addresses. The WPA2 Personal SSID is to provide connectivity for devices that do not support WPA2 Enterprise (with reduced access).
However, I notice when logging into the WPA2 Enterprise SSID, I can authenticate using a valid MAC address as the username and password, which obviously is a major security concern.
Is there a way to limit the inclusion of a file (i.e. users / macs) based on the NAS connection? The thought was to configure the APs (UniFi) to use different RADIUS NAS credentials for the different use cases and hopefully avoid the problem.
Many thanks.
-
@markds There is an option for a check item, but the NAS identifier will be the same, won't it?
I use the following that only allows andy-iphone to connect via IPsec VPN.
"andy-iphone" Cleartext-Password := "xxxxxxx", Simultaneous-Use := "1", Expiration := "Apr 11 2027", NAS-Identifier == strongSwan
	Framed-IP-Address = 172.16.8.1,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Route = "0.0.0.0/0 172.16.8.1 1"
Have a play and run radsniff -x from the console.
-
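An added example, not part of either post: a small audit that lists MAC-style usernames in a users file whose check items do not require a NAS match, which is the condition that lets a MAC address log in on the WPA2 Enterprise SSID. The sample entries, the "psk-ssid" identifier and the choice of NAS-Identifier / NAS-IP-Address as scoping attributes are assumptions for illustration.

```python
import re

# MAC-style usernames: 12 hex digits, optionally separated by ':' or '-'.
MAC_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$')
# Check items assumed to tie an entry to one NAS client.
NAS_ATTRS = ("NAS-Identifier", "NAS-IP-Address")

# Constructed sample users file (hypothetical entries, not from the thread).
SAMPLE = '''\
"andy-iphone" Cleartext-Password := "xxxxxxx", NAS-Identifier == strongSwan
\tFramed-IP-Address = 172.16.8.1

aabbccddeeff Cleartext-Password := "aabbccddeeff"
\tTunnel-Type = VLAN,
\tTunnel-Medium-Type = IEEE-802,
\tTunnel-Private-Group-Id = "30"

00-11-22-33-44-55 Cleartext-Password := "00-11-22-33-44-55", NAS-Identifier == "psk-ssid"
\tTunnel-Private-Group-Id = "30"

66:77:88:99:aa:bb Cleartext-Password := "66:77:88:99:aa:bb", NAS-Identifier := "psk-ssid"
'''

def parse_entries(text):
    """Yield (username, check_items) for each entry; indented lines are reply items."""
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            continue
        m = re.match(r'^("([^"]*)"|\S+)\s*(.*)$', line)
        name = m.group(2) if m.group(2) is not None else m.group(1)
        yield name, m.group(3)

def unscoped_mac_entries(text):
    """Return MAC-style usernames with no NAS comparison (== or =~) in the check items."""
    flagged = []
    for name, checks in parse_entries(text):
        if not MAC_RE.match(name):
            continue
        # ':=' assigns rather than compares, so it does not scope the entry.
        scoped = any(re.search(rf'\b{re.escape(a)}\s*(==|=~)', checks)
                     for a in NAS_ATTRS)
        if not scoped:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for user in unscoped_mac_entries(SAMPLE):
        print("MAC entry usable from any NAS:", user)
```
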
-
That's perfect... Will give it a try tonight. Thanks @NogBadTheBad