FreeRadius and Basic Clients



  • Hello all,

    In my last setup I was using pfSense as a FreeRADIUS server, and my OpenWrt wireless access point devices successfully handled the authentication problem.
    But the problem is that several devices, like wireless printers, the PS3 and so on, cannot join this type of wireless network.

    Is it possible to define the MACs of these types of devices to solve this problem?
    I couldn't solve it.

    If it's possible to define something like a "MAC pass list", those types of dummy devices can join my network.
    Right now some of them aren't even listing my WPA2 Enterprise network …



  • I use no encryption and use Static DHCP, addressing only known MAC addresses. I think this is what you're needing to research. Each interface on your box has its own DHCP server settings via a tab at the top of the screen with LAN/WAN/OPT or other interfaces if so assigned.





  • Thank you for replies.
    My main intention is to keep security high but allow several passthrough accounts. I thought adding devices to the FreeRADIUS configuration would allow them to connect even if they're not capable of connecting to a WPA2 Enterprise network …


  • LAYER 8 Netgate

    I don't think you understand that if you add some sort of pass-through based on MAC addresses, those MAC addresses are always being broadcast in the clear, so all someone would have to do is sniff them, then tell their wireless card to use that MAC and they're on your network. No security at all.

    If you have a WPA2 Enterprise network and your devices don't support WPA2 Enterprise, they will be unable to join.

    Your choices are to run two Wi-Fi networks, with segregation, or run two Wi-Fi networks into the same LAN. But if you're going to do that, you might as well just forget about running WPA2 Enterprise and just run simple WPA2.

    If you have WEP-only devices or devices that will only connect to open networks, throw them away.



  • You are undoubtedly correct.
    But when you say always broadcast in the clear, wouldn't the DHCP OFFER stage be the only time the MAC address would be broadcast? I was thinking most packets only have the IP info.
    I guess they could crash your Wi-Fi network, causing machines to renegotiate leases, and sniff them easily then; also on lease renewal. I live in a cozy cul-de-sac and have no such worries. What are good sniffers these days? I wanna test it out. I see NetStumbler is still around…



    So I fired up NetStumbler and the first thing I see is my pfwifi access point with its MAC address. I didn't see any clients' MACs, but from what I read I need to fire up Linux/DragonflyBSD and run Wireshark in monitor mode. When is the client Wi-Fi MAC address exposed? Is it broadcast all the time or just during the DHCP lease procedure? So does it depend on the client OS used, or is it a radio thing used by all for network addressing?
    Thanks for sharing.
    Sincerely Frank


  • LAYER 8 Netgate

    All the time. MACs are always in the clear, even with WPA2 Enterprise/AES/whatever. You just need a wireless adapter in promiscuous mode and Wireshark and they're all there.

    All IP (layer 3) packets are encapsulated in Ethernet/wireless (layer 2) frames all the time. You have to process the frame to get the IP address.
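The point made above, that the 802.11 header and its addresses stay in plaintext even when WPA2 encrypts the body, can be seen directly by parsing a frame. The following is an added worked example written for this page; it is not code from any poster in this thread or from pfSense, OpenWrt or Wireshark. The access point, station and upstream MACs are hypothetical, the frame bodies are constructed filler standing in for CCMP ciphertext, and the FCS is assumed to have been stripped, as a monitor-mode capture normally presents it.

```python
import struct

# Constructed sample addresses for this example (not captured traffic).
BSSID = "00:11:22:33:44:55"      # hypothetical access point
STATION_1 = "aa:bb:cc:dd:ee:01"  # hypothetical client, uplink frame
STATION_2 = "aa:bb:cc:dd:ee:02"  # hypothetical client, downlink frame
UPSTREAM = "00:11:22:33:44:56"   # hypothetical wired host behind the AP


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(x, 16) for x in text.split(":"))


def parse_80211(frame: bytes) -> dict:
    """Decode the MAC header of an 802.11 frame (FCS already stripped).

    Only the header is read. With the Protected bit set the body is
    CCMP/TKIP ciphertext, but the header, and every address in it, is
    plaintext by design: receivers must address-filter before they decrypt.
    """
    if len(frame) < 24:
        raise ValueError("need at least the 24-byte three-address header")
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3          # 0 mgmt, 1 ctrl, 2 data
    subtype = (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    offset, a4 = 24, None
    if to_ds and from_ds:             # 4-address (WDS) frames carry Addr4
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        a4, offset = frame[24:30], 30
    if ftype == 2 and subtype & 0x8:  # QoS Data subtypes add a 2-byte QoS control field
        offset += 2
    info = {
        "type": ftype, "subtype": subtype, "protected": protected,
        "to_ds": to_ds, "from_ds": from_ds, "seq": seq_ctl >> 4,
        "body": frame[offset:],       # opaque ciphertext when protected
    }
    # Which address is SA/DA/BSSID depends on the To DS / From DS bits.
    if ftype == 2:
        if not to_ds and not from_ds:
            roles = {"da": a1, "sa": a2, "bssid": a3}
        elif to_ds and not from_ds:
            roles = {"bssid": a1, "sa": a2, "da": a3}
        elif from_ds and not to_ds:
            roles = {"da": a1, "bssid": a2, "sa": a3}
        else:
            roles = {"ra": a1, "ta": a2, "da": a3, "sa": a4}
    else:
        roles = {"addr1": a1, "addr2": a2, "addr3": a3}
    info.update({k: mac_str(v) for k, v in roles.items()})
    return info


def stations_seen(frames, bssid: str) -> list:
    """Client MACs that exchanged data frames with `bssid`, encrypted or not.
    This is the list a monitor-mode sniffer builds without any key material."""
    seen = set()
    for frame in frames:
        info = parse_80211(frame)
        if info["type"] != 2 or info.get("bssid") != bssid:
            continue
        if info["to_ds"]:
            seen.add(info["sa"])      # station -> AP
        elif info["from_ds"]:
            seen.add(info["da"])      # AP -> station
    return sorted(seen)


def build_protected_qos_data(to_ds: bool, from_ds: bool, a1: str, a2: str,
                             a3: str, ciphertext: bytes) -> bytes:
    """Assemble a WPA2 (CCMP) QoS Data frame with an opaque body. The body
    bytes passed in are constructed filler standing in for real ciphertext."""
    fc0 = 0x88                                  # type 2 (data), subtype 8 (QoS Data)
    fc1 = 0x40 | (0x01 if to_ds else 0) | (0x02 if from_ds else 0)  # Protected + DS bits
    header = (struct.pack("<BBH", fc0, fc1, 0x002C)
              + mac_bytes(a1) + mac_bytes(a2) + mac_bytes(a3)
              + struct.pack("<H", 0x0010)       # sequence control: seq 1, frag 0
              + b"\x00\x00")                    # QoS control
    ccmp_header = bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])  # PN=1, ExtIV, key id 0
    return header + ccmp_header + ciphertext


SAMPLE_FRAMES = [
    build_protected_qos_data(True, False, BSSID, STATION_1, UPSTREAM, b"\x9e" * 40),
    build_protected_qos_data(False, True, STATION_2, BSSID, UPSTREAM, b"\x4f" * 40),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        i = parse_80211(f)
        print(f"protected={i['protected']} sa={i['sa']} da={i['da']} "
              f"bssid={i['bssid']} body={len(i['body'])} opaque bytes")
    print("stations seen:", stations_seen(SAMPLE_FRAMES, BSSID))
```

Both sample frames have the Protected bit set and an unreadable body, yet the parser recovers the station and AP addresses from the header alone, which is all a MAC pass list would be checking. Note that a capture for this has to come from an adapter in monitor mode, which exposes raw 802.11 frames; promiscuous mode on a normal managed-mode interface only shows the Ethernet-style frames for the network the adapter is itself joined to.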



  • So using WEP password 1234 would be safer!!! Just kidding. I had to chuckle at your "throw all WEP gear away" and was thinking, what kind of advice is that!! I guess I need to keep my advice contained to items I know about….
    Thanks for sharing.



  • WEP was deprecated already in 2004. The 10 years following that should really have been enough time to convert to WPA2 and phase all non-upgradeable wireless gear out, even for a very busy network administrator. ;)


  • LAYER 8 Netgate

    You'd be surprised.

