For example, you can assign a pre-authentication role that redirects a client to a portal for authentication to the RADIUS server. You can also configure RADIUS MAC authentication to assign roles to clients that fail MAC authentication (to restrict access or redirect the client), or you can assign roles both pre-authentication and post-authentication. You can use RADIUS MAC Authentication to allow only authorized devices to connect to your wireless network. That's not to say your network can't be configured to spot a single MAC address coming in on multiple ports, but that is partly beyond my expertise and may be beyond the scope of this question.When you enable secondary authorization on your network, a wireless user first authenticates on the wireless network, and then the device used to connect to the network is authenticated to determine whether it is an authorized device. Yes, by design all nodes are given a unique IP from the factory, and if you're using a DHCP server it 'shouldn't' give out an already leased address, but packets can be crafted by people in black hooded sweaters wearing Guy Fawkes masks to make the packet look like it came from a certain mac or IP. It would be best to turn off MAC Authentication altogether if you're worried about this.Īlso, nothing 'guarantees' that a node will have a unique MAC or IP while they're on the network. MAC Whitelisting is effectively bypassing this, and yes, creating a loophole that will allow someone to access those resources. The purpose of RADIUS is to authenticate valid users/services, RADIUS runs in the Application Layer. No, it doesn't, and it's not intended to. this does not stop malicious clients forging valid clients MAC addresses.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |