One time login based on MAC-auth

  • Idea
  • Updated 4 years ago
How cool would it be to be able to "remember" users based on their MAC address and allow access to the network while presenting unknown users a CWP.

My guess: use MAC-based auth and always have a RADIUS server reply with accept-accept; however, if the MAC address is unknown, send a VSA to force the Hive AP to display a CWP. Then, after the client authenticates through the CWP, register its MAC address, and next time it connects it's known :)

This would be a great BYOD solution for schools and public areas.

Steven

steven


Posted 5 years ago


Nick Lowe, Official Rep

Personally, I would avoid using MAC addresses like the plague. You would be authenticating a device with such a system, not the user.

Remember that users can change devices or have multiples. They're also not a secure identifier and are easily spoofed.

Use 802.1X and an EAP type like PEAP with EAP-MS-CHAPv2 to get a user's identity rather than a device's.

Alternatively, issue a PPSK per user via a registration system.

steven

Hi Nick,

You are right about security concerns; however, since this is just for public internet, it's not a big deal. The CWP being displayed might be a use policy acceptance, for example.

I've demoed the PPSK+registration to IT managers and even they were having trouble understanding this system.

The key is to get the best user experience for free public access.

Steven

Nick Lowe, Official Rep

Sure, in the case that it's free public access, security concerns do not exist in the same way.

However, you did suggest use in a school setting where I don't feel it would be so appropriate.

Regards,

Nick

steven

Anyone from Aerohive have a comment on this matter?

Steven

Sarah Banks

Hi Steven,
MAC-based authentication is indeed something we're looking into. I'm wondering how many MAC addresses you're expecting to be remembered?

Thanks
Sarah

steven

Hi Sarah

Thanks for the reply.

The number of MAC addresses is infinite? I'm planning on doing MAC-auth on a RADIUS back-end, which works now, but what I want is for unknown devices to have the user register through a CWP.

Steven

Sarah Banks

Hi Steven, thanks for your response and feedback. I appreciate the extra detail.

Edwin Amoo

Hi, I just need to configure MAC authentication on HiveManager Express 6.1 but I'm not sure how to... Help