dentproject / dentOS

dentOS SwitchDev based NOS

802.1x PAE #303

Open ccie57654 opened 5 months ago

ccie57654 commented 5 months ago

Overview

The hostapd package included with Dent works in the sense that you can start the service and provide a configuration; however, what is missing from the public hostapd package is the Port Access Entity (PAE) component.

Use Case

When a device is attached via Ethernet to a port, there should exist the capability to configure said port to only accept EAPoL frames or additional types defined in an ACL, and forward the frames to the RADIUS server, or create a RADIUS Access-Request message based on the source MAC for MAB purposes.

Operation

Testing

Leveraging FreeRADIUS or similar to validate that a port can be moved from an unauthorized state (dropping all frames except those specified) to an authorized state with the received tunnel ID.

pbanicev commented 4 months ago

Where is the watcher solution for MAC Authentication Bypass explained? Is there any standard covering it?

ccie57654 commented 4 months ago

Typically the NAS will formulate the authentication request on behalf of the device that does not support 802.1x EAP. For wired, the typical implementation leverages the RSTP Learning state in order to glean the MAC address; once the MAC address is learned on the port by monitoring the forwarding table, an authentication request can be formed using the MAC address as the username and password.

There are silent hosts that do not send any traffic unless they receive a broadcast or other form of traffic first. In this case the problem is the same; however, instead of leveraging the learning state, an L2 ACL would need to be used in order to filter all inbound traffic from going beyond the port but allow outbound traffic towards the host in order to "wake it up".
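The MAB exchange described in this thread, as an added example that is not dentOS or hostapd code: the NAS side builds a RADIUS Access-Request carrying the learned MAC as both User-Name and User-Password (hidden per RFC 2865), and then reads the Tunnel-Private-Group-ID out of the Access-Accept to decide which VLAN the port is authorized into. The "aabbccddeeff" credential form and the Call-Check service type are assumptions (different RADIUS servers expect different MAC formats), and the shared secret and authenticator are constructed for the test.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                         # RFC 2865/2868 codes
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID = 1, 2, 6, 31
NAS_PORT_TYPE, TUNNEL_PRIVATE_GROUP_ID = 61, 81
SERVICE_TYPE_CALL_CHECK, NAS_PORT_TYPE_ETHERNET = 10, 15     # typical for wired MAB

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts its own 2-byte header."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_mab_request(mac: str, secret: bytes, ident: int, authenticator: bytes = b"") -> bytes:
    """Access-Request with the learned MAC as both User-Name and User-Password."""
    authenticator = authenticator or os.urandom(16)          # fresh Request Authenticator
    cred = mac.lower().replace(":", "").encode()             # assumed 'aabbccddeeff' credential form
    attrs = (attr(USER_NAME, cred)
             + attr(USER_PASSWORD, hide_password(cred, secret, authenticator))
             + attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_ETHERNET))
             + attr(CALLING_STATION_ID, mac.upper().replace(":", "-").encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def vlan_from_accept(packet: bytes):
    """Tunnel-Private-Group-ID (the VLAN to authorize the port into) from an Access-Accept, else None."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None                                      # malformed attribute: do not authorize
        value = packet[pos + 2:pos + length]
        if attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:                   # leading byte is an RFC 2868 tag
                value = value[1:]
            return value.decode(errors="replace")
        pos += length
    return None
```

A real PAE would also verify the Response Authenticator on the reply before trusting the VLAN, and keep the port in the unauthorized state (EAPoL only) until an Access-Accept arrives.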