
mmalone | 2 years ago

> For the use case cited -- blocking MAC spoofing, EAP-TLS doesn't quite solve it

The idea would be to rely on the client certificate authentication and not use MAC filtering at all. For example, you could have an EAP-TLS network that's unrestricted and not let Mallory on it. Or you could use RADIUS reply attributes to put Mallory on a restricted VLAN.
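As an added illustration (not part of the thread), here is what the "RADIUS reply attributes" approach looks like as a FreeRADIUS 3.x post-auth fragment: the RFC 3580 Tunnel-* attributes tell the AP which VLAN to place the authenticated client on. It assumes EAP-TLS is already configured so that the client certificate has been validated; the certificate CN pattern and the VLAN IDs are constructed values.

```text
# FreeRADIUS 3.x, sites-enabled/default, post-auth section (illustrative fragment).
# Assumes the EAP-TLS handshake has completed and the certificate chain was
# verified; TLS-Client-Cert-Common-Name is populated by rlm_eap_tls.
post-auth {
    # Certificates issued to restricted devices carry a CN prefix such as
    # "mallory-" (constructed naming convention). Send them to VLAN 20.
    if (&TLS-Client-Cert-Common-Name =~ /^mallory-/) {
        update reply {
            &Tunnel-Type := VLAN              # RFC 3580: Tunnel-Type 13
            &Tunnel-Medium-Type := IEEE-802   # RFC 3580: Tunnel-Medium-Type 6
            &Tunnel-Private-Group-Id := "20"  # restricted VLAN (constructed value)
        }
    }
    else {
        # Any other device with a valid certificate lands on the trusted VLAN.
        update reply {
            &Tunnel-Type := VLAN
            &Tunnel-Medium-Type := IEEE-802
            &Tunnel-Private-Group-Id := "10"  # trusted VLAN (constructed value)
        }
    }
    # A client without a certificate the CA issued never reaches post-auth,
    # so no MAC allow-list is involved and there is nothing to spoof.
}
```

The AP or controller must be configured to honour dynamic VLAN assignment from RADIUS for these attributes to take effect.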

kccqzy | 2 years ago

Why not just set up multiple SSIDs then? The devices connected to different SSIDs belong to different VLANs. Then you don't have to consider MAC spoofing or even deploy EAP-TLS: just give different devices a different password.

I'm sure there are simpler ways to deal with the use case in mind, but I think this article just wants to have fun with NSA-grade WiFi.

spr-alex | 2 years ago

Right, although the article did not mention how to stop the spoofing. I started this thread to raise awareness and to point out that the details around RADIUS can really matter here when not using a secure AP, because some of the security assumptions about RADIUS clients do lead to hilarious security failure.