About MAC Address Authentication
Elektron includes the ability to authenticate devices based on their MAC address. This can be used as a standalone means of authentication — that is, the device’s MAC address is the only thing that is verified before network access is granted. MAC address authentication may also be used in conjunction with standard user authentication, so that both the user and the device that user is connecting from are authenticated.
MAC address authentication by itself provides only weak authentication. This is due to the fact that many devices have configurable MAC addresses. If an attacker knows the MAC address of any legitimate device that is allowed access to your network, that attacker can configure their own device with that MAC address and gain entry to your network. We recommend that MAC address authentication be used in conjunction with user authentication.
How MAC Address Authentication Works
MAC address authentication is nothing more than a specially formatted authentication using the standard RADIUS protocols PAP and CHAP. As in any RADIUS request, the server is validating a username and password. In the case of MAC address authentication, the username is the MAC address, and the password is either the MAC address repeated or the network access point’s shared secret. Elektron takes care of these different password formats as well as varying MAC address formats (e.g., “123456-123456” vs. “12:34:56:12:34:56”) automatically.
Configuring MAC Address Authentication
Creating MAC Addresses
MAC address authentication must be enabled on a per-access point basis. To enable MAC address authentication for a given access point, double click its entry in the Access Points pane in the Elektron Settings application, and check the “Enable MAC Address Authentication” option.
Enabling MAC address authentication for each access point is a requirement to avoid creating security holes for other access points that use PAP or CHAP for regular user authentication. As mentioned above, the password used in MAC address authentication is the MAC address itself. If MAC address authentication were enabled for an access point that uses PAP or CHAP for user authentication, an attacker would only need a valid MAC address in order to log in as a user. Elektron therefore disables basic RADIUS protocols like PAP and CHAP for any access point on which MAC address authentication is enabled. The rules are:
MAC Address Authentication Disabled This is the default value for any newly created access point. For these access points, any PAP or CHAP request will be treated as a user login, and will be routed based on the authentication domains table to be handled by a backend authenticator like Active Directory or using Elektron accounts.
MAC Address Authentication Enabled For these access points, any PAP or CHAP request will be validated against the MAC address table, and will be allowed if there is a matching entry in the table.
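The following is an added example, not Elektron's own code, showing how the two rules above and the password handling described under "How MAC Address Authentication Works" fit together in a RADIUS server: the username is canonicalised from any legal MAC spelling, the password is accepted only if it is the MAC repeated (in any spelling) or the access point's shared secret, disabled entries are refused, and an access point with MAC authentication disabled never consults the MAC table at all. The MAC table, access point names and secrets are constructed sample data; PAP passwords are assumed to be already decoded from the RADIUS User-Password attribute, and the CHAP check uses the standard MD5(ident || password || challenge) response from RFC 1994.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field


def normalize_mac(raw: str) -> str:
    """Canonicalise any legal MAC spelling ('123456-123456', '12:34:56:12:34:56',
    '123456123456') to the colon form Elektron stores. Raises ValueError otherwise."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_password_spellings(mac: str) -> list[bytes]:
    """Spellings a NAS might send as the 'MAC repeated' password (lower and upper case)."""
    digits = mac.replace(":", "")
    forms = [mac, f"{digits[:6]}-{digits[6:]}", digits]
    return [f.encode() for s in forms for f in (s, s.upper())]


@dataclass
class MacEntry:
    friendly_name: str = ""
    disabled: bool = False            # "MAC Address is Disabled" option
    groups: set[str] = field(default_factory=set)


@dataclass
class AccessPoint:
    shared_secret: bytes
    mac_auth_enabled: bool = False    # default for a newly created access point


# Constructed sample tables (hypothetical devices and access points, not from the manual).
MAC_TABLE = {
    "11:22:33:44:55:66": MacEntry("Alice's Laptop", groups={"staff"}),
    "aa:bb:cc:dd:ee:ff": MacEntry("Retired printer", disabled=True),
}
ACCESS_POINTS = {
    "ap-lobby": AccessPoint(b"lobby-secret", mac_auth_enabled=True),
    "ap-office": AccessPoint(b"office-secret", mac_auth_enabled=False),
}


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """What the NAS places in CHAP-Password (RFC 1994): MD5(ident || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def check_mac_auth(ap, username, pap_password=None, chap=None):
    """Validate one PAP or CHAP request as a MAC-address login.
    pap_password: plaintext User-Password (bytes); chap: (ident, challenge, response)."""
    try:
        mac = normalize_mac(username)
    except ValueError:
        return False, "username is not a MAC address"
    entry = MAC_TABLE.get(mac)
    if entry is None:
        return False, f"{mac} not in MAC table"
    if entry.disabled:
        return False, f"{mac} is disabled"
    # Accept either the MAC repeated (any spelling) or this access point's shared secret.
    candidates = mac_password_spellings(mac) + [ap.shared_secret]
    if pap_password is not None:
        ok = any(hmac.compare_digest(pap_password, c) for c in candidates)
    elif chap is not None:
        ident, challenge, response = chap
        ok = any(hmac.compare_digest(chap_response(ident, c, challenge), response)
                 for c in candidates)
    else:
        return False, "no PAP or CHAP credential present"
    if not ok:
        return False, "password is neither the MAC repeated nor the shared secret"
    return True, f"{mac} ({entry.friendly_name}) groups={sorted(entry.groups)}"


def handle_request(ap_name, username, pap_password=None, chap=None):
    """Per-access-point rule: MAC auth disabled -> PAP/CHAP is a user login and is routed
    to the authentication domains; enabled -> PAP/CHAP is only checked against the MAC table."""
    ap = ACCESS_POINTS[ap_name]
    if not ap.mac_auth_enabled:
        return "user-login", f"route {username!r} via the authentication domains table"
    ok, why = check_mac_auth(ap, username, pap_password, chap)
    return ("access-accept" if ok else "access-reject"), why
```

Because the access point with MAC authentication disabled returns "user-login" before the MAC table is ever consulted, a MAC address that happens to be in the table cannot be used as a username/password pair on that access point, which is the security hole the per-access-point setting exists to close.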
To manage your MAC address list, use the MAC Addresses panel in the Elektron Settings application. You can create a new MAC address by clicking the add button, delete a MAC address by selecting it in the list and hitting the “Delete” key, and edit a MAC address by double clicking its entry in the list.
The configuration options available for any MAC address are:
MAC Address You may enter the address in any legal format such as “123456-123456” or “12:34:56:12:34:56”, however Elektron always stores addresses in the latter format. As explained above, Elektron will also accept authentication requests in any legal format.
Friendly Name You may optionally enter a hint as to which device this MAC address belongs to, such as “Alice’s Laptop”.
MAC Address is Disabled To temporarily disable a MAC address without needing to delete its entry, check this option.
Group Membership Elektron allows authorization policies to be triggered by membership in a MAC address group. You can configure group membership with this list. To manage MAC address groups, use the MAC Address Groups pane in Elektron Settings.
Importing MAC Addresses
You can import a list of MAC addresses using a text file in either tab-delimited or comma-separated value (CSV) format. Each line in the text file represents a single MAC address, with each line formatted as:
MAC Address<tab or comma>Friendly Name
For instance, to add the MAC address “11:22:33:44:55:66” with a friendly name of “Alice's Laptop”, the entry in the text file (in CSV format) would look like:
11:22:33:44:55:66,Alice's Laptop
The MAC address is required, while the friendly name is optional. You may enter the MAC address in any legal format, including:
11:22:33:44:55:66
112233-445566
112233445566
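As an added example of the import format just described (not Elektron's importer), the parser below accepts tab- or comma-delimited lines of "MAC Address<tab or comma>Friendly Name", treats the friendly name as optional, accepts all three address spellings listed above and stores each address in the colon form, and reports lines it could not use. The sample file contents are constructed, and the rejection of a second line that resolves to an already-imported address is my assumption about sensible behaviour rather than something the manual states.

```python
import csv
import re


def normalize_mac(raw: str) -> str:
    """Accept '11:22:33:44:55:66', '112233-445566' or '112233445566' and return the
    colon form the MAC address table stores. Raises ValueError for anything else."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_import(text: str) -> tuple[dict[str, str], list[str]]:
    """Parse import-file text. Returns (entries keyed by canonical MAC -> friendly name,
    list of messages for lines that were skipped)."""
    entries: dict[str, str] = {}
    errors: list[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue                                  # ignore blank lines
        delimiter = "\t" if "\t" in line else ","     # tab-delimited or CSV, per line
        fields = next(csv.reader([line], delimiter=delimiter))
        raw_mac = fields[0].strip()
        friendly_name = fields[1].strip() if len(fields) > 1 else ""   # optional
        try:
            mac = normalize_mac(raw_mac)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
            continue
        if mac in entries:
            errors.append(f"line {lineno}: duplicate of {mac}")
            continue
        entries[mac] = friendly_name
    return entries, errors


# Constructed sample import file: one CSV line, one duplicate in another spelling,
# one tab-delimited line, one address with no friendly name, and one bad line.
SAMPLE_IMPORT = (
    "11:22:33:44:55:66,Alice's Laptop\n"
    "112233-445566,Alice's Laptop again\n"
    "aabbcc-ddeeff\tConference room printer\n"
    "001122334455\n"
    "not-a-mac,Typo\n"
)

if __name__ == "__main__":
    imported, problems = parse_mac_import(SAMPLE_IMPORT)
    for mac, name in imported.items():
        print(f"{mac}\t{name or '(no friendly name)'}")
    for problem in problems:
        print("skipped:", problem)
```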
