1

Is it possible to keep a connection alive while spoofing/changing the MAC address of your own network adapter (especially a WLAN adapter), without needing to re-authenticate against an 802.1X RADIUS server with EAP-TLS?

I need this to secure a network, not to break into one.

HalloDu

2 Answers

2

I don't think so; 802.1X is based off of source learning, so when the MAC changes it will re-learn the new MAC on the ingress interface and attempt to authenticate it as though there were two machines connected through a passive switch. The only way I see this working would be if both MACs are in your authorization tables for your .1X data source AND the user was authorized in both realms (if two realms are in play here).

Nick Zepp
0

I highly doubt this as well.

The authentication is based on the MAC address. That's why you can perform man-in-the-middle and replay attacks.

Using another MAC address fails for these attacks, due to the fact that it's not authenticated.

How do you plan to secure this, even if it was a possibility?

I'm very curious. :D

Arenstar
  • The ending sentence was merely a disclaimer to not be treated as a hacker - bad experiences in the past. I just want to establish that a MAC address is consistent with the certificate. – HalloDu Nov 17 '10 at 20:09
  • Ahh right... :D Secure it by trying to hack it. That's what I would do. – Arenstar Nov 17 '10 at 20:11
  • Yes, that's what I wanted to try next time I am on the scene. But it cannot hurt to get some opinions on the matter beforehand, and that is easier if nobody thinks you are the bad guy. – HalloDu Nov 17 '10 at 20:13
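
As an added example (not from any of the posts above): one way to check that a certificate keeps authenticating from the MAC address it was issued for, the consistency the asker mentions in the comments, is to compare accepted logins against an inventory. The log layout, the `cert_cn` field and the `PINNED` inventory are assumptions made for this sketch; `Calling-Station-Id` is the standard RADIUS attribute that carries the client MAC.

```python
import re

# Constructed sample of EAP-TLS login records (not real server output).
# "cert_cn" is a hypothetical field name for the client certificate's CN;
# Calling-Station-Id is the standard RADIUS attribute with the client MAC.
SAMPLE_LOG = '''\
2010-11-17T09:00:01 Access-Accept cert_cn="laptop01.example.test" Calling-Station-Id="00-11-22-33-44-55"
2010-11-17T09:05:40 Access-Accept cert_cn="laptop02.example.test" Calling-Station-Id="00:11:22:AA:BB:CC"
2010-11-17T13:12:09 Access-Accept cert_cn="laptop01.example.test" Calling-Station-Id="0011.2233.4455"
2010-11-17T20:09:30 Access-Accept cert_cn="laptop01.example.test" Calling-Station-Id="02-de-ad-be-ef-01"
2010-11-17T20:11:02 Access-Reject cert_cn="laptop02.example.test" Calling-Station-Id="02-de-ad-be-ef-02"
'''

# Hypothetical inventory: the MAC address each certificate was issued for.
PINNED = {
    "laptop01.example.test": "00:11:22:33:44:55",
    "laptop02.example.test": "00:11:22:aa:bb:cc",
}

FIELD = re.compile(r'([\w-]+)="([^"]*)"')

def normalize_mac(raw):
    """Reduce dash, colon and dotted notations to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_mismatches(log_text, pinned):
    """Return (timestamp, cn, mac, reason) for accepted logins off the pinned MAC."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[1] != "Access-Accept":
            continue  # rejected attempts never reached the network
        fields = dict(FIELD.findall(parts[2]))
        cn = fields.get("cert_cn")
        mac = normalize_mac(fields.get("Calling-Station-Id", ""))
        expected = pinned.get(cn)
        if expected is None:
            reason = "certificate not in inventory"
        elif mac != expected:
            reason = "MAC differs from pinned address"
            if int(mac[:2], 16) & 0x02:  # locally administered bit is set
                reason += " (locally administered)"
        else:
            continue
        findings.append((parts[0], cn, mac, reason))
    return findings
```
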