
Mac Filtering - Is It Happening And If So Why?


billyblaxsta


Hello,

I have a legitimate connection to the eduroam network (www.eduroam.org). This network allows students throughout the world to connect to the eduroam network. Eduroam is WPA2 Enterprise and so I need a username, password, and certificate. My University uses Protected EAP and MSCHAPv2.

The first time I connected I used my external card (wlan1). Everything worked.

Here are the relevant logs from syslog:

Apr 26 21:39:20 myname wpa_supplicant[736]: CTRL-EVENT-EAP-STARTED EAP authentication started

Apr 26 21:39:20 myname NetworkManager: <info> (wlan1): supplicant connection state: associating -> associated

Apr 26 21:39:20 myname wpa_supplicant[736]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected

Apr 26 21:39:21 myname wpa_supplicant[736]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)

Apr 26 21:39:22 myname wpa_supplicant[736]: EAP-MSCHAPV2: Authentication succeeded

Apr 26 21:39:22 myname wpa_supplicant[736]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed

Apr 26 21:39:22 myname wpa_supplicant[736]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

Apr 26 21:39:22 myname NetworkManager: <info> (wlan1): supplicant connection state: associated -> 4-way handshake

I then disconnected and spoofed my MAC on wlan1. Then I tried to connect again. It failed.

Logs:

Apr 26 21:37:04 myname wpa_supplicant[736]: CTRL-EVENT-EAP-STARTED EAP authentication started

Apr 26 21:37:04 myname NetworkManager: <info> (wlan1): supplicant connection state: associating -> associated

Apr 26 21:37:04 myname wpa_supplicant[736]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected

Apr 26 21:37:05 myname wpa_supplicant[736]: OpenSSL: tls_connection_handshake - Failed to read possible Application Data error:00000000:lib(0):func(0):reason(0)

Apr 26 21:37:05 myname wpa_supplicant[736]: EAP-MSCHAPV2: Authentication succeeded

Apr 26 21:37:05 myname wpa_supplicant[736]: EAP-TLV: TLV Result - Success - EAP-TLV/Phase2 Completed

Apr 26 21:37:05 myname wpa_supplicant[736]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully

Apr 26 21:37:05 myname NetworkManager: <info> (wlan1): supplicant connection state: associated -> 4-way handshake

Apr 26 21:37:06 myname kernel: [ 320.448925] wlan1: deauthenticated from 00:27:09:2d:88:13 (Reason: 23)

Apr 26 21:37:06 myname wpa_supplicant[736]: CTRL-EVENT-DISCONNECTED - Disconnect event - remove keys

Apr 26 21:37:06 myname NetworkManager: <info> (wlan1): supplicant connection state: 4-way handshake -> disconnected

Apr 26 21:37:06 myname NetworkManager: <info> (wlan1): supplicant connection state: disconnected -> scanning

I then looked up "Reason 23" here: http://etutorials.org/Networking/Wireless+lan+security/Chapter+4.+WLAN+Fundamentals/Basic+Choreography/ which told me it meant that IEEE 802.1X authentication failed.

So I looked up IEEE 802.1X authentication failed and found this https://secure.wikimedia.org/wikipedia/en/wiki/IEEE_802.1X. If you scroll down to "Federations" you will see that eduroam is mentioned as an example of one of the networks that uses 802.1X authentication.

I also tried with my wlan0 card and also could not connect. The last positive message was CTRL-EVENT-EAP-STARTED EAP. Then deauthentication.

The only reason I can see that I could not access the network with my username and password is when I connected for the first time my MAC was logged and now only that MAC can access the network.

The eduroam website has a detailed guide but MAC filtering is not mentioned. In fact, I cannot find anything that confirms my problem is the result of MAC filtering.

Would someone like to confirm or challenge my assumption?

I don't really understand why MAC filtering is considered sensible. A student cannot connect to eduroam if he changes his laptop, uses a friend's laptop, or wants to use his Blackberry or iPhone to connect.

Thanks.

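Added example, not part of the original posts: a Python sketch that reads the wpa_supplicant, NetworkManager and kernel lines quoted in the first post and reports how far the attempt got before the deauthentication, plus the meaning of the IEEE 802.11 reason code. The log lines are abridged from the post; the function and table names are illustrative.

```python
import re

# Subset of IEEE 802.11 deauthentication reason codes.
REASON_CODES = {
    2: "previous authentication no longer valid",
    15: "4-way handshake timeout",
    23: "IEEE 802.1X authentication failed",
}
# Ordered markers of how far a WPA2-Enterprise attempt progressed.
STAGES = [
    ("eap_started", re.compile(r"CTRL-EVENT-EAP-STARTED")),
    ("eap_method", re.compile(r"CTRL-EVENT-EAP-METHOD .*\((\w+)\) selected")),
    ("phase2_ok", re.compile(r"EAP-MSCHAPV2: Authentication succeeded")),
    ("eap_success", re.compile(r"CTRL-EVENT-EAP-SUCCESS")),
    ("four_way_handshake", re.compile(r"-> 4-way handshake")),
]
DEAUTH = re.compile(r"deauthenticated from ([0-9a-f:]{17}) \(Reason: (\d+)\)")

# Second (spoofed-MAC) attempt, abridged from the log lines in the post.
FAILED_ATTEMPT = """\
Apr 26 21:37:04 myname wpa_supplicant[736]: CTRL-EVENT-EAP-STARTED EAP authentication started
Apr 26 21:37:04 myname NetworkManager: <info> (wlan1): supplicant connection state: associating -> associated
Apr 26 21:37:04 myname wpa_supplicant[736]: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
Apr 26 21:37:05 myname wpa_supplicant[736]: EAP-MSCHAPV2: Authentication succeeded
Apr 26 21:37:05 myname wpa_supplicant[736]: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
Apr 26 21:37:05 myname NetworkManager: <info> (wlan1): supplicant connection state: associated -> 4-way handshake
Apr 26 21:37:06 myname kernel: [ 320.448925] wlan1: deauthenticated from 00:27:09:2d:88:13 (Reason: 23)
""".splitlines()

def summarize_attempt(lines):
    """Return the furthest stage reached and any deauthentication details."""
    result = {"stage": None, "bssid": None, "reason": None, "reason_text": None}
    for line in lines:
        m = DEAUTH.search(line)
        if m:  # stop at the first deauthentication frame reported by the kernel
            code = int(m.group(2))
            result.update(bssid=m.group(1), reason=code,
                          reason_text=REASON_CODES.get(code, "unknown"))
            break
        for name, pattern in STAGES:
            if pattern.search(line):
                result["stage"] = name  # lines are chronological; keep the latest
    return result

if __name__ == "__main__":
    print(summarize_attempt(FAILED_ATTEMPT))
```

On the second attempt's lines this reports stage `four_way_handshake` with reason 23: the supplicant had already logged EAP success when the access point sent the deauthentication.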

The implementation they have is also probably using MACsec in its EAPOL settings, which means that your original MAC address is already registered as the default device for that login you are using. I would advise you to tread lightly while using your normal MAC, since for security purposes, they are tracking data at layer 2, and not by IP alone. In other words, they know your device by its physical MAC address.

http://standards.ieee.org/cgi-bin/status?Designation:%20802.1AE

Edited by digip

The only way you could spoof your MAC address is using a MAC address that is already known to the Wireless System. For example, you could pose as another trusted wireless client, but this would be illegal and against the network usage policy.

If you would like to use a different MAC address the only way to overcome that is contacting your helpdesk, but that could raise some suspicion in your IT department, so play it cool.
