The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

[Per Mejdal Rasmussen <pmr AT its.aau.dk>]

Hi, thank you for your reply.


On 2019-04-02 09:11, Stefan Winter wrote:
> Using MAC addresses for access restrictions is a thing of the past. IEEE
> and Wi-Fi Alliance push on MAC address randomisation, and if a user has
> a sufficiently new device, it may very well be that you'll see a new MAC
> address every single time they authenticate. Which makes your
> authorisation system defunct.

I am only aware that devices randomize MAC-addresses when probing for 
networks to join.

I will read more about that in the sources at:
https://en.wikipedia.org/wiki/MAC_spoofing#MAC_Address_Randomization_in_WiFi


> Also, even if this were not an issue: an attacker with a rogue network
> that steals the username and password now also has to take note of the
> MAC address of the device, and set that MAC address for his future
> exploitation of the credentials. That is hardly a significant hurdle.

The MAC address lock serves two purposes: Preventing users from sharing 
the credentials, and making it harder, but not impossible to use stolen 
credentials. Which only gives access to eduroam. If the mac lock gives 
too many problem, it can be removed.


> For small user populations, we offer the product "eduroam Managed IdP"
> which works with per-device client credentials. It is not intended to be
> used for large user bases such as "thousands of students" though. If you
> want to try this out, please get in touch with your eduroam National
> Roaming Operator in Denmark (Danish e-Infrastructure Cooperation - DeiC).

Why is it only for "small user populations"?


--
Per Mejdal Rasmussen
http://personprofil.aau.dk/109070