[mmalone]

> For the use case cited -- blocking MAC spoofing, EAP-TLS doesn't quite solve it

The idea would be to rely on the client certificate authentication and not use MAC filtering at all. For example, you could have an EAP-TLS network that's unrestricted and not let Mallory on it. Or you could use RADIUS reply attributes to put Mallory on a restricted vlan.

[kccqzy]

Why not just set up multiple SSIDs then? The devices connected to different SSIDs belong to different VLANs. Then you don't have to consider MAC spoofing or even deploy EAP-TLS: just give different devices a different password.

I'm sure there are simpler ways to deal with the use case in mind, but I think this article just wants to have fun with NSA-grade WiFi.

[spr-alex]

Right, although the article did not mention how to stop the spoofing. I started this thread to raise awareness and point out that the details around RADIUS can really matter here when not using a secure AP because some of the security assumptions about radius clients do lead to hilarious security failure