topic Re: Using mac-adresses for authentication in Wireless

Using mac-adresses for authentication

Nevyn Bergstrom — Sun, 04 Jul 2021 05:38:25 GMT

How do we configure our controllers/radius-servers to use MAC-addresses instead of authenticate against a certain group in the AD? We would, if possible, like to combine these two ways of authentication in on SSID.

We're running 7.0.116.0 on our controllers (5500-series) and our radius-servers are one W2k8 and one W2k3.

Using mac-adresses for authentication

Amjad Abdullah — Mon, 10 Sep 2012 09:49:44 GMT

Nevyn:

Yes you can combain both security methods.

What you need to do is to configure the WLAN to use mac authentication (it is only checkbox under security Layer 2 tab) and also to configure the allowed mac addresses on the radius server.

Here is a doc: http://tiny.cc/2pyekw (the link sends you directly to the radius config but you can read the whole doc).

in your situation, just mark the checkbox of mac filtering on the SSID and add the allowed macs to the radius. keep hte WPA2+802.1x config the same. This way you will use both security methods.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Using mac-adresses for authentication

Nevyn Bergstrom — Mon, 10 Sep 2012 10:12:26 GMT

You don't happen to know how to do it in a microsoft environment?

Using mac-adresses for authentication

Amjad Abdullah — Mon, 10 Sep 2012 10:19:57 GMT

With microsoft radius it is the same. You need to add users to the radius server; the username and the password both should be the mac address.

Rating useful replies is more useful than saying "Thank you"

Using mac-adresses for authentication

George Stefanick — Tue, 11 Sep 2012 04:56:59 GMT

Nevyn,

How many devices are you doing mac filters for, Im just curiuos.

Using mac-adresses for authentication

Nevyn Bergstrom — Tue, 11 Sep 2012 06:23:31 GMT

As a start, about 20 but unfortionatly it is probably going to grow as we deploy .1x on the wired network aswell as the wireless. In the end? Who knows... Maybe 50, maybe 100, maybe more...

Re: Using mac-adresses for authentication

Scott Fella — Tue, 11 Sep 2012 07:45:57 GMT

Here is my opinion....There is no need to deloy mac authentication if your going to do 802.1x. I never tell my customers todo this and if they do think they need it, well in the end they don't. Mac authentication isn't a security method in my book and it's a management nightmare.

Sent from Cisco Technical Support iPhone App

Re: Using mac-adresses for authentication

Nevyn Bergstrom — Tue, 11 Sep 2012 08:08:11 GMT

Unfortunately we've got a bunch of devises where it's not possible to use 802.1x. I'm working at a hospital and there are medical equipment which needs to be connected to the network but where it isn't an alternative to use our regular type of authentication. When we start deploying 802.1x on the wired network we won't have the alternative (as we do today) of saying that if a device can't handle 802.1x, WPA2 and 5GHz we won't let it onto our network. We need to find a solution...

Re: Using mac-adresses for authentication

Scott Fella — Tue, 11 Sep 2012 08:38:31 GMT

That doesn't really solve a security solution. In many of my hospital installations, there are more than 100+ devices that don't support 802.1x. So if you have to settle with PSK or even WEP on some devices, these can't be referenced by radius so now you have to enter the Mac address in each wlc you have. If that's what you need to do to satisfy a requirement then that is what you will have to do. The main issue is that PSK, WEP and Mac authentication doesn't pass audits if you ever have to get a network audit. Just giving my opinion from my experience.

Sent from Cisco Technical Support iPhone App

Re: Using mac-adresses for authentication

George Stefanick — Tue, 11 Sep 2012 16:26:40 GMT

I work for a large hsp system as well. PSK will past some audits, it all depends how you manage the key. For exmaple, we use wavelink to push keys to our cisco phones, no one knows the key only me, phones and the wlc.

I would get away from MAC before it gets to big.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Re: Using mac-adresses for authentication

Nevyn Bergstrom — Wed, 12 Sep 2012 05:51:02 GMT

On wireless we might manage to avoid MAC-authentication altogether. The possible exception is about 20 devices which can handle our network as it is today but where all the default policies on our domain causes a lot of extra work.

On the wired network we haven't got any protection what so ever today. We have now started the process of separating out critical equipment and try telling a CT-scanner (I work at a hospital) that it's got to use certificates 😉 The plan for all regular computers is to use the same (though slightly modified) policy as we're using for wireless today but that leaves all the "weird" medical devices which don't have antivirus, can't handle certificates and generally don't do security... In the end the medical equipment will end up on one set of vlans and the regular computers on another with a firewall regulating access.

Since we're starting with the wireless I asked here 🙂