Using ACS to authenticate via MAC addresses

raularias
Level 1

Has anyone set up a wireless network with two SSIDs to work the following way: The first SSID is for employees only. The second is for guests. All APs authenticate MAC addresses from an ACS. The AP assigns the proper VLAN for each type of user. The employees have full access, and guests have Internet-only access. How does one prevent a guest from accessing the "private" network? Let's say a guest figures out what the "employee only" SSID is, and changes his SSID. This would give him access to the "private" network. Where would I configure (the AP or ACS) the restrictions so that if you are not in the list of employee MAC addresses, then you will not authenticate with the employee-only SSID? Any help will be greatly appreciated.

2 Replies

cguedes
Level 1

If a guest figures out what the "employee only" SSID is, no problem. He needs to know and use in his NIC a correct MAC address you have registered. Besides that, he needs to log in to your network. A strong authentication method like PEAP can be used so that employees have a certificate and guests haven't.

Preventing a guest from accessing the private network is a network issue. The private VLAN is routed to your network and the guest VLAN isn't.

Carlos

dixho
Level 6

I do not suggest MAC authentication because it takes a hacker 10 seconds to figure out MAC authentication. If you insist on MAC authentication, you can do the following:

1. Go to the GUI, click on "SECURITY" and "SSID Manager"

2. Select the SSID and choose "Open" "With MAC"

3. Click on "Advanced Security". You can choose "Local List Only" or "Authentication Server Only"

4. If you choose "Local List Only", you can define the MAC address in the "Advanced Security" Window. The limitation is 50 MAC addresses.

If you insist on using MAC authentication, I suggest you use static WEP. At least you encrypt data, so that hackers do not pick up data over the wireless media. Of course, I suggest you implement one of the 802.1x types.
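The same setup expressed as an Aironet IOS configuration, added here as an illustration and not taken from either reply: the employee SSID checks the client MAC against the ACS (the "Authentication Server Only" choice from the steps above) and is mapped to its own VLAN, the guest SSID is open on a separate VLAN, and the employee SSID additionally carries the 802.1x/EAP method both replies recommend. The server address, shared secret, VLAN numbers and method-list names are assumed values.

```cisco
! Assumed: ACS (RADIUS) at 192.0.2.10, employee VLAN 10, guest VLAN 20.
aaa new-model
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key EXAMPLE-SHARED-SECRET
aaa group server radius acs_servers
 server 192.0.2.10 auth-port 1645 acct-port 1646
! Method list the AP consults for MAC addresses; on the ACS each employee
! device is a user whose username and password are both its MAC address.
aaa authentication login mac_methods group acs_servers
! Method list for EAP (802.1x) users on the same ACS.
aaa authentication login eap_methods group acs_servers
!
! Employee SSID, tied to VLAN 10. Knowing the SSID name is not enough: the
! client MAC must be on the ACS, and with EAP it must also hold credentials.
! MAC-only, as in step 2 above, would be:
!   authentication open mac-address mac_methods
dot11 ssid employees
 vlan 10
 authentication open mac-address mac_methods eap eap_methods
 authentication network-eap eap_methods mac-address mac_methods
 authentication key-management wpa
!
! Guest SSID: open, broadcast, tied to VLAN 20. Whether VLAN 20 can reach
! anything beyond the Internet is decided on the router, not on the AP.
dot11 ssid guests
 vlan 20
 authentication open
 guest-mode
!
interface Dot11Radio0
 encryption vlan 10 mode ciphers aes-ccm
 ssid employees
 ssid guests
!
! Sub-interfaces bridge each VLAN from the radio to the wired trunk.
interface Dot11Radio0.10
 encapsulation dot1Q 10
 bridge-group 10
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
interface FastEthernet0.10
 encapsulation dot1Q 10
 bridge-group 10
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
```

A client whose MAC is not on the ACS is refused on the employees SSID before it is placed in VLAN 10; the guest VLAN still needs an ACL or routing policy on the upstream router to restrict it to Internet access.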
