Re: 1200 WAP- MAC address authentication without RADIUS server

srokusek · ‎06-18-2004

We have a relatively small wireless network (about 40 1200 WAP's). Right now, our wireless is open, no restriction at all. Our goal is to allow access to the wireless for only authorized users instead of just anyone who wanders within range. We don't have a need for the security levels of LEAP or PEAP, and we don't want to require everyone to buy a new wireless card if they don't currently have a Cisco card. Can we combine WEP with MAC access lists? If so, can we do that without a RADIUS server? From the documentation that I have been reading, a RADIUS server is used for much higher levels of security than what we will be implementing.

Maybe there is another solution that is better for us that I am just not identifying. Any help/suggestions would be greatly appreciated!

Thanks-

Sonia

gamccall · ‎06-18-2004

Yes, you can use static WEP and/or MAC filtering without needing a AAA server. Be aware that it's trivial to spoof a MAC address, and that it's possible to break static WEP relatively quickly depending on your volume of wireless traffic. The two together should keep out bored kids, but will not protect you from a determined attack.

ctripp · ‎06-18-2004

Hi Sonia,

If you are running IOS access points and 12.2(15)JA, you can setup one Access Point to function as a local radius server that does mac authentication.

One centralized entry point for your Mac addresses instead of entering them on every one.

Regards,

Charlie

srokusek · ‎06-20-2004

Yes we are running 12.2(15)JA. I am very interested in this. Would this limit us to approximately 50 users? If so, this wouldn't work. If it doesn't limit us, this would work great!