PEAP with MAC authentication

tmbenne001
Level 1

I am getting ready to deploy some access points and I am using MS PEAP with ACS and Active Directory. I was thinking about using MAC authentication as well but I noticed something. In order to get MAC authentication to work you have to put the MAC address in ACS as a user, using the MAC address as both the username and password. When I connect to my access point it prompts me to enter a username and password; you normally would enter your Active Directory account here, but I noticed that if you just enter your MAC address as the username and password you can get onto the network. Isn't this a security hole? An attacker could basically "sniff" the air for MAC addresses since these are not encrypted. He could then easily spoof his MAC address and also use the MAC address as the username and password to gain access. Is there a way to avoid this?

4 Replies

paddyxdoyle
Level 6

Hi,

You could consider using Network Access Restrictions which is a form of MAC filtering and will prevent you from having to add the MAC addresses of users to your ACS database.

This basically binds a client's MAC address to an access point, so if a user tries to log in from a different MAC address using their normal account it will be denied by ACS, so you are effectively binding users to MAC addresses from allowed Access Points.

The MAC address could probably still be sniffed; however, this would not be enough to allow a login to the network.

It's configured on a per-user basis.

If you edit a user, scroll down to the

"Define CLI/DNIS-based access restrictions" and tick the box

Select the AP to which you will permit the client MAC from in the "AAA Client" drop down

enter "*" for the port

and enter the MAC address in the Address field

I can't quite remember the format of the MAC address but I think it needs to be in HHHH.HHHHH.HHHH

There's a white paper on it here:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml

HTH

Paddy

Wouldn't that be binding a user to the MAC address of the access point instead of the MAC address of the user's laptop? I think I am just going to perform PEAP without MAC authentication. I thought using the MAC authentication would add a little more security but it actually seems to make it more susceptible to attack. Thanks for the reply.

In my opinion, the administrative overhead to maintain MAC authentication outweighs the benefits of MAC authentication. If a hacker can break PEAP, he/she can easily hack MAC authentication. PEAP authentication is encrypted and the MAC address of the client adapter is not encrypted.

You need to maintain the MAC address when there is a new wireless client adapter or when you retire a laptop.

I have successfully used MAC with PEAP authentication. Use the MAC address for both the username and “PAP” password. Check “Separate (CHAP/MS-CHAP/ARAP)” password and enter a long (10+ characters) random password and forget it. You do not need to remember this password. This long password with the MAC address can be used to authenticate the PEAP session, so make sure it’s long, random and nobody knows what it is.

One nice thing about using MAC with some other authentication (LEAP, PEAP, FAST) is that it provides one more layer someone needs to go through. Even though it’s very easy to spoof, the “average” user will move onto another AP.

Rob
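As an added illustration, not code from the thread or from Cisco ACS: a small Python model of an ACS user record that has a PAP password and a separate CHAP/MS-CHAP password, showing why Rob's setup closes the hole in the question. The MAC-as-password credential is accepted only on the PAP path the access point uses for MAC authentication, not on the MS-CHAPv2 path that PEAP's inner authentication is checked against; the dotted MAC format, the secret length and the plain string comparison (real MS-CHAPv2 compares hashes) are simplifying assumptions.

```python
import re
import secrets
import string


def normalize_mac(mac: str) -> str:
    """Return a MAC in dotted form, e.g. '0011.2233.4455' (assumed ACS format)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def random_chap_secret(length: int = 24) -> str:
    """Long random secret for the 'Separate (CHAP/MS-CHAP/ARAP)' password box."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_mac_user(mac: str, separate_chap: bool = True) -> dict:
    """Constructed ACS-style user record for a MAC-authenticated client.

    separate_chap=False models the weak setup from the question: one password
    (the MAC itself) is used for every authentication method.
    """
    m = normalize_mac(mac)
    return {
        "username": m,
        "pap_password": m,                       # what the AP sends for MAC auth
        "chap_password": random_chap_secret() if separate_chap else m,
    }


def authenticate(user: dict, method: str, username: str, password: str) -> bool:
    """Model of ACS checking a credential against the password for a method.

    'pap'    - the RADIUS PAP request the AP issues for MAC authentication
    'mschap' - the inner MS-CHAPv2 exchange of a PEAP session
    """
    if username != user["username"]:
        return False
    if method == "pap":
        return secrets.compare_digest(password, user["pap_password"])
    if method == "mschap":
        return secrets.compare_digest(password, user["chap_password"])
    raise ValueError(f"unsupported method: {method}")
```

With the separate CHAP password set, typing the MAC as username and password into the PEAP prompt no longer authenticates, while the AP's MAC check still works.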
