12-06-2004 12:59 PM - edited 07-04-2021 10:14 AM
I am getting ready to deploy some access points and I am using MS PEAP with ACS and Active Directory. I was thinking about using MAC authentication as well but I noticed something. In order to get MAC authentication to work you have to put the MAC address in ACS as a user using the MAC address as both the username and password. When I connect to my access point it prompts me to enter a username and password, you normally would enter your Active Directory account here but I noticed that if you just enter your MAC address as the username and password you can get onto the network. Isn't this a security hole? An attacker could basically "sniff" the air for MAC addresses since these are not encrypted. He could then easily spoof his MAC address and also use the MAC address as the username and password to gain access. Is there a way to avoid this?
12-07-2004 03:32 AM
Hi,
You could consider using Network Access Restrictions which is a form of MAC filtering and will prevent you from having to add the MAC addresses of users to your ACS database.
This basically binds a clients MAC address to an access point, so if a user tries to log in from a different MAC address using their normal account it will be denied by ACS so you are effectively binding users to MAC addresses from allowed Access Points.
The MAC address could probably still be sniffed however this would not be enough to allow a login to the network.
It's configured on a per user basis
If you edit a user, scroll down to the
"Define CLI/DNIS-based access restrictions" and tick the box
Select the AP to which you will permit the client MAC from in the "AAA Client" drop down
enter "*" for the port
and enter the MAC address in the Address field
I can't quite remember the format of the MAC address but I think it needs to be in HHHH.HHHHH.HHHH
There's a white paper on it here:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
HTH
Paddy
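As an added illustration of what the NAR fields above bind together (this is example code written for this thread, not Cisco ACS code and not from any poster): a small model of how a CLI/DNIS-based Network Access Restriction is evaluated. Each permitted entry ties an AAA client (the access point), a port ("*" for any) and an Address (the client's MAC as reported by the AP) to one user. The field names, the dotted HHHH.HHHH.HHHH format and the deny-on-no-match rule are assumptions of the model, as is the sample user and MAC.

```python
# Added example: a model of CLI/DNIS-based NAR evaluation, not ACS's own
# implementation. Field names and the MAC format are assumptions.
from dataclasses import dataclass
import re


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to HHHH.HHHH.HHHH regardless of input separator."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class NarEntry:
    aaa_client: str   # the access point (AAA client) the user may come through
    port: str         # "*" = any port
    address: str      # calling-station (client laptop) MAC


@dataclass(frozen=True)
class AccessRequest:
    username: str
    aaa_client: str          # which AP forwarded the request
    port: str
    calling_station: str     # client MAC reported by that AP


def nar_permits(entries, req) -> bool:
    """True if some permitted entry matches the request's AP, port and client MAC."""
    for e in entries:
        if e.aaa_client != req.aaa_client:
            continue
        if e.port != "*" and e.port != req.port:
            continue
        if normalize_mac(e.address) != normalize_mac(req.calling_station):
            continue
        return True
    return False


# Constructed sample: jsmith may only log in from laptop MAC 0011.2233.4455
# and only through the AP registered in ACS as "ap-floor1".
USER_NARS = {
    "jsmith": [NarEntry("ap-floor1", "*", "0011.2233.4455")],
}


def evaluate(req) -> str:
    entries = USER_NARS.get(req.username)
    if entries is None:
        return "no NAR configured"   # ACS would fall through to its other checks
    return "permit" if nar_permits(entries, req) else "deny"


if __name__ == "__main__":
    print(evaluate(AccessRequest("jsmith", "ap-floor1", "1", "00:11:22:33:44:55")))
    print(evaluate(AccessRequest("jsmith", "ap-floor2", "1", "00:11:22:33:44:55")))
```

The second call is the case the original poster asks about: the same user and the same laptop MAC are denied when they arrive through a different AP, because the entry binds all three (user, AP, client MAC), not the AP's own MAC. A sniffed MAC alone still needs the user's real account password to pass the PEAP exchange.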
12-07-2004 07:07 AM
Wouldn't that be binding a user to the MAC address of the access point instead of the MAC address of the user's laptop? I think I am just going to perform PEAP without MAC authentication. I thought using the MAC authentication would add a little more security but it actually seems to make it more susceptible to attack. Thanks for the reply.
12-07-2004 11:13 AM
In my opinion, the administrative overhead to maintain MAC authentication outweighs the benefits of MAC authentication. If a hacker can break PEAP, he/she can easily hack MAC authentication. PEAP authentication is encrypted and the MAC address of the client adapter is not encrypted.
You need to maintain the MAC address when there is a new wireless client adapter or when you retire a laptop.
12-08-2004 10:51 AM
I have successfully used MAC with PEAP authentication. Use the MAC address for both the username and PAP password. Check Separate (CHAP/MS-CHAP/ARAP) password and enter a long (10+ characters) random password and forget it. You do not need to remember this password. This long password with the MAC address can be used to authenticate the PEAP session, so make sure it's long, random and nobody knows what it is.
One nice thing about using MAC with some other authentication (LEAP, PEAP, FAST) is that it provides one more layer someone needs to go through. Even though it's very easy to spoof, the average user will move onto another AP.
Rob
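To make the hole from the first post and Rob's mitigation concrete, here is an added audit script (example code written for this thread, not from any poster and not an ACS tool). It walks a constructed export of ACS user records and flags MAC-style accounts whose effective MS-CHAP password is the MAC itself, or whose separate password is shorter than Rob's 10 characters. The record layout, the field names and the rule that an unticked "Separate (CHAP/MS-CHAP/ARAP) password" box makes the PAP password apply to MS-CHAP as well are assumptions of this model.

```python
# Added example: audit of ACS-style user records for the MAC-as-password
# weakness. Record layout and field names are assumptions, sample data is
# constructed.
import re

MIN_SEPARATE_PW_LEN = 10   # Rob's "10+ characters"


def mac_key(s: str) -> str:
    """Strip separators so 00:11:22:33:44:55, 0011.2233.4455 and 001122334455 compare equal."""
    return re.sub(r"[^0-9a-fA-F]", "", s).lower()


def looks_like_mac(s: str) -> bool:
    return re.fullmatch(r"[0-9a-f]{12}", mac_key(s)) is not None


def audit_user(rec: dict) -> list:
    """Return finding codes for one user record (empty list = nothing flagged)."""
    findings = []
    user = rec["username"]
    pap = rec.get("pap_password", "")
    # None models the "Separate (CHAP/MS-CHAP/ARAP) password" box being unticked;
    # the PAP password is then assumed to serve MS-CHAPv2 inside PEAP as well.
    sep = rec.get("chap_password")
    if not looks_like_mac(user):
        return findings            # ordinary (e.g. AD-backed) account, out of scope here
    effective_chap = pap if sep is None else sep
    if mac_key(effective_chap) == mac_key(user):
        # Anyone who observes this MAC over the air can type it as both
        # username and password at the PEAP prompt: the original poster's hole.
        findings.append("peap-accepts-mac-as-password")
    elif len(effective_chap) < MIN_SEPARATE_PW_LEN:
        findings.append("separate-password-too-short")
    return findings


def audit(records):
    return {r["username"]: audit_user(r) for r in records}


# Constructed sample export (not real data).
SAMPLE_USERS = [
    # separate-password box unticked: MAC doubles as the MS-CHAP password
    {"username": "0011.2233.4455", "pap_password": "0011.2233.4455"},
    # box ticked but the MAC was entered again
    {"username": "0011.2233.4466", "pap_password": "0011.2233.4466", "chap_password": "0011.2233.4466"},
    # box ticked with a short separate password
    {"username": "0011.2233.4477", "pap_password": "0011.2233.4477", "chap_password": "short"},
    # box ticked with a long random separate password: Rob's setup
    {"username": "0011.2233.4488", "pap_password": "0011.2233.4488", "chap_password": "q7Rz!4pLm2#vX9"},
    {"username": "jsmith", "pap_password": "(AD-backed, irrelevant here)"},
]

if __name__ == "__main__":
    for user, f in audit(SAMPLE_USERS).items():
        print(user, "OK" if not f else ", ".join(f))
```

Only the fourth record passes: the MAC still works as the PAP credential for plain MAC authentication, while the PEAP/MS-CHAP path requires a secret nobody types, which is exactly the split Rob describes.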