PEAP with MAC authentication

I am getting ready to deploy some access points and I am using MS PEAP with ACS and Active Directory. I was thinking about using MAC authentication as well but I noticed something. In order to get MAC authentication to work you have to put the MAC address in ACS as a user, using the MAC address as both the username and password. When I connect to my access point it prompts me to enter a username and password; you normally would enter your Active Directory account here, but I noticed that if you just enter your MAC address as the username and password you can get onto the network. Isn't this a security hole? An attacker could basically "sniff" the air for MAC addresses since these are not encrypted. He could then easily spoof his MAC address and also use the MAC address as the username and password to gain access. Is there a way to avoid this?

Hi,
You could consider using Network Access Restrictions, which is a form of MAC filtering and will prevent you from having to add the MAC addresses of users to your ACS database.
This basically binds a client's MAC address to an access point, so if a user tries to log in from a different MAC address using their normal account it will be denied by ACS; you are effectively binding users to MAC addresses from allowed access points.
The MAC address could probably still be sniffed, however this would not be enough to allow a login to the network.
It's configured on a per-user basis.
If you edit a user, scroll down to "Define CLI/DNIS-based access restrictions" and tick the box.
Select the AP from which you will permit the client MAC in the "AAA Client" drop down.
Enter "*" for the port.
Enter the MAC address in the Address field.
I can't quite remember the format of the MAC address, but I think it needs to be in HHHH.HHHH.HHHH.
There's a white paper on it here:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
HTH
Paddy
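An added example (not from the thread or from Cisco ACS) that models the two RADIUS decisions discussed above: MAC-as-username-and-password, versus an account password plus a per-user Network Access Restriction that ties the account to a Calling-Station-Id seen from a permitted AP. The accounts, MACs and AP addresses are constructed, and canonicalising the MAC format is a modelling shortcut, since ACS matches the string exactly as the AP sends it.

```python
# Added example, not code from the thread or from Cisco ACS: a toy RADIUS
# decision model for the two schemes discussed above.
#   mac_auth(): the client MAC is both User-Name and User-Password (the hole).
#   nar_auth(): a real account password plus a per-user Network Access
#               Restriction binding the account to one client MAC
#               (Calling-Station-Id) seen from one permitted AP (NAS-IP-Address).
# All accounts, MACs and addresses below are constructed for the demo.
import hmac
import re

def canon_mac(mac):
    """Reduce 'HHHH.HHHH.HHHH', 'hh:hh:hh:hh:hh:hh' or 'hh-hh-hh-hh-hh-hh' to 12
    lowercase hex digits. Modelling shortcut: ACS matches the exact string the AP sends."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

# Constructed account database (stand-in for the AD lookup).
ACCOUNTS = {"alice": "c0rrect-horse-battery"}
# Constructed MAC-only accounts: username == password == MAC.
MAC_ACCOUNTS = {canon_mac("0025.d3db.778b")}
# Constructed NAR table: account -> (permitted AP address, permitted client MAC).
NAR = {"alice": ("10.0.0.5", canon_mac("0025.d3db.778b"))}

def mac_auth(req):
    """Accept if User-Name and User-Password are the same registered MAC."""
    try:
        name, pw = canon_mac(req["User-Name"]), canon_mac(req["User-Password"])
    except ValueError:
        return False
    return name == pw and name in MAC_ACCOUNTS

def nar_auth(req):
    """Accept only with the account's password and, when a NAR exists for the
    account, the expected Calling-Station-Id arriving via the expected AP."""
    secret = ACCOUNTS.get(req["User-Name"])
    if secret is None or not hmac.compare_digest(secret, req["User-Password"]):
        return False
    if req["User-Name"] not in NAR:
        return True
    ap, mac = NAR[req["User-Name"]]
    try:
        seen = canon_mac(req["Calling-Station-Id"])
    except ValueError:
        return False
    return req["NAS-IP-Address"] == ap and seen == mac

def demo():
    """Evaluate three constructed Access-Requests under both policies."""
    legit = {"User-Name": "alice", "User-Password": "c0rrect-horse-battery",
             "Calling-Station-Id": "00-25-D3-DB-77-8B", "NAS-IP-Address": "10.0.0.5"}
    # Right password, but from an unlisted MAC on an AP the NAR does not permit.
    wrong_place = {**legit, "Calling-Station-Id": "00-11-22-33-44-55",
                   "NAS-IP-Address": "10.0.0.9"}
    # Only the (sniffable) MAC is known; no account password.
    mac_only = {"User-Name": "0025d3db778b", "User-Password": "0025d3db778b",
                "Calling-Station-Id": "00-25-D3-DB-77-8B", "NAS-IP-Address": "10.0.0.5"}
    cases = [("legit", legit), ("wrong_place", wrong_place), ("mac_only", mac_only)]
    return {name: (mac_auth(r), nar_auth(r)) for name, r in cases}

if __name__ == "__main__":
    for name, (m, n) in demo().items():
        print(f"{name:12s} mac_auth={m}  nar_auth={n}")
```

The "mac_only" case is accepted by the MAC-only policy and refused by the NAR policy, which is the difference the reply above is pointing at.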

Similar Messages

  • WPA PSK doesn't work with MAC Authentication. AP1231G

    Hi, yesterday I've installed an Aironet Access Point 1200 series AP1231G for the first time.
    I'd like to use MAC Authentication with a WPA Pre-Shared Key. But it doesn't work. If I choose "Open Authentication with MAC Authentication", I can't type a WPA Pre-Shared Key. The system doesn't keep it.
    It only works with "Open Authentication" without MAC-Filter.
    Settings:
    Encryption Manager: TKIP
    SSID Manager
    1. Client Authentication: Open Authentication with MAC Authentication
    2. Key Management: Mandatory WPA + WPA Pre-Shared-Key
    If I type in a Pre-Shared-Key and click on "Apply", the Pre-Shared-Key gets lost.

    Tina,
    In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d09.html#wp1034916

  • WPA 2 with Mac authentication

    Hi all,
    I am faced with a dilemma. I have implemented a wireless network throughout our main building using WPA2 LEAP authenticating against Active Directory. Now the security engineer is griping that MAC authentication should be used in addition. The only reason I did not choose this option is because I believe that the MAC is transmitted with an initial packet and can be spoofed anyway, not to mention the overhead of tracking all MACs. Does anyone have any input on this issue that would help the argument for supporting or not supporting the authentication methods I just spoke of? Any help is greatly appreciated!

    Well, if your security engineer is so dead set on adding MAC address to the authentication process even though he knows that MAC address can be spoofed (its biggest vulnerability) - good luck with changing his mind.
    I had experience with MAC authentication at the enterprise level. I used it along with WEP. Obviously there is no AD or RADIUS in place. The entire list of MAC addresses is kept on all APs to facilitate enterprise-wide roaming. Well, having a list of 300 MACs on the AP makes the authentication process painfully slow. I don't know how many clients you have and what kind of RADIUS server you are using. The impact will be different in your case.
    Apart from the slow authentication process because of the gigantic list of MACs, it is very hard to keep up with all MACs because of new laptops and upgraded client adapters, etc. If the users make a fuss, your security engineer may change his mind.
    HTH

  • EAP with MAC Authentication

    Quick question on EAP with MAC auth....
    Documentation shows that if you enable EAP with MAC, clients that do not support EAP authentication, will then be able to use MAC. Is it possible to enforce that clients use both EAP and MAC? I don't want to create a security hole by allowing clients to skip the EAP and only use MAC.
    Here is the text from http://www.cisco.com that supports above. Is this true, or am I just being paranoid?
    You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.

    I have this exact same question on a 1242 AP running c1240-k9w7-mx.123-8.JA2.
    I was told that it is possible on this version of IOS to select "with EAP or MAC Authentication", but I have had no success in doing so.
    On Windows XP SP2 clients with the WPS-IE update installed, I disabled encryption and have open authentication selected. Nonetheless, the client continues to ask for credentials to connect to the network (I also deleted the registry keys that store these 802.1x credentials).
    Does anyone have an answer that we can use?

  • Can't send in Apple Mail with .Mac - authentication problem

    I use Entourage on my laptop for my business account and Apple Mail on my laptop for my .Mac account. Sometimes when I travel and am using hotel and T-Mobile wireless hotspots, I have to turn off password authentication for my SMTP server in order to send mail. This works like a champ in Entourage, but when I try to turn off password authentication in Mail for my .Mac account, it automatically still tries to authenticate! This results in me not being able to send .Mac mail. I tested this in Entourage on my .Mac account, turned off authentication for smtp.mac.com and it works, so this is definitely an Apple Mail problem specific to .Mac. Has anyone else experienced this? Is there a fix? I have tried to create a new smtp.mac.com account in Apple Mail that does not authenticate, but somehow it changes into an SMTP account with password authentication. Help.

    I've been sending ".doc" files from both Mail and Entourage for some time without a problem.
    Having said that, is there a chance that your Internet Service Provider is somehow blocking some file types?
    I've recently come across a couple of European internet providers who do block executables and key file types that are known to cause problems or that might contain viruses/trojans.

  • WPA2-PSK with open MAC authentication

    Can anyone help me with the configuration of an autonomous AP with WPA2-PSK with MAC authentication?
    I tried configuring and created 700 ACL. But it's not working.

    Once I enable MAC authentication, "wpa-psk ascii 7 06020C234D1F5B4A511416" disappears. :(
    Model: AIR-SAP1602E-N-K9
    IOS: ap1g2-k9w7-mx.152-2.JB2/ap1g2-k9w7-mx.152-2.JB2
    Getting Error: WPA-PSK not supported with MAC address authentication configured

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid Svez
    antenna gain 0
    station-role root
    world-mode legacy
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#
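An added example (not code from the thread or from Cisco) that audits a pasted "show configuration" for the combination the other threads report as unsupported: an SSID with open mac-address authentication and WPA key management but no wpa-psk, which is what the config above shows. SAMPLE_CONFIG is constructed from the posted config, abridged, with the block indentation restored; the checks are my own heuristics, not an IOS feature.

```python
# Added example, not code from the thread or from Cisco: a small audit of the
# pasted "show configuration" output. It parses each "dot11 ssid" block and flags
# the combination the other threads call unsupported: open authentication with
# mac-address plus WPA key management and no wpa-psk (IOS drops the PSK), which
# leaves clients with no way to derive keys. It also lists local usernames that
# are MAC addresses. SAMPLE_CONFIG is constructed from the posted config,
# abridged and with block indentation restored.
import re

SAMPLE_CONFIG = """\
dot11 ssid Svez
   authentication open mac-address mac_methods
   authentication key-management wpa version 2
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid Svez
"""

def parse_ssids(config):
    """Return {ssid: [sub-commands]} for every 'dot11 ssid' block."""
    ssids, current = {}, None
    for line in config.splitlines():
        m = re.match(r"dot11 ssid (\S+)\s*$", line)
        if m:
            current = m.group(1)
            ssids[current] = []
        elif current is not None and line.startswith(" "):
            ssids[current].append(line.strip())
        else:
            current = None  # any unindented line ends the block
    return ssids

def audit_ssid(cmds):
    """Findings for one SSID's sub-commands."""
    mac_auth = any(c.startswith("authentication open") and "mac-address" in c for c in cmds)
    eap_auth = any(c.startswith("authentication network-eap")
                   or (c.startswith("authentication open") and " eap" in c) for c in cmds)
    wpa = any(c.startswith("authentication key-management wpa") for c in cmds)
    psk = any(c.startswith("wpa-psk") for c in cmds)
    findings = []
    if wpa and not psk and not eap_auth:
        if mac_auth:
            findings.append("open mac-address auth with WPA but no wpa-psk: IOS rejects "
                            "WPA-PSK together with MAC authentication, so the SSID has no "
                            "keying method and clients cannot join")
        else:
            findings.append("WPA key management with neither wpa-psk nor EAP: "
                            "clients cannot derive keys")
    return findings

def mac_usernames(config):
    """Local usernames that are 12 hex digits, i.e. MAC-as-credential accounts."""
    return sorted(set(re.findall(r"^username ([0-9a-f]{12})\b", config, re.M)))

def audit(config):
    """Per-SSID findings plus the list of MAC-style local usernames."""
    report = {ssid: audit_ssid(cmds) for ssid, cmds in parse_ssids(config).items()}
    report["mac_usernames"] = mac_usernames(config)
    return report
```

Running audit(SAMPLE_CONFIG) reports one finding for the Svez SSID and the two MAC-style local accounts; feed it your own "show configuration" text to check other SSID blocks.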

  • MAC Authentication on autonomous APs

    Hi!
    Has anyone here tried MAC authentication using Aironet 1200 series? If so, can you please tell me how to do it? Because I've been trying to make it work and it just won't work. Thanks!
    Regards

    Hi,
    Are you talking about RADIUS MAC authentication?
    The steps to configure MAC authentication on the ACS server and AP :
    [1] Go to Server Manager
    In the Corporate Servers -->Current Server List
    -- Select the Radius Server in the drop down.
    -- Specify the Server IP address in the Server: field
    -- Specify the Shared Secret in the Shared Secret: field
    -- Set the Authentication Port (optional): 1645 and the Accounting Port (optional): 1646
    - click on Apply
    -- In the Default Server Priorities and under MAC Authentication
    -- In the drop down Priority 1: select the IP address of the ACS server and click on Apply
    [2] Go to SSID Manager
    -- Select the SSID, or create a new SSID if one is needed.
    -- In Authentication Settings --> Methods Accepted: --> check on Open Authentication:
    --> Select with Mac Authentication from the drop down menu.
    - Click on the Apply all button to save this setting
    [3] Go to Advanced Security
    -- In the MAC Address Authentication -->MAC Addresses Authenticated by:
    -- Select Authentication Server Only and click on Apply
    On the ACS server Create Users with user names and password set to the MAC address of the
    clients. These user names/passwords should NOT have any spaces or dots in between them.
    Regards,
    ~JG

  • WLC+LAP+ACS4.0 achieving 802.1x PEAP and MAC address authentication ?

    How to configure WLC + LAP + ACS4.0, achieving username and password authentication and MAC address at the same time

    This might help with the PEAP:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00807917aa.shtml
    MAC Authentication
    Add a MAC Address to ACS
    Complete these steps:
    1. From the ACS main menu, click on the User Setup button.
    2. In the User text box, enter the MAC address to add to the user database.
    Note: The MAC address must be exactly as it is sent by the AP for both the username and the password. If authentication fails, check the failed attempts log to see how the MAC is being reported by the AP. Do not cut and paste the MAC address, as this can introduce phantom characters.
    3. On the User Setup screen, enter the MAC address in the Secure-PAP password text box.
    4. Check the Separate (CHAP/MS-CHAP) box.
    5. Enter a password for CHAP/MS-CHAP (this password should be different from the MAC address).
    6. Click Submit.

  • PEAP-MSCHAPv2 & MAC-AUTH with WEP on same AP

    Hi,
    is it possible to have PEAP-MSCHAPv2 authentication and MAC authentication against a central Cisco ACS, on the same access point on different SSIDs, without conflicting with each other?
    Thanks
    Jorge

    The answer would depend upon the configuration done on the AP.
    a) if you have configured VLANs on your AP then you can set up an SSID, map it to each VLAN and configure encryption for each VLAN accordingly
    b) if there are no VLANs, the two SSIDs would still work, but then you have to have the same encryption on both SSIDs.

  • Intel Mac OS X can't connect using 802.1x with TTLS authentication

    To login at the wireless network on my school I use the following settings:
    802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
    My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
    On my old iBook and my friend's PowerBook with exactly the same settings it works perfectly (and gets an assigned IP address through DHCP).
    Bug in the Intel version of Mac OS X I guess?

    Regarding the post about other intel macs being unaffected, I don't have an imac so I don't know for sure, but the connectivity problems seem to be more widely reported for the macbooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (note to self, check on that).
    What I can't understand is why they have changed the airport express card for the intel macs, albeit the processor has changed but that shouldn't affect the card as that should be processor
    The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
    In the macbooks, it appears to be a mini-PCI-express. (I had to send my back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
    Some side-benefits of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.

  • 802.1x peap mschap v2 with MAC Filter + IP Address Permanent

    Hi, my name is Ivan, I have an issue.
    I have one Cisco WLC 5508 with IOS 7.4.100 with an SSID that is working with 802.1x PEAP MSCHAPv2 with MAC filter, and I need to configure, in the web page of the WLC under Security > MAC Filter, a MAC and one permanent IP address for the users.
    I have a DHCP service in the WLC for this profile.
    This configuration works fine for 3 or 4 days. On the fifth day my users renew the IP address, and they cannot surf the internet, because in my firewall I have a policy for the users with an exact IP address, for example:
    MAC Filter - IP Address A - UserA
    My policy says:
    PolicyUserA - Internet
    Please, can I establish a MAC filter associating one permanent IP address with one user, when the DHCP service in the Cisco WLC is active?
    Is it possible to do it?
    How can I do it?

    Hi Ivan,
    You cannot map MAC-IP address pairs on the WLC DHCP.
    The WLC has limited DHCP server functionality. You'd better use an external DHCP server with full functionality; then you can configure the DHCP server to provide the same IP address every time to each client in your network.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • 802.1x authentication with mac address

    Hi guys,
    there is a strange requirement from one of our customers:
    they want us to do 802.1x with MAC address authentication and they don't want the pop-ups which ask
    for username, password and domain.
    Is it possible?
    Can I avoid popping up the username/password with 802.1x, and that too with MAC address?
    Any help would be greatly appreciated
    Thanks
    Jvalin

    Hi,
    The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
    A Windows server admin can easily push a group policy which disables 802.1x on the client machine and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in the IOS.
    For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    Regards,
    Kush

  • Domain authentication with mac address restrictions

    I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
    WLAN1 with SSID1: for company computers and laptops
    WLAN2 with SSID2: for ipads and tablets
    WLAN3 with SSID3:  for guests
    I am asked to configure WLAN2 as "WLAN2: Provides the Wi-Fi connectivity to iPads and tablets, with back end security using domain authentication with MAC address restrictions."

    You would need to create a separate policy and be able to have a separation between the two policies... It's kind of hard to explain, but you would have for example:
    Policy 1:
    Wireless user on this SSID WLAN1
    AD on this AD Group (Machine)
    Policy 2:
    Wireless user on this SSID WLAN 2
    AD on this AD Group (User)
    Thanks,
    Scott
    *****Help out others by using the rating system and marking answered questions as "Answered"*****

  • ACS Server MAC Authentication with Windows Database

    Has anyone setup an ACS Server 3.2 for MAC authentication using Windows as the authentication. The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.

    Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml
