WPA2 with MAC authentication
Hi all,
I am faced with a dilemma. I have implemented a wireless network throughout our main building using WPA2 LEAP authenticating against Active Directory. Now the Security Engineer is griping that MAC authentication should be used in addition. The only reason I did not choose this option is that I believe the MAC is transmitted with an initial packet and can be spoofed anyway, not to mention the overhead of tracking all MACs. Does anyone have any input on this issue that would help the argument for supporting or not supporting the authentication methods I just spoke of? Any help is greatly appreciated!
Well, if your security engineer is so dead set on adding the MAC address to the authentication process even though he knows that a MAC address can be spoofed (its biggest vulnerability), good luck with changing his mind.
I had experience with MAC authentication at the enterprise level. I used it along with WEP. Obviously there was no AD or RADIUS in place. The entire list of MAC addresses is kept on all APs to facilitate enterprise-wide roaming. Well, having a list of 300 MACs on the AP makes the authentication process painfully slow. I don't know how many clients you have and what kind of RADIUS server you are using. The impact will be different in your case.
Apart from the slow authentication process because of the gigantic list of MACs, it is very hard to keep up with all MACs because of new laptops, upgraded client adapters, etc. If the users make a fuss, your Security Engineer may change his mind.
HTH
Similar Messages
WPA PSK doesn't work with MAC Authentication. AP1231G
Hi, yesterday I've installed an Aironet Access Point 1200 series AP1231G for the first time.
I'd like to use MAC Authentication with a WPA Pre-Shared Key, but it doesn't work. If I choose "Open Authentication with MAC Authentication", I can't type a WPA Pre-Shared Key; the system doesn't keep it.
It only works with "Open Authentication" without MAC-Filter.
Settings:
Encryption Manager: TKIP
SSID Manager
1. Client Authentication: Open Authentication with MAC Authentication
2. Key Management: Mandatory WPA + WPA Pre-Shared-Key
If I type in a Pre-Shared-Key and click on "Apply", the Pre-Shared-Key gets lost.
Tina,
In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00804e7d09.html#wp1034916
1130 WPA-PSK Radius Mac Authentication
I am trying to get our Cisco 1130 APs to use RADIUS MAC Authentication using a FreeRADIUS server. We have been successful with other APs (Proxim, Netgear) but haven't been able to get the Cisco 1130 to work.
I have attached 2 files. One is the running config, and the other is a debug of radius.
This is what the FreeRADIUS log says:
Thu Nov 6 02:48:46 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 291 cli 00-40-96-A3-E0-12)
I would appreciate any help that anyone is willing to give.
Use the wpa-psk SSID interface configuration command to configure a pre-shared key for use in WPA authenticated key management. To support WPA on a wireless LAN where 802.1x-based authentication is not available, you must configure a pre-shared key for the SSID.
wpa-psk { hex | ascii } [ 0 | 7 ] encryption-key
But be aware that this command is not supported on bridges.
Quick question on EAP with MAC auth....
Documentation shows that if you enable EAP with MAC, clients that do not support EAP authentication, will then be able to use MAC. Is it possible to enforce that clients use both EAP and MAC? I don't want to create a security hole by allowing clients to skip the EAP and only use MAC.
Here is the text from http://www.cisco.com that supports above. Is this true, or am I just being paranoid?
You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.
I have this exact same question on a 1242 AP running c1240-k9w7-mx.123-8.JA2.
I was told that it is possible on this version of IOS to select "with EAP or MAC Authentication", but I have had no success in doing so.
On Windows XP SP2 clients with the WPS-IE update installed, I disabled encryption and have open authentication selected. Nonetheless, the client continues to ask for credentials to connect to the network (I also deleted the registry keys that store these 802.1x credentials).
Does anyone have an answer that we can use?
I am getting ready to deploy some access points and I am using MS PEAP with ACS and Active Directory. I was thinking about using MAC authentication as well, but I noticed something. In order to get MAC authentication to work you have to put the MAC address in ACS as a user, using the MAC address as both the username and password. When I connect to my access point it prompts me to enter a username and password; you would normally enter your Active Directory account here, but I noticed that if you just enter your MAC address as the username and password you can get onto the network. Isn't this a security hole? An attacker could basically "sniff" the air for MAC addresses since these are not encrypted. He could then easily spoof his MAC address and also use the MAC address as the username and password to gain access. Is there a way to avoid this?
Hi,
You could consider using Network Access Restrictions which is a form of MAC filtering and will prevent you from having to add the MAC addresses of users to your ACS database.
This basically binds a client's MAC address to an access point, so if a user tries to log in from a different MAC address using their normal account it will be denied by ACS. You are effectively binding users to MAC addresses from allowed access points.
The MAC address could probably still be sniffed however this would not be enough to allow a login to the network.
It's configured on a per-user basis.
If you edit a user, scroll down to
"Define CLI/DNIS-based access restrictions" and tick the box.
Select the AP from which you will permit the client MAC in the "AAA Client" drop-down,
enter "*" for the port,
and enter the MAC address in the Address field.
I can't quite remember the format of the MAC address but I think it needs to be in HHHH.HHHHH.HHHH.
There's a white paper on it here:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
HTH
Paddy
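As an added example (not code from any post in this thread), here is a small Python audit over FreeRADIUS "Login OK" lines of the shape quoted earlier in the 1130 thread. It flags the MAC-as-username logins the previous post calls a security hole, and separately flags a MAC credential that arrives from a station whose Calling-Station-Id is a different MAC, which is the spoofed-credential case Paddy's NAR binding is meant to refuse. The log lines other than the quoted one are constructed, and the format assumes the server logs the password field the way the quoted line does.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of the FreeRADIUS "Login OK" line quoted in the thread. The second bracketed
# field is the cleartext password only when the server is configured to log it.
LOGIN_RE = re.compile(
    r"Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]+)/(?P<secret>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<cli>[0-9A-Fa-f:.\-]+)\)"
)


def normalize_mac(value: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if the value is not MAC-shaped."""
    if re.sub(r"[0-9A-Fa-f:.\-]", "", value):   # anything other than hex digits or separators
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", value)
    return digits.lower() if len(digits) == 12 else None


@dataclass
class Finding:
    line: str
    reason: str


def audit_line(line: str) -> List[Finding]:
    """Flag successful logins whose username is a MAC address (the MAC-as-credential pattern)."""
    m = LOGIN_RE.search(line)
    if not m or m.group("result") != "OK":
        return []
    user_mac = normalize_mac(m.group("user"))
    if user_mac is None:
        return []                     # an ordinary account name (AD user, etc.)
    findings = [Finding(line, f"MAC-as-username login for {user_mac}")]
    if normalize_mac(m.group("secret")) == user_mac:
        findings.append(Finding(line, "password is identical to the MAC username"))
    cli_mac = normalize_mac(m.group("cli"))
    if cli_mac is not None and cli_mac != user_mac:
        # The MAC credential was presented by a station with a different Calling-Station-Id:
        # the replay that binding users to a MAC and AP in ACS is meant to deny.
        findings.append(Finding(line, f"MAC credential {user_mac} presented from station {cli_mac}"))
    return findings


def audit(log: str) -> List[Finding]:
    return [f for line in log.splitlines() for f in audit_line(line)]


# Constructed sample log: the first line is the one quoted in the thread, the rest are invented.
SAMPLE_LOG = """\
Thu Nov  6 02:48:46 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 291 cli 00-40-96-A3-E0-12)
Thu Nov  6 02:49:10 2008 : Auth: Login OK: [004096a3e012/004096a3e012] (from client 10.80.0.17 port 292 cli 00-11-22-33-44-55)
Thu Nov  6 02:49:30 2008 : Auth: Login OK: [jsmith/<via Auth-Type = EAP>] (from client 10.80.0.17 port 293 cli 00-11-22-33-44-55)
Thu Nov  6 02:50:02 2008 : Auth: Login incorrect: [004096a3e012/badpass] (from client 10.80.0.17 port 294 cli 00-40-96-A3-E0-12)
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f.reason)
```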
Can't send in Apple Mail with .Mac - authentication problem
I use Entourage on my laptop for my business account and Apple Mail on my laptop for my .Mac account. Sometimes when I travel and am using hotel and T-Mobile wireless hotspots, I have to turn off password authentication for my SMTP server in order to send mail. This works like a champ in Entourage, but when I try to turn off password authentication in Mail for my .Mac account, it still tries to authenticate automatically! This results in me not being able to send .Mac mail. I tested this in Entourage on my .Mac account, turned off authentication for smtp.mac.com and it works, so this is definitely an Apple Mail problem specific to .Mac. Has anyone else experienced this? Is there a fix? I have tried to create a new smtp.mac.com account in Apple Mail that does not authenticate, but somehow it changes into an SMTP account with password authentication. Help.
I've been sending ".doc" files from both Mail and Entourage for some time without a problem.
Having said that, is there a chance that your Internet Service Provider is somehow blocking some file types?
I've recently come across a couple of European internet providers who do block executables and key file types that are known to cause problems or that might contain viruses/trojans.
WPA2-PSK with open MAC authentication
Can anyone help me with the configuration of an autonomous AP with WPA2-PSK with MAC authentication?
I tried configuring it and created ACL 700, but it's not working. Once I enable MAC authentication, "wpa-psk ascii 7 06020C234D1F5B4A511416" disappears. :(
Model: AIR-SAP1602E-N-K9
IOS: ap1g2-k9w7-mx.152-2.JB2/ap1g2-k9w7-mx.152-2.JB2
Getting Error: WPA-PSK not supported with MAC address authentication configured
Cisco aironet 1040: create wireless with wpa2 and mac authentication
Hi,
I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
I would also add the MAC address filter, so next to Open Authentication I selected "with mac authentication", but I cannot connect. The list of MACs is specified in the "Advanced Security".
Can anyone help me? thanks
ap#show configuration
Using 2085 out of 32768 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
logging rate-limit console 9
aaa new-model
aaa group server radius rad_eap
aaa group server radius rad_mac
aaa group server radius rad_acct
aaa group server radius rad_admin
aaa group server tacacs+ tac_admin
aaa group server radius rad_pmip
aaa group server radius dummy
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
aaa session-id common
dot11 syslog
dot11 ssid Svez
authentication open mac-address mac_methods
authentication key-management wpa version 2
username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
username 00907a0f2a55 autocommand exit
username administrator privilege 15 password 7 033449040A0620425A0D15564F42
username 0025d3db778b password 7 055B565D74481D0D1B52404A09
username 0025d3db778b autocommand exit
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers tkip
ssid Svez
antenna gain 0
station-role root
world-mode legacy
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
interface BVI1
ip address dhcp client-id GigabitEthernet0
no ip route-cache
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
line con 0
line vty 0 4
end
ap#
I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication, but I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dry, but how can I configure the AP to look to the ACS server for its MAC list? And how can I get WPA-PSK and MAC authentication to work together?
Hi Jared,
you can do this by setting up the following:
Web interface:
1. Security -> Server Manager
Set up the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
2. Security -> Advanced Security
In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
IOS Interface from config mode:
aaa group server radius rad_mac
server 10.20.40.37 auth-port 1645 acct-port 1646
and
aaa authentication login mac_methods group rad_mac
or
aaa authentication login mac_methods group rad_mac local (for local fallback)
I have not tested this, because the MAC of the supplicants is too easy to sniff and any medium-skilled person may use a sniffed MAC to enter the first authentication stage!
Better use a setup with EAP-FAST or PEAP!
I hope that helps.
Best regards,
Frank
Hello Everyone,
I have an issue with my Cisco 1602 WAP. I am trying to configure WPA-PSK and MAC authentication on the local RADIUS, but I don't know why it doesn't work and the client can bypass the MAC authentication. Below is a partial configuration:
dot11 ssid WLAN
vlan 20
authentication open
authentication key-management wpa version 2
mbssid guest-mode
wpa-psk ascii 7 XXX
interface Dot11Radio0
no ip address
no ip route-cache
encryption mode ciphers aes-ccm
encryption vlan 20 mode ciphers aes-ccm
ssid WLAN
antenna gain 0
stbc
beamform ofdm
mbssid
channel 2462
station-role root
interface Dot11Radio0.20
encapsulation dot1Q 20 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface BVI1
ip address 10.133.16.2 255.255.255.128
no ip route-cache
radius-server local
nas 10.133.16.2 key 7 10.133.16.2
group MAC
vlan 20
ssid WLAN
block count 3 time infinite
reauthentication time 1800
user 54724f80421c password 54724f80421c group MAC
Further information can be provided by request.
Cheers,
Parham
What are you trying to accomplish?
With the PSK you aren't telling the client it needs to do .1x auth for the Mac authentication.
If you are just trying to keep some clients off the wireless, I would take a look at doing a MAC ACL (ACL 700)
HTH,
Steve
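As an added example (not code from any post in this thread), here is a Python audit of an Aironet running-config that checks each dot11 ssid block for the MAC-authentication pitfalls these threads run into: WPA-PSK combined with MAC authentication (the unsupported combination that produced the "WPA-PSK not supported" error above), MAC authentication with no WPA key management behind it, MAC-then-EAP on one open-authentication line (where a MAC pass skips EAP, per the documentation quoted earlier), and the 1602 case just above, where MAC users exist in the local RADIUS but the SSID never asks for a mac-address method. The sample config is constructed in show running-config form; the command syntax follows the configs pasted in the thread, and the parser's top-level keyword list is an assumption so that it also handles configs pasted without indentation.

```python
import re

# Prefixes that start a new top-level section and so end a 'dot11 ssid' block; this lets
# the parser cope with configs pasted without indentation, as they are in this thread.
TOP_LEVEL = ("dot11 ssid ", "interface ", "username ", "bridge ", "radius-server",
             "aaa ", "ip ", "line ", "hostname ", "end", "!")
MAC_USER_RE = re.compile(r"^\s*user(?:name)?\s+[0-9a-f]{12}\s+password", re.I)  # MAC-named user

def parse_ssids(config: str) -> dict[str, list[str]]:
    """Collect the sub-commands of every 'dot11 ssid <name>' block."""
    ssids: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("dot11 ssid "):
            current = line.split(None, 2)[2]
            ssids[current] = []
        elif current is not None and not raw.startswith(" ") and line.startswith(TOP_LEVEL):
            current = None
        elif current is not None and line:
            ssids[current].append(line)
    return ssids

def audit_config(config: str) -> dict[str, list[str]]:
    """Per-SSID findings for the MAC-authentication pitfalls discussed in the thread."""
    mac_users = any(MAC_USER_RE.match(l) for l in config.splitlines())
    report: dict[str, list[str]] = {}
    for name, cmds in parse_ssids(config).items():
        auth = [c.split() for c in cmds if c.startswith("authentication open")]
        mac_auth = any("mac-address" in t for t in auth)
        eap_combo = any("mac-address" in t and "eap" in t for t in auth)
        wpa = any(c.startswith("authentication key-management wpa") for c in cmds)
        psk = any(c.startswith("wpa-psk") for c in cmds)
        findings = []
        if psk and mac_auth:   # the "WPA-PSK not supported with MAC address authentication" error
            findings.append("WPA-PSK with MAC authentication is unsupported; the AP drops the wpa-psk line")
        if mac_auth and not wpa:
            findings.append("MAC authentication is the only gate and the MAC is sent in clear and easily spoofed")
        if eap_combo:          # MAC-then-EAP: a MAC pass joins the network without completing EAP
            findings.append("MAC and EAP on one open-authentication line: a MAC pass bypasses EAP")
        if mac_users and not mac_auth:   # the 1602 case: MAC users defined, SSID never asks for them
            findings.append("MAC user entries exist but this SSID has no mac-address method, so they are not enforced")
        report[name] = findings
    return report

# Constructed sample in 'show running-config' form; the SSID names and the 54724f80421c user come
# from the configs pasted in the thread, everything else is invented.
SAMPLE_CONFIG = """\
dot11 ssid Svez
 authentication open mac-address mac_methods
 authentication key-management wpa version 2
!
dot11 ssid WLAN
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 EXAMPLE_KEY
!
dot11 ssid Legacy
 authentication open mac-address mac_methods eap eap_methods
!
radius-server local
 user 54724f80421c password 54724f80421c group MAC
"""
```

Running `audit_config(SAMPLE_CONFIG)` reports nothing for Svez, the unenforced MAC list for WLAN, and two findings for Legacy.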
MAC Authentication on autonomous APs
Hi!
Has anyone here tried MAC authentication using the Aironet 1200 series? If so, can you please tell me how to do it? I've been trying to make it work and it just won't. Thanks!
Regards
Hi,
Are you talking about radius mac-authentication ?
The steps to configure MAC authentication on the ACS server and AP :
[1] GO to Server Manager
In the Corporate Servers -->Current Server List
-- Select the Radius Server in the drop down.
-- Specify the Server IP address in the Server: field
-- Specify the Shared Secret in the Shared Secret: field
-- Set the Authentication Port (optional): 1645 and the Accounting Port (optional): 1646
- click on Apply
-- In the Default Server Priorities and under MAC Authentication
-- In the drop down Priority 1: select the IP address of the ACS server and click on Apply
[2] Go to SSID Manager
-- Select the SSID; if a new SSID needs to be created, create one.
-- In Authentication Settings --> Methods Accepted: --> check on Open Authentication:
--> Select with Mac Authentication from the drop down menu.
- Click on the Apply all button to save this setting
[3] Goto Advanced Security
-- In the MAC Address Authentication -->MAC Addresses Authenticated by:
-- Select Authentication Server Only and click on Apply
On the ACS server Create Users with user names and password set to the MAC address of the
clients. These user names/passwords should NOT have any spaces or dots in between them.
Regards,
~JG
Intel Mac OS X can't connect using 802.1x with TTLS authentication
To login at the wireless network on my school I use the following settings:
802.1x connection with TTLS authentication and TTLS inner authentication set to PAP.
My MacBook Pro logs in, but has a self assigned ip-address and I can't use the network.
On my old iBook and my friend's PowerBook with exactly the same settings it works perfectly (and gets an assigned IP address through DHCP).
Bug in the Intel version of Mac OS X, I guess?
Regarding the post about other Intel Macs being unaffected, I don't have an iMac so I don't know for sure, but the connectivity problems seem to be more widely reported for the MacBooks. It's certainly possible they are affected as well, but I was under the impression they were using a different chipset and/or firmware. (Note to self: check on that.)
What I can't understand is why they have changed the airport express card for the intel macs, albeit the processor has changed but that shouldn't affect the card as that should be processor
The intel macs were largely designed by intel. I suspect that apple provided case dimensions and a specifications list which intel then used for the designs. The wireless cards in the powerbooks were based (iirc) on a pc-card bus. The older airports were based on PCMCIA-16.
In the macbooks, it appears to be a mini-PCI-express. (I had to send my back for noise issues. ASP might tell you what bus it connects to). The benefit to this is better speed and the possibility of future expansion. Dell uses the same connector.
Some side-benefits of having the board designed by intel (or with heavy intel involvement) is that we can already dual-boot windows XP. Wireless seems to work fine if you run windows on the macbook. Therefore, I think this is a driver issue likely to be resolved sooner rather than later.
802.1x authentication with mac address
Hi guys,
there is a strange requirement from one of our customers:
they want us to do 802.1x with MAC address authentication, and they don't want the pop-ups which ask
for username, password and domain.
Is it possible?
Can I avoid popping up the username/password prompt with 802.1x, and that too with the MAC address?
Any help would be greatly appreciated
Thanks
Jvalin
Hi,
The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable; however, nowadays it is used even if the machine is 802.1x capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it would take the MAC address of the machine as the username without any prompt for username and password.
A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in the IOS.
For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
Regards,
Kush
Domain authentication with mac address restrictions
I am in a branch office and I have one WLC 5508 and one ACS 4.2 with three WLANs:
WLAN1 with SSID1: for company computers and laptops
WLAN2 with SSID2: for ipads and tablets
WLAN3 with SSID3: for guests
I am asked to configure WLAN2 as “WLAN2: Provides the Wi-Fi connectivity to ipads and tablets, with back end security using domain authentication with mac address restrictions.”
You would need to create a separate policy and be able to have a separation between the two policies... It's kind of hard to explain, but you would have, for example:
Policy 1:
Wireless user on this SSID WLAN1
AD on this AD Group (Machine)
Policy 2:
Wireless user on this SSID WLAN 2
AD on this AD Group (USer)
Thanks,
Scott
ACS Server MAC Authentication with Windows Database
Has anyone set up an ACS Server 3.2 for MAC authentication using Windows as the authentication database? The documentation I found shows how to set it up using the CiscoSecure database. Any help would be appreciated.
Here is the link for setting up MAC authentication using the CiscoSecure database. There may not be a solution for my setup, but maybe I'll keep hacking away at it and find a resolution.
http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b3d27.shtml