ND_2007
Wireless AP MAC Authentication on Switch
I am configuring a wireless/wired network and want to make sure it is as secure as possible. To that effect we are implementing EAP-TLS with machine authentication to ensure only domain machines are on the network (no systems from home.)
My question is: Should I try to implement MAC authentication for the access points connected to my switch? I am referring to the actual access points being authenticated by MAC address on the network, not the users connecting to them (those would auth with EAP-TLS.)
I have read a few articles from MS TechNet on implementing the MAC authentication and tried a few setups without success, and wanted to determine if it was worth the effort to track down the issues or just force the port on the switch to auth (using multiple sessions so each machine on a port has to auth to gain access to the network.) From the articles it looked like we would have to use PAP for the MAC auth, which almost seems to defeat the purpose of authing at all since it is plain text, right?
My variables are:
Windows Server 2008 R2 Standard running NPS, CA, AD
Cisco SG500 set to 802.1x auth and MAC as needed
Unifi AP Pro
Thanks!
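To make the PAP concern in the question concrete, here is an added example (my own code, not from the question or from Experts Exchange) of what a switch puts in a RADIUS Access-Request for MAC authentication: the MAC address is sent as both User-Name and PAP User-Password, and the password is hidden with the RADIUS shared secret as RFC 2865 specifies, so it is not literally plain text on the wire. The shared secret, the authenticator value and the 12-hex-digit MAC format are constructed assumptions; the accepted MAC format is configured on the switch and in NPS.

```python
# Added example: RFC 2865 User-Password hiding as used by MAC authentication
# (MAB) over RADIUS with PAP. Not code from the original page.
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks, then XOR
    each block with MD5(shared_secret + previous block), where the first
    'previous block' is the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # chaining: next keystream depends on this ciphertext
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server (NPS) performs it.
    A wrong shared secret yields garbage, which is why NPS rejects the request."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def build_mab_request(mac: str, secret: bytes, authenticator: bytes = b"") -> dict:
    """Attributes a switch sends for MAC authentication. The MAC is the
    User-Name and also the PAP User-Password. The no-separator lowercase
    format is an assumption made for this example."""
    mac_id = mac.lower().replace(":", "").replace("-", "").encode()
    authenticator = authenticator or os.urandom(16)   # fresh random per request
    return {
        "Request-Authenticator": authenticator,
        "User-Name": mac_id,
        "User-Password": hide_password(mac_id, secret, authenticator),
    }
```

Note that User-Name carries the same MAC unhidden, and the MAC is also the source address of every frame the device sends, so the hiding protects the RADIUS exchange rather than the credential itself: MAC authentication identifies a device, it does not strongly authenticate it the way EAP-TLS with a machine certificate does.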
ASKER
I have confirmed forcing the port is the recommended way with a Cisco support tech while I was investigating another issue. Thanks for the input.
Sorry about my lack of response on your last question. There are multiple tools you can use, but if you are running a Cisco system you would be looking at the MSE combined with your controllers/NCS. This would give you the ability to classify rogues, locate, and mitigate. Other vendors have similar solutions.
ASKER
Thanks I will look into those.
ASKER
Thanks,
Keith