Expiring Today—Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Wireless AP MAC Authenticaction on Switch

Posted on 2013-06-03
5
Medium Priority
?
611 Views
Last Modified: 2013-12-09
I am configuring a wireless/wired network and want to make sure it is a secure as possible. To that effect we are implementing EAP-TLS with machine authentication to ensure only domain machines are on the network (no systems from home.)

My question is: Should I try to implement MAC authentication for the access points connected to my switch? I am referring to the actual access points being authenticated by MAC address on the network not the users connecting to them (those would auth with EAP-TLS.)

I have read a few articles from MS technet on implementing the MAC authentication and tried a few setups without success and wanted to determine if it was worth the effort to track down the issues or just force the port on the switch to auth (using multiple session so each machine on a port has to auth to gain access to network.) From the articles it looked like we would have to use PAP for the MAC auth which almost seems to defeat the purpose of authing at all since it is plain text right?

My variables are:
Windows Server 2008 R2 Standard running NPS, CA, AD
Cisco SG500 set to 802.1x auth and MAC as needed
Unifi AP Pro

Thanks!
0
Comment
Question by:ND_2007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 20

Accepted Solution

by:
rauenpc earned 600 total points
ID: 39217470
Just force the port to the auth state. MAC authentication is no more secure than putting a "do not enter sign" on your front door. It's much too easy nowadays to download a MAC spoofing application and take over the MAC of a device that is automatically authenticated.

When it comes to the best wireless security, two things are the most important in my opinion:
The first is the obvious one - encryption and authentication. WPA2-Enterprise with AES and TLS are definitely the best so you are on the right track.
The second isn't quite as obvious - rogue AP mitigation. Your wireless is only as secure as the weakest wireless AP available on your network. 802.1x is great until a Linksys router appears on the network or an unsecured AP bridge. Being able to automatically detect and lock down rogues is key to true wireless security.
0
 
LVL 1

Author Comment

by:ND_2007
ID: 39218777
Thanks for the feedback. Do you have any recommendations on a tool for rogue detection and isolation?

Thanks,
Keith
0
 
LVL 1

Author Comment

by:ND_2007
ID: 39244647
I have confirmed forcing the port is the recommended way with a Cisco support tech while I was investigating another issue. Thanks for the input.
0
 
LVL 20

Expert Comment

by:rauenpc
ID: 39244675
Sorry about my lack of response on your last question. There are multiple tools you can use, but if you are running a Cisco system you would be looking at the MSE combined with your controllers/NCS. This would give you the ability to classify rogues, locate, and mitigate. Other vendors have similar solutions.
0
 
LVL 1

Author Comment

by:ND_2007
ID: 39244773
Thanks I will look into those.
0

Featured Post

Plug and play, no additional software required!

The ATEN UE3310 USB3.1 Gen1 Extender Cable allows users to extend the distance between the computer and USB devices up to 10 m (33 ft). The UE3310 is a high-quality, cost-effective solution for professional environments such as hospitals, factories and business facilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question