topic MAC Authentication in ExtremeControl

MAC Authentication

Chad5 — Fri, 05 Mar 2021 05:07:16 GMT

Hello,

Am looking into enabling NAC on our network and unfortunately, I have to use MAC AUTH for some end devices that don’t support 802.1X. OF course, using MAC AUTH is nothing but a deterrent as it’s very easy to spoof MACs…

However, I find when I enable MAC AUTH on XMC, the first question is what password to use. I am wondering what is the use of using a password or no password? My radius communication is protected by the shared key, in PAP (which EXOS does) anyways… it’s only between switch and NAC so what point is it to add a password? if someone uses a device with the same MAC, they get access to network anyways.

Any insight would be great 🙂

Thanks,

Re: MAC Authentication

Stefan_K_ — Fri, 05 Mar 2021 05:11:44 GMT

Does this help: XMC MAC Authentication Settings | Extreme Networks Support Community ?

“when the new MAC is seen on the port the switch does generate radius request to the radius server. The request does have username and password. The username is the mac address. The password is what you can define.”

Re: MAC Authentication

Miguel-Angel_RO — Fri, 05 Mar 2021 05:12:25 GMT

Hi Chad,

You have to look on both sides for this.

On XMC what is possible AND on your switch to see what password options are common to both devices.

You’ll use the one you prefer, usually people stick to the MAC address as password.

Here a screenshot from an ERS switch:

Mig

Re: MAC Authentication

Chad5 — Fri, 05 Mar 2021 22:18:17 GMT

Thank you for the replies.

I am familiar with the various options for MAC auth user/password. what I was eluding to is that having a password does not add to the security of MAC AUTH (if a key is chosen for example). It only adds a password between switch and radius server, where is already a shared key. It does not add any benefit on the client side (between client and switch). MAC spoofing is very simple to do. not much we can do about it.

Thanks,

Re: MAC Authentication

Stefan_K_ — Fri, 05 Mar 2021 22:23:56 GMT

If I remember this correctly, this behaviour is useful when you combine the MAC-Auth with your AD. I don’t know the exact procedure but I’m sure there is a use-case for this MAC Auth Password.

I might provide you with more details later...

Re: MAC Authentication

Chad5 — Fri, 05 Mar 2021 22:35:42 GMT

@Stefan K. Oh, I would be really interested to see a good use case. Thank you.

I am forced to use MAC-AUTH for devices on the network that don’t support 802.1X and looking for any way to improve the security if possible… Otherwise, anyone can yank a device, take it’s MAC, spoof it on their laptop and connect to network.

Thanks,

Re: MAC Authentication

StephanH — Sat, 06 Mar 2021 05:25:29 GMT

Hello Chad,

It does not improve the security, but if you put the devices with MAC auth into a separate network and then restrict their access via policies or ACLs, you at least reduce the impact of an intrusion. For example, only allow printers access to the print server with the necessary ports.

Re: MAC Authentication

Chad5 — Mon, 08 Mar 2021 23:29:27 GMT

Yes exactly. That is the plan. So I am leaving the default MAC auth password (which is basically the mac I think) without adding a password since it doesn’t add anything extra.

Thanks for the note.