cancel
Showing results for 
Search instead for 
Did you mean: 

MAC Authentication

MAC Authentication

Chad5
New Contributor III

Hello,

 

Am looking into enabling NAC on our network and unfortunately, I have to use MAC AUTH for some end devices that don’t support 802.1X. OF course, using MAC AUTH is nothing but a deterrent as it’s very easy to spoof MACs… 

 

However, I find when I enable MAC AUTH on XMC, the first question is what password to use. I am wondering what is the use of using a password or no password? My radius communication is protected by the shared key, in PAP (which EXOS does) anyways… it’s only between switch and NAC so what point is it to add a password? if someone uses a device with the same MAC, they get access to network anyways.

 

Any insight would be great 🙂

 

Thanks,

1 ACCEPTED SOLUTION

StephanH
Valued Contributor III

Hello Chad,

It does not improve the security, but if you put the devices with MAC auth into a separate network and then restrict their access via policies or ACLs, you at least reduce the impact of an intrusion. For example, only allow printers access to the print server with the necessary ports.

Regards Stephan

View solution in original post

7 REPLIES 7

Chad5
New Contributor III

Yes exactly. That is the plan. So I am leaving the default MAC auth password (which is basically the mac I think) without adding a password since it doesn’t add anything extra.

 

Thanks for the note.

StephanH
Valued Contributor III

Hello Chad,

It does not improve the security, but if you put the devices with MAC auth into a separate network and then restrict their access via policies or ACLs, you at least reduce the impact of an intrusion. For example, only allow printers access to the print server with the necessary ports.

Regards Stephan

Chad5
New Contributor III

@Stefan K. Oh, I would be really interested to see a good use case. Thank you.

 

I am forced to use MAC-AUTH for devices on the network that don’t support 802.1X and looking for any way to improve the security if possible… Otherwise, anyone can yank a device, take it’s MAC, spoof it on their laptop and connect to network. 

Thanks,

Stefan_K_
Valued Contributor

If I remember this correctly, this behaviour is useful when you combine the MAC-Auth with your AD. I don’t know the exact procedure but I’m sure there is a use-case for this MAC Auth Password. 

I might provide you with more details later...

GTM-P2G8KFN