03-04-2021 09:07 PM
Hello,
I am looking into enabling NAC on our network and unfortunately, I have to use MAC AUTH for some end devices that don’t support 802.1X. Of course, using MAC AUTH is nothing but a deterrent as it’s very easy to spoof MACs…
However, I find when I enable MAC AUTH on XMC, the first question is what password to use. I am wondering what is the use of using a password or no password? My RADIUS communication is protected by the shared key, in PAP (which EXOS does) anyways… It’s only between switch and NAC, so what point is it to add a password? If someone uses a device with the same MAC, they get access to the network anyways.
Any insight would be great 🙂
Thanks,
03-05-2021 09:25 PM
Hello Chad,
It does not improve the security, but if you put the devices with MAC auth into a separate network and then restrict their access via policies or ACLs, you at least reduce the impact of an intrusion. For example, only allow printers access to the print server with the necessary ports.
03-05-2021 02:18 PM
Thank you for the replies.
I am familiar with the various options for MAC auth user/password. What I was alluding to is that having a password does not add to the security of MAC AUTH (if a key is chosen for example). It only adds a password between switch and RADIUS server, where there is already a shared key. It does not add any benefit on the client side (between client and switch). MAC spoofing is very simple to do. Not much we can do about it.
Thanks,
03-04-2021 09:12 PM
Hi Chad,
You have to look on both sides for this.
On XMC what is possible AND on your switch to see what password options are common to both devices.
You’ll use the one you prefer, usually people stick to the MAC address as password.
Here is a screenshot from an ERS switch:
Mig
03-04-2021 09:11 PM
Does this help: XMC MAC Authentication Settings | Extreme Networks Support Community ?
“when the new MAC is seen on the port the switch does generate radius request to the radius server. The request does have username and password. The username is the mac address. The password is what you can define.”
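Added example, not part of the original thread and not Extreme's code: a sketch of what the switch sends for MAC auth, using the PAP User-Password hiding from RFC 2865 section 5.2. It shows that the password is generated by the switch and hidden only with the RADIUS shared secret, so any client presenting the same MAC produces an identical request. The MAC format (12 lowercase hex digits), the function names and all sample values are assumptions made for illustration.

```python
import hashlib

def mac_auth_credentials(mac, configured_password=None):
    """Credentials the switch builds by itself; the client only contributes its MAC."""
    # Assumption: MAC sent as 12 lowercase hex digits; switches offer several formats.
    user = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(user) != 12:
        raise ValueError("not a MAC address")
    # Either a password configured on switch and NAC, or the MAC itself.
    return user, (configured_password or user)

def _xor_chain(data, secret, authenticator, hiding):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block uses the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        prev = block if hiding else data[i:i + 16]
    return out

def pap_hide(password, secret, authenticator):
    """What the switch puts in the User-Password attribute."""
    if len(authenticator) != 16 or not 0 < len(password) <= 128:
        raise ValueError("bad authenticator or password length")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, authenticator, hiding=True)

def pap_reveal(hidden, secret, authenticator):
    """What the RADIUS server recovers using the same shared secret."""
    return _xor_chain(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")

def access_request(mac, configured_password, secret, authenticator):
    user, pw = mac_auth_credentials(mac, configured_password)
    return {"User-Name": user,
            "User-Password": pap_hide(pw.encode(), secret, authenticator)}

if __name__ == "__main__":
    secret, auth = b"constructed-shared-secret", bytes(range(16))  # constructed values
    genuine = access_request("00:11:22:33:44:55", "k3y", secret, auth)
    spoofed = access_request("00-11-22-33-44-55", "k3y", secret, auth)
    print("requests identical:", genuine == spoofed)
    print("server recovers:", pap_reveal(genuine["User-Password"], secret, auth))
```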