WPA 2 with Mac authentication

dstavros99 · ‎02-12-2007

Hi all,

I am faced with a dilemma. I have implemented a wireless network throughout our main building using wpa2 leap authenticating against Active directory. Now Security Engineer is griping that mac authentication be used in addition. The only reason I did not choose this option because I believe that the mac is transmitted with an initial packet and can be spoofed anyway not to mention the overhead of tracking all macs. Does anyone have any input on this issue that would help the argument of supporting or not supporting the authentication methods I just spoke of any help is greatly appreciated!

csannedhi · ‎02-12-2007

Well, if your security engineer is so dead set on adding MAC address to the authentication process even though he knows that MAC address can be spoofed(it's biggest vulnerability) - good luck with changing his mind.

I had experience with MAC authentication at the enterprise level. I used it along with WEP. Obviously there is no AD or RADIUS in place. Entire list of MAC addresses is kept on all APs to facilitate enterprise-wide roaming. Well, having a list of 300 MACs on the AP makes the authentication process painfully slow. I don't know how many clients you have and what kind of RADIUS server you are using. The impact will be different in your case.

Apart from slow authentication process because of gigantic list of MACs, it is very hard to keep up with all MACs because of new laptops and upgraded client adapters, etc. If the users make a fuss, your Security Engineer may change his mind.

HTH

dstavros99 · ‎02-12-2007

Thank you for the response, I feel the same way I really don't see the advantage and we are currently using WPA2. I just wanted to get a second opinion the security engineer I believe is only focused on Cissp concept instead of actual network design and implementation. Thanks again.