MAC-Filter using a Radius-Server - is it secure?

Unanswered Question
Mar 26th, 2009

Hello,

We have a Cisco WLC 5.2 and implemented MAC authentication by using the Cisco ACS. The WLANs are configured with WPA2-AES and PSK. So, my question is: how secure is this constellation? If not, how can I increase the security by using MAC-Filter/Cisco ACS? Thank you.

jeff.kish Thu, 03/26/2009 - 07:32

Hi,

WPA2-PSK is very secure as long as you're not using a short password. Cisco recommends at least 22 characters, I believe. WPA2-PSK can only be cracked via dictionary attacks, so the longer the password the better.

MAC authentication is NOT secure, and it adds nothing to your security. MAC addresses are broadcast unencrypted to the AP, as per the 802.11 standard, so any rogue client can listen to the MAC address and spoof it.

Your WPA2-PSK with a 22+ character password is as secure as the text file where you store it :) In other words, don't lose it!
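As an added example (not part of the original reply), this Python sketch shows why passphrase length and dictionary resistance are what matter for WPA2-PSK: the master key is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a guessable passphrase is the weak point. The function names, the sample wordlist and the sample passphrases are assumptions of the example; the 22-character default comes from the reply above.

```python
import hashlib
import math
import string

# Constructed sample wordlist; a real audit would load a large dictionary file.
SAMPLE_WORDLIST = {"password", "cisco", "wireless", "welcome"}

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

def charset_size(passphrase: str) -> int:
    """Size of the printable-ASCII alphabet the passphrase draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    size = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    if any(c not in "".join(classes) for c in passphrase):
        size += 33  # ASCII punctuation plus space
    return size

def upper_bound_bits(passphrase: str) -> float:
    """Entropy upper bound; only meaningful if every character was chosen at random."""
    return len(passphrase) * math.log2(charset_size(passphrase))

def audit(passphrase: str, ssid: str, wordlist=SAMPLE_WORDLIST, min_len: int = 22):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if len(passphrase) < min_len:
        findings.append(f"length {len(passphrase)} is below {min_len}")
    lowered = passphrase.lower()
    hits = sorted(w for w in wordlist if w in lowered)
    if hits:
        findings.append("contains dictionary words: " + ", ".join(hits))
    if ssid and ssid.lower() in lowered:
        findings.append("contains the SSID")
    return findings

if __name__ == "__main__":
    # Constructed sample inputs (SSID and passphrases are made up).
    for candidate in ("Cisco2009", "q7#Lm2vX9!rTz4&Wp8sKd3Gh"):
        print(candidate, round(upper_bound_bits(candidate), 1), audit(candidate, "corp-wlan"))
    # The same passphrase yields a different key on each SSID, because the SSID is the salt.
    print(derive_pmk("q7#Lm2vX9!rTz4&Wp8sKd3Gh", "corp-wlan").hex())
```

The entropy figure is an upper bound: a passphrase built from words or patterns is far weaker than its length suggests, which is why the dictionary check matters more than the number.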

David Wagner Thu, 03/26/2009 - 08:23

OK. In short, what is the best practice to increase the security of my WLAN?

jeff.kish Mon, 03/30/2009 - 06:03

Most experts would say that upgrading to a WPA2 w/RADIUS would be the best practice. Choosing an EAP type that requires certificates is going to give you the best encryption and authentication.

However, increasing the security to this level can cause issues of its own. For one, you need to maintain a RADIUS server and, likely, a Certificate Authority of some kind. Managing certificates can be a pretty big hassle, requiring extra IT support time for installing new clients.

I've known plenty of clients that choose to do both encryption and authentication via WPA2-PSK. The security flaw here is that all someone needs to do is obtain the PSK to have access. And if you do lose the PSK and need to re-key all clients in your enterprise, that can be a bigger hassle than managing certificates. But if you keep the PSK locked-down, it provides a very easy-to-manage and secure means of access.

So, in short, WPA2 Enterprise (w/RADIUS) is the best-practice security solution. EAP-type is up to you, but EAP-PEAP and EAP-TLS are probably the two most popular.

I hope that helps. Is there anything more specific you'd like to know?

Jeff
