MAC-Filter using a Radius-Server - is it secure?

David Wagner
Level 1

Hello,

We have a Cisco WLC 5.2 and implemented MAC authentication by using the Cisco ACS. The WLANs are configured with WPA2-AES and PSK. So, my question is - how secure is this constellation? If not, how can I increase the security by using MAC filter/Cisco ACS? Thank you

3 Replies

jeff.kish
Level 7

Hi,

WPA2-PSK is very secure as long as you're not using a short password. Cisco recommends at least 22 characters, I believe. WPA2-PSK can only be cracked via dictionary attacks, so the longer the password the better.

MAC authentication is NOT secure, and it adds nothing to your security. MAC addresses are broadcast unencrypted to the AP, as per the 802.11 standard, so any rogue client can listen to the MAC address and spoof it.

Your WPA2-PSK with a 22+ character password is as secure as the text file where you store it :) In other words, don't lose it!

OK. Shortly, what is the best practice to increase the security of my WLAN?

Most experts would say that upgrading to a WPA2 w/RADIUS would be the best practice. Choosing an EAP type that requires certificates is going to give you the best encryption and authentication.

However, increasing the security to this level can cause issues of its own. For one, you need to maintain a RADIUS server and, likely, a Certificate Authority of some kind. Managing certificates can be a pretty big hassle, requiring extra IT support time for installing new clients.

I've known plenty of clients that choose to do both encryption and authentication via WPA2-PSK. The security flaw here is that all someone needs to do is obtain the PSK to have access. And if you do lose the PSK and need to re-key all clients in your enterprise, that can be a bigger hassle than managing certificates. But if you keep the PSK locked-down, it provides a very easy-to-manage and secure means of access.

So, in short, WPA2 Enterprise (w/RADIUS) is the best-practice security solution. EAP-type is up to you, but EAP-PEAP and EAP-TLS are probably the two most popular.

I hope that helps. Is there anything more specific you'd like to know?

Jeff
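
The point in the first reply about dictionary attacks and passphrase length, as an added example that is not part of the original thread: a small audit of a candidate WPA2-PSK passphrase, plus the key derivation IEEE 802.11i defines (PBKDF2-HMAC-SHA1 salted with the SSID). The function names, the sample wordlist and the character-pool model are assumptions made for illustration.

```python
import hashlib
import math
import string

ITERATIONS = 4096          # fixed by IEEE 802.11i for WPA/WPA2-PSK
MIN_RECOMMENDED_LEN = 22   # length suggested in the reply above

# Constructed sample wordlist standing in for a real dictionary.
SAMPLE_DICTIONARY = {"password", "companyname2009", "letmein123"}


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), ITERATIONS, 32)


def charset_size(passphrase: str) -> int:
    """Size of the character pools the passphrase draws from (rough model)."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation + " ")
    return sum(len(p) for p in pools if any(c in p for c in passphrase))


def audit_passphrase(passphrase: str, ssid: str) -> dict:
    """Return policy findings for a candidate WPA2-PSK passphrase."""
    printable = all(32 <= ord(c) <= 126 for c in passphrase)
    if not (8 <= len(passphrase) <= 63 and printable):
        return {"valid": False, "bits": 0.0,
                "findings": ["must be 8-63 printable ASCII characters"]}
    findings = []
    if len(passphrase) < MIN_RECOMMENDED_LEN:
        findings.append(f"shorter than {MIN_RECOMMENDED_LEN} characters")
    if passphrase.lower() in SAMPLE_DICTIONARY:
        findings.append("appears in dictionary")
    if ssid and ssid.lower() in passphrase.lower():
        findings.append("contains the SSID")
    # Upper bound only: assumes every character was chosen at random.
    bits = len(passphrase) * math.log2(charset_size(passphrase))
    return {"valid": True, "bits": round(bits, 1), "findings": findings}


if __name__ == "__main__":
    # "OfficeNet" is a constructed SSID.
    print(audit_passphrase("password", "OfficeNet"))
    print(derive_pmk("password", "OfficeNet").hex())
```

The `bits` figure is a ceiling; a passphrase built from words or a known pattern falls to a dictionary long before that bound is reached, which is why the wordlist check matters more than the character count alone.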
