
New Member

machine authentication security risk with wireless


I have machine authentication enabled in my network for wireless users and caching for 24 hours. It appears that after machine authentication with the domain, ACS stores the MAC address of the wireless card in the cache as a successful authentication. So any user faking the same MAC address on a PC gets authenticated by the ACS server, as it is cached for 24 hours. So if a non-legitimate user knows any legitimate MAC address (Calling-Station-Id), he could access the network.

Is there any way we can make machine authentication better from a security point of view?


Cisco Employee

Re: machine authentication security risk with wireless


Machine authentication is not MAC address authentication; it uses machine credentials (machine user/pass or certificate) to authenticate to the ACS. If a user simply spoofs a MAC address, they do not have the credentials required to authenticate to your network. On the other hand, if a user with a valid username/password or certificate spoofs the MAC address on a non-corporate machine, they could connect a non-corporate asset to the wireless network. In either case the user connecting still has valid credentials to your network, so the risk is minimal.

If this is a big concern, you could consider adding a NAC (Network Admission Control) solution to your wireless network, where you can do more extensive checks on the machine before providing it access to the network. If you are interested, you can find more information on Cisco's offering here:
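To make the point of the reply concrete, here is an added example (not code from this thread or from Cisco ACS) that models the machine-authentication cache as the original poster describes it: entries keyed on Calling-Station-Id with a 24-hour lifetime, a user logon decision that still requires valid user credentials, and a defender-side heuristic over constructed authentication records. The record field names and the simplified cache behaviour are assumptions for illustration.

```python
# Added example: simplified model of a machine-authentication cache keyed on
# Calling-Station-Id (MAC), as described in the thread, plus a detection helper.
from datetime import datetime, timedelta

CACHE_TTL = timedelta(hours=24)  # the 24 h caching window from the question


class MachineAuthCache:
    """Remembers the time of the last successful machine authentication per MAC."""

    def __init__(self):
        self._entries = {}  # calling_station_id -> datetime of machine auth

    def record_machine_auth(self, mac, when):
        self._entries[mac.upper()] = when

    def is_cached(self, mac, now):
        seen = self._entries.get(mac.upper())
        return seen is not None and now - seen <= CACHE_TTL


def user_auth_decision(cache, mac, user_credentials_valid, now):
    """A user logon passes only if the MAC has a fresh machine-auth entry AND the
    user's own credentials verify. A cached MAC alone never grants access, which
    is the point made in the reply above."""
    return cache.is_cached(mac, now) and user_credentials_valid


def suspicious_mac_reuse(auth_records):
    """Heuristic (assumption, not an ACS feature): flag a Calling-Station-Id that
    authenticates as different users from different NAS/access-point identifiers.
    That pattern deserves investigation as possible MAC reuse; it is not proof."""
    by_mac = {}
    for rec in auth_records:
        by_mac.setdefault(rec["mac"].upper(), set()).add((rec["user"], rec["nas"]))
    return sorted(mac for mac, pairs in by_mac.items()
                  if len({u for u, _ in pairs}) > 1 and len({n for _, n in pairs}) > 1)


# Constructed sample records (hypothetical MACs, users and NAS identifiers).
SAMPLE_RECORDS = [
    {"mac": "00:11:22:33:44:55", "user": "alice", "nas": "ap-floor1"},
    {"mac": "00:11:22:33:44:55", "user": "bob", "nas": "ap-floor3"},
    {"mac": "AA:BB:CC:DD:EE:FF", "user": "carol", "nas": "ap-floor1"},
]
```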

