machine authentication security risk with wireless
I have machine authentication enabled in my network for wireless users and caching for 24 hours. It appears that after machine authentication with the domain, ACS stores the MAC address of the wireless card in the cache as a successful authentication, so any user faking the same MAC address on a PC gets authenticated by the ACS server, as it is cached for 24 hours. So if a non-legitimate user knows any legitimate MAC address (Calling-Station-Id), he could access the network.
Is there any way we can make machine authentication better from a security point of view?
Re: machine authentication security risk with wireless
Machine authentication is not MAC address authentication; it uses machine credentials (machine user/pass or certificate) to authenticate to the ACS. If a user simply spoofs a MAC address, they do not have the credentials required to authenticate to your network. On the other hand, if a user with a valid username/password or certificate spoofs the MAC address on a non-corporate machine, they could connect a non-corporate asset to the wireless network. In either case the user connecting still has valid credentials to your network, so the risk is minimal.
If this is a big concern, you could consider adding a NAC (Network Admission Control) solution to your wireless network, where you can do more extensive checks on the machine before providing it access to the network. If you are interested, you can find more information on Cisco's offering here: http://www.cisco.com/en/US/products/ps6128/index.html
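To make the reply's point concrete, here is an added Python model of a machine access restriction cache keyed by Calling-Station-Id with a 24-hour lifetime. It is illustrative code written for this thread, not ACS's implementation; the class and function names, the sample MAC addresses and the timestamps are all constructed. It walks through the scenarios discussed above: a spoofed MAC with no user credentials, valid user credentials on a cached MAC, valid user credentials on an unknown MAC, and an expired cache entry.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Matches the 24-hour caching period from the question (constructed constant).
MAR_CACHE_TTL = timedelta(hours=24)


@dataclass
class MachineAccessCache:
    """Hypothetical model of an ACS-style machine access restriction cache.

    Keys are Calling-Station-Id values (client MAC addresses); values are the
    time at which the machine itself authenticated with its own credentials.
    The MAC is only the lookup key: an entry is created solely by a successful
    machine credential check, never by the MAC appearing on the air.
    """
    ttl: timedelta = MAR_CACHE_TTL
    entries: Dict[str, datetime] = field(default_factory=dict)

    def record_machine_auth(self, mac: str, machine_cred_valid: bool, now: datetime) -> bool:
        # Machine auth succeeds only with a valid machine account or certificate.
        if not machine_cred_valid:
            return False
        self.entries[mac.lower()] = now
        return True

    def machine_recently_authenticated(self, mac: str, now: datetime) -> bool:
        seen = self.entries.get(mac.lower())
        return seen is not None and now - seen <= self.ttl


def authorize_user(cache: MachineAccessCache, mac: str,
                   user_cred_valid: bool, now: datetime) -> Tuple[bool, str]:
    """Decide a user logon: both the user's own credentials and a fresh
    machine-auth entry for the same Calling-Station-Id are required."""
    if not user_cred_valid:
        return False, "user credentials rejected"
    if not cache.machine_recently_authenticated(mac, now):
        return False, "no recent machine authentication for this Calling-Station-Id"
    return True, "user and machine authentication both satisfied"


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """Constructed walkthrough of the cases raised in the thread."""
    t0 = datetime(2024, 1, 1, 8, 0)          # constructed timestamp
    corporate_mac = "00:11:22:33:44:55"      # constructed corporate laptop MAC
    unknown_mac = "aa:bb:cc:dd:ee:ff"        # constructed MAC never machine-authenticated

    cache = MachineAccessCache()
    # The corporate laptop authenticates with its machine certificate at 08:00.
    cache.record_machine_auth(corporate_mac, machine_cred_valid=True, now=t0)
    # A spoofed MAC without a machine credential never populates the cache.
    cache.record_machine_auth(unknown_mac, machine_cred_valid=False, now=t0)

    return {
        # Spoofing the cached MAC without credentials: denied at the user-credential step.
        "spoofed_mac_no_creds": authorize_user(cache, corporate_mac, False, t0 + timedelta(hours=1)),
        # Valid user credentials on the cached MAC: permitted. This is the residual risk
        # the reply describes when a credentialed user moves a MAC to a non-corporate box.
        "valid_user_cached_mac": authorize_user(cache, corporate_mac, True, t0 + timedelta(hours=1)),
        # Valid user credentials but no machine-auth entry for this MAC: denied.
        "valid_user_unknown_mac": authorize_user(cache, unknown_mac, True, t0 + timedelta(hours=1)),
        # Cache entry older than 24 hours: the machine must authenticate again.
        "cache_expired": authorize_user(cache, corporate_mac, True, t0 + timedelta(hours=25)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:24s} -> {'PERMIT' if allowed else 'DENY':6s} ({reason})")
```

The model shows why the cache alone is not a MAC-address backdoor: the cached entry is a second condition layered on top of user credentials, not a substitute for them. What remains is the case the reply calls out, a legitimately credentialed user presenting a cached MAC from a non-corporate device, which is the gap a posture-checking NAC solution is meant to close.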