Cisco Support Community

New Member

MAC-Filter using a Radius-Server - is it secure?


We have a Cisco WLC 5.2 and implemented MAC authentication by using the Cisco ACS. The WLANs are configured with WPA2-AES and PSK. So, my question is: how secure is this constellation? If not, how can I increase the security by using MAC-Filter/Cisco ACS? Thank you.


Re: MAC-Filter using a Radius-Server - is it secure?


WPA2-PSK is very secure as long as you're not using a short password. Cisco recommends at least 22 characters, I believe. WPA2-PSK can only be cracked via dictionary attacks, so the longer the password the better.

MAC authentication is NOT secure, and it adds nothing to your security. MAC addresses are broadcast unencrypted to the AP, as per the 802.11 standard, so any rogue client can listen to the MAC address and spoof it.

Your WPA2-PSK with a 22+ character password is as secure as the text file where you store it :) In other words, don't lose it!
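The point in the reply above about passphrase length can be checked on your own configuration. The following is an added example, not part of the original thread: it derives the WPA2-PSK master key the way the standard defines it (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256 bits) and audits a passphrase against the 22-character guidance. The function names, the tiny wordlist and the sample passphrases are assumptions constructed for illustration.

```python
import hashlib
import math
import string

# Constructed sample of weak passphrases; a real audit would load a large wordlist.
COMMON_PASSPHRASES = {"password", "12345678", "letmein123", "companywifi"}
MIN_LENGTH = 22  # length the reply above attributes to Cisco guidance


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-PSK pairwise master key from passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters long")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrases are printable ASCII only")
    # The SSID is the salt, so the same passphrase yields a different key per network name.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def search_space_bits(passphrase: str) -> float:
    """Upper bound on guessing cost in bits, assuming characters were chosen at random."""
    pool = 0
    if any(c in string.ascii_lowercase for c in passphrase):
        pool += 26
    if any(c in string.ascii_uppercase for c in passphrase):
        pool += 26
    if any(c in string.digits for c in passphrase):
        pool += 10
    if any(not c.isalnum() for c in passphrase):
        pool += 33  # remaining printable ASCII, including space
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit_psk(passphrase: str) -> list[str]:
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if len(passphrase) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if passphrase.lower() in COMMON_PASSPHRASES:
        findings.append("present in a wordlist, so a dictionary attack finds it")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "T7#qLm2$Vx9!pRz4&Wk8@Yn3"):  # constructed samples
        print(candidate, round(search_space_bits(candidate), 1), audit_psk(candidate))
```

The bit estimate is only an upper bound: a long passphrase built from dictionary words is far weaker than its length suggests.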

New Member

Re: MAC-Filter using a Radius-Server - is it secure?

OK. In short, what is the best practice to increase the security of my WLAN?


Re: MAC-Filter using a Radius-Server - is it secure?

Most experts would say that upgrading to WPA2 w/RADIUS would be the best practice. Choosing an EAP type that requires certificates is going to give you the best encryption and authentication.

However, increasing the security to this level can cause issues of its own. For one, you need to maintain a RADIUS server and, likely, a Certificate Authority of some kind. Managing certificates can be a pretty big hassle, requiring extra IT support time for installing new clients.

I've known plenty of clients that choose to do both encryption and authentication via WPA2-PSK. The security flaw here is that all someone needs to do is obtain the PSK to have access. And if you do lose the PSK and need to re-key all clients in your enterprise, that can be a bigger hassle than managing certificates. But if you keep the PSK locked-down, it provides a very easy-to-manage and secure means of access.

So, in short, WPA2 Enterprise (w/RADIUS) is the best-practice security solution. EAP-type is up to you, but EAP-PEAP and EAP-TLS are probably the two most popular.

I hope that helps. Is there anything more specific you'd like to know?