Documentation shows that if you enable EAP with MAC, clients that do not support EAP authentication will then be able to use MAC. Is it possible to enforce that clients use both EAP and MAC? I don't want to create a security hole by allowing clients to skip the EAP and only use MAC.
Here is the text from http://www.cisco.com that supports the above. Is this true, or am I just being paranoid?
You can set up the access point to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using 802.11 open authentication first attempt MAC authentication; if MAC authentication succeeds, the client device joins the network. If MAC authentication fails, the access point waits for the client device to attempt EAP authentication.
I think this statement was valid during the good old VxWorks days. I don't think this is the way IOS and Lightweight APs work any more. You can give it a try on a trial AP and see if you can bypass EAP by simply using a laptop with an authorized MAC.
I have this exact same question on a 1242 AP running c1240-k9w7-mx.123-8.JA2.
I was told that it is possible on this version of IOS to select the with EAP or MAC Authentication, but I have had no success in doing so.
On a Windows XP SP2 client with the WPS-IE update installed, I disabled encryption and have open authentication selected. Nonetheless, the client continues to ask for credentials to connect to the network (I also deleted the registry keys that store these 802.1x credentials).
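For reference, an added configuration example (not written by any poster in this thread and not part of the quoted Cisco text): on autonomous IOS access points, the `alternate` keyword on the SSID's `authentication open` line decides whether MAC and EAP are either/or or both required. The SSID name and the method-list names `mac_methods` and `eap_methods` are placeholders, and both lists are assumed to be defined already under `aaa new-model`.

```cisco_ios
! Constructed example. EXAMPLE-SSID, mac_methods and eap_methods are
! placeholder names; the two AAA method lists are assumed to exist.
!
! Either/or: with "alternate", a client that passes MAC authentication
! joins without attempting EAP. EAP is only the fallback when the MAC
! check fails, which is the behaviour the quoted documentation describes.
dot11 ssid EXAMPLE-SSID
 authentication open mac-address mac_methods alternate eap eap_methods
!
! Both required: without "alternate", the client must pass the MAC
! check and then complete EAP before it is allowed onto the network.
dot11 ssid EXAMPLE-SSID
 authentication open mac-address mac_methods eap eap_methods
```

Only one of the two `authentication open` lines is configured on a given SSID; check the running configuration for a stray `alternate` when the intent is to require both.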