Cisco Support Community

wpa 2 with mac address authentication

Hi all,

At the moment we are running IOS-based APs with "encryption mode ciphers aes-ccm tkip wep128". Together with this I am running MAC address authentication back to my ACS servers.

This works very well; however, an auditor picked up the word "wep", and that's "insecure".

I don't want to lose the MAC authentication back to the ACS servers, but I am looking at a better way for the encryption to work.

WPA would be a good way to go.

Now the only way that I know of to get MAC authentication working with WPA is by having a local ACL, i.e. something like this:

dot11 association mac-list 700
dot11 syslog
dot11 ssid myssid
 authentication open
 authentication key-management wpa version 2
 guest-mode
 wpa-psk ascii 7 <key>
encryption mode ciphers aes-ccm
access-list 700 permit <MAC-address>   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
username <MAC-address> password 7 <password>
username <MAC-address> autocommand exit

Any ideas how I can keep my MAC authentication on my ACS servers with a more secure way for the encryption to work? I am open to ideas.

4 REPLIES

wpa 2 with mac address authentication

If you are just using a PSK this is true. I believe, however, that if you are using an EAP type you can still do MAC authentication with WPA/WPA2.

Steve


Re: wpa 2 with mac address authentication

Would you have a sample config / document that can help with setting this up?

I get something like "Error : Both EAP and WPA-PSK cannot be configured on same ssid.To configure WPA-PSK disable EAP"

Re: wpa 2 with mac address authentication

Martin:
The clients that connect to this SSID, what security mechanism do they use to connect?

Only WEP?


Re: wpa 2 with mac address authentication

Right now yes, but I need to move it over to WPA.

Problem is WPA and MAC address do not work together, unless it's on an ACL.

I tried moving to LEAP / PEAP, but my ACS auth service does not start once I enable that.

Did some reading on that; it seems like it's a bug once Windows is updated. I have confirmed this by doing a clean Windows install with no patches. That works. However, I can't have an unpatched server.

I am contemplating running wpa with the local acl.

But first class would be to have that on the ACS server - talk about a catch 22.

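Added example, not part of any post in this thread: a small Python check that flags the WEP and TKIP keywords an auditor would pick up on an "encryption mode ciphers" line, and reports where the config relies on a local MAC ACL and a pre-shared key. The sample configs are constructed from the lines quoted above; the "interface Dot11Radio0" line, the function name and the finding messages are assumptions.

```python
import re

# Cipher keywords treated as weak: every WEP variant, and TKIP.
WEAK = re.compile(r"^(wep\d*|tkip)$")

def audit_ap_config(text):
    """Return (line_no, message) findings for an autonomous-AP style config."""
    findings, ssid = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # top-level line: leave SSID sub-mode
            m = re.match(r"dot11 ssid (\S+)", line)
            ssid = m.group(1) if m else None
        m = re.match(r"encryption (?:vlan \d+ )?mode ciphers (.+)", line)
        if m:
            weak = [c for c in m.group(1).split() if WEAK.match(c)]
            if weak:
                findings.append((no, "weak ciphers enabled: " + " ".join(weak)))
        m = re.match(r"dot11 association mac-list (\d+)", line)
        if m:
            findings.append((no, "MAC filtering uses local ACL " + m.group(1)))
        if ssid and line.startswith("wpa-psk "):
            findings.append((no, "SSID %s uses a pre-shared key" % ssid))
    return findings

# Constructed sample configs; the interface name and key text are placeholders.
OLD = """\
interface Dot11Radio0
 encryption mode ciphers aes-ccm tkip wep128
"""
NEW = """\
dot11 association mac-list 700
dot11 ssid myssid
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 <key>
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
"""

if __name__ == "__main__":
    for name, cfg in (("old", OLD), ("new", NEW)):
        for no, msg in audit_ap_config(cfg):
            print("%s:%d: %s" % (name, no, msg))
```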