Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WPA-PSK with Mac authentication

I have a very small branch office, with a single cisco AIR-AP1231G-A-K9 running IOS 12.3.8 JA. I would like to have them authticate using WPA-PSK and lock them down by mac-address without getting *eap/RADIUS involved. I have it configured however whenever I enable the mac-authentication option my client can't connect. I have verified the the mac-address in the mac-authentication DB is correct. I thought I had seen a tech note stating that after 12.* that this can't be done, but I can't find the tech note. Can anyone confirm this? Is there something I'm missing?



Re: WPA-PSK with Mac authentication

MAC filtering is worthless in every way as a security measure. IMO, you're better off just dropping it.

As long as you use a long, strong PSK, and change it periodically, you should be OK.

"Strong" implies a variety of upper and lower case letters , numbers, and punctuation (including spaces), and no "dictionary" words (complete words that you'd find in a dictionary ... substitute numbers for letters, for example).

Some people like to make it from using the first letters of a phrase that it easy for your users to remember.

Regardless of how you come up with it, make it long as possible, and mix up the characters.

It takes literally minutes to (from scratch) sniff your wireless, and change to an active MAC, and begin an attack. MAC filtering is not worth the effort for the amount of security it offers.

Good Luck


New Member

Re: WPA-PSK with Mac authentication

Thanks for your input Scott, where the AP is located I'm not too concered about an attack. Even if someone wanted to take down the AP it would be hard to get a signal. The MAC filter is just to control the client access. Yes, I know that mac-addresses can be spoofed, but the small user comunity that is there can just pick up a phone and say I have a new laptop I need to get on and they would be permitted. We are actually down grading them from using eap-tls as the security, becuase they won't be accessing corporate resources except through a internet webportal.