Cisco Support Community
New Member

WPA2 and mac authentication

I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication. But I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dry, but how can I configure the AP to look to the ACS server for its MAC list? And, how can I get WPA-PSK and MAC authentication to work together?

4 REPLIES
Silver

Re: WPA2 and mac authentication

Hi Jared,

You can do this by setting up the following:

Web interface:

1. Security -> Server Manager

Set up the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".

2. Security -> Advanced Security

In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!

IOS Interface from config mode:

aaa group server radius rad_mac
 server 10.20.40.37 auth-port 1645 acct-port 1646

and

aaa authentication login mac_methods group rad_mac

or

aaa authentication login mac_methods group rad_mac local (for local fallback)

I have not tested this, because the MAC of the supplicants is too easy to sniff and any medium-skilled person may use a sniffed MAC to enter the first authentication stage!

Better use a setup with EAP-FAST or PEAP!

I hope that helps.

Best regards,

Frank
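
The CLI fragments in the reply above, assembled into one autonomous-AP configuration and bound to an SSID, as an added example that is not part of the original post. The SSID name LAB-MAC, the interface Dot11Radio0 and the `<shared-secret>` placeholder are assumptions; the server address, ports and list names are the ones from the reply.

```ios
! Added example, not from the original post.
! Assumed values: SSID LAB-MAC, interface Dot11Radio0, <shared-secret> placeholder.
aaa new-model
!
! The ACS as RADIUS server. The same shared secret must be set on the ACS
! for this access point (AAA client entry).
radius-server host 10.20.40.37 auth-port 1645 acct-port 1646 key <shared-secret>
!
! Server group and method list as given in the reply above
aaa group server radius rad_mac
 server 10.20.40.37 auth-port 1645 acct-port 1646
!
! "local" is the fallback variant from the reply; drop it for server-only checks
aaa authentication login mac_methods group rad_mac local
!
! The method list is only consulted by an SSID that references it
dot11 ssid LAB-MAC
 authentication open mac-address mac_methods
!
interface Dot11Radio0
 ssid LAB-MAC
!
! A MAC address is sent in clear in every frame, so this check identifies
! a client but does not authenticate it; EAP-FAST or PEAP is the stronger
! control, as the reply notes.
```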

New Member

Re: WPA2 and mac authentication

I got that far, but I am still not seeing the MAC authentication portion work. I am looking at my ACS logs and I don't even see an attempt to authenticate the MAC address to the ACS. I currently have open authentication set up. When I add the option with MAC address, then the wireless breaks and I cannot use the Access Point any longer.

New Member

Re: WPA2 and mac authentication

Frank,

I just found an error message that states that MAC authentication is not supported with WPA-PSK. So it looks like I am stuck with EAP as I figured I would.

I was just trying it out to see if it was a possibility. Thanks for responding.

Silver

Re: WPA2 and mac authentication

Hi Jared,

You are totally right!

Have a look here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008054339e.shtml#supp

Sometimes RTFM helps.

;-))

I have learned something, too.

Best regards,

Frank
