MAC Authentication Primer

MAC address authentication itself is not a new idea. One classic flavor is port security. Another is the Cisco VLAN Management Policy Server (VMPS) architecture. With VMPS, you maintain a text file of MAC addresses and the VLANs to which they belong. That file is loaded into the VMPS server switch through TFTP. After an access switch learns a MAC address, it checks with the VMPS server switch to find out which VLAN that address belongs to. You can also define the action the switch takes if the MAC address is not in the text file. No other security is enforced. Along the same lines as VMPS, another legacy method is the User-Registration Tool (URT), which uses the VLAN Query Protocol (VQP) and acts like a VMPS.

Wireless also has a version of this support available on most APs and/or controllers, so the base functionality for MAC address checking is already in place there. For example, wireless APs can initiate a Password Authentication Protocol (PAP) authentication with a RADIUS server using the client's MAC address as both the username and the password. Wireless devices can do this because an initial association has already been made (and, based on that association, traffic to and from the wireless network interface card [NIC] is blocked). No such association currently exists in the wired space. As described in this chapter, MAB is an attempt to build a wired equivalent of this functionality that integrates with 802.1X.

Like the wired operation examined here, MAB in the wireless space has its own security concerns—most notably, granting network access based on a MAC address. This is potentially a security risk because of the nature of the authentication method: MAC addresses can be easily mirrored or spoofed.
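As an added example (not code from the chapter or from Cisco), the following Python audit ties the two points above together: a VMPS-style MAC-to-VLAN text file serves as the allowlist, and a stream of MAB session events is checked for addresses missing from that file and for one address holding open sessions on two switch ports at once, the symptom a mirrored or spoofed MAC produces. The file layout, the event fields and every address and port name are constructed assumptions.

```python
"""MAC-auth audit: flag MACs absent from a VMPS-style file, and MACs active on >1 port at once."""
import re
from collections import defaultdict

# Constructed allowlist modelled on a VMPS-style MAC-to-VLAN text file.
MAC_VLAN_FILE = """# address          vlan
00-11-22-33-44-55  10
00-11-22-33-44-66  20
"""

def normalize_mac(mac):
    # Canonical 12 hex digits; accepts 00-11-.., 00:11:.., 0011.2233.4455
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return digits

def load_mac_vlan_file(text):
    # Parse into {mac: vlan}, ignoring comments and blank lines
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            mac, vlan = line.split()
            table[normalize_mac(mac)] = int(vlan)
    return table

# Constructed session events (time, mac, switch, port, start|stop), like a RADIUS accounting feed.
EVENTS = [
    ("09:00:00", "00:11:22:33:44:55", "sw1", "Gi1/0/1", "start"),
    ("09:01:00", "0011.2233.4455", "sw2", "Gi1/0/7", "start"),  # same MAC, 2nd port
    ("09:02:00", "de:ad:be:ef:00:01", "sw1", "Gi1/0/3", "start"),  # not in file
    ("09:03:00", "00:11:22:33:44:55", "sw1", "Gi1/0/1", "stop"),
]

def audit(events, table):
    """Return (unknown, duplicates); duplicates = MAC active on >1 (switch, port) at once."""
    active = defaultdict(set)  # mac -> {(switch, port)} with an open session
    unknown, duplicates = [], []
    for ts, mac, switch, port, action in events:
        m = normalize_mac(mac)
        if m not in table:
            unknown.append((ts, m, switch, port))
        elif action == "stop":
            active[m].discard((switch, port))
        else:
            active[m].add((switch, port))
            if len(active[m]) > 1:
                duplicates.append((ts, m, sorted(active[m])))
    return unknown, duplicates
```

A "stop" before the second "start" clears the first port, so the same MAC moving between ports is not reported; only overlapping sessions are.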
