How secure is 802.1x EAP and should I add MAC authentciation to increase security?

Summary

Security level provided by 802.1x EAP, adding MAC authentication, using 802.1x+MAC authentication option

Question

How secure is 802.1x and should I add MAC authentciation to increase security?

Customer Environment

Wireless Clients using Enterprise (802.1x) authentication

Resolution

802.1x is a very secure method of protecting your wireless network. 

Each time the device connects the user configured on the device is authenticated against a RADIUS server and is given a unique encryption key that changes every 90 seconds. 

Removing a user from the Active Directory will block device access based on that account.  Unique and changing encryption keys make it almost impossible to sniff customer traffic in the air.

Additional authentication using the MAC address is redundant and unnecessary. 

The option 802.1x EAP + MAC Address found in Configure::WLAN's under Authentication Options is a special feature for a specific customer that uses an insecure version of 802.1x (EAP-MD5) that does not include encryption. User devices are authenticated with 802.1x or MAC address authentication, not both. This feature is really not useful for other customers.

MAC authentication is really difficult to administer since you must gather the MAC address of all devices and populate a RADIUS database with the MAC address prior to the device getting access.  If using Microsoft NPS or IAS you must also decrease the password security requirements to permit the MAC address to be used as a password. 

At this moment 802.1x with AES encryption is considered the most secure solution for wireless networks but requires configuring each device with the correct EAP method and authentication credentials.

 

Article Number:
000002443

Updated:
August 18, 2020 03:49 AM (over 4 years ago)

Tags:
Configuration, Installation, ZoneDirector

Votes:
10

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.

Alert!!

Close