How secure is 802.1x EAP and should I add MAC authentication to increase security?
Summary: Security level provided by 802.1x EAP, adding MAC authentication, using the 802.1x + MAC authentication option
Question: How secure is 802.1x and should I add MAC authentication to increase security?
Customer Environment: Wireless clients using Enterprise (802.1x) authentication
Resolution: 802.1x is a very secure method of protecting your wireless network.
Each time the device connects, the user configured on the device is authenticated against a RADIUS server and is given a unique encryption key that changes every 90 seconds.
Removing a user from Active Directory will block device access based on that account. Unique and changing encryption keys make it almost impossible to sniff customer traffic in the air.
Additional authentication using the MAC address is redundant and unnecessary.
The option 802.1x EAP + MAC Address found in Configure::WLAN's under Authentication Options is a special feature for a specific customer that uses an insecure version of 802.1x (EAP-MD5) that does not include encryption. User devices are authenticated with 802.1x or MAC address authentication, not both. This feature is really not useful for other customers.
MAC authentication is really difficult to administer, since you must gather the MAC addresses of all devices and populate a RADIUS database with them before the devices can get access. If using Microsoft NPS or IAS, you must also decrease the password security requirements to permit the MAC address to be used as a password.
At this moment 802.1x with AES encryption is considered the most secure solution for wireless networks but requires configuring each device with the correct EAP method and authentication credentials.
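An added example, not part of the original article or the vendor's tooling: a small Python audit of client profiles against the points above (EAP-MD5 provides no encryption keys, AES is the target cipher). It assumes clients configured through wpa_supplicant; the sample profiles, SSIDs and certificate path are constructed, and the ca_cert check goes beyond what the article covers.

```python
import re

# Constructed sample profiles (credentials omitted), not from the article.
SAMPLE_CONF = '''
network={
    ssid="corp-legacy"
    key_mgmt=IEEE8021X
    eap=MD5
}
network={
    ssid="corp-secure"
    key_mgmt=WPA-EAP
    pairwise=CCMP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="corp-mixed"
    key_mgmt=WPA-EAP
    eap=TTLS
}
'''

def parse_networks(text):
    """Return one {key: value} dict per network={...} block."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop comment lines
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        pairs = (l.split("=", 1) for l in body.splitlines() if "=" in l)
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """List where a profile falls short of 802.1x with AES (CCMP)."""
    findings = []
    eap = net.get("eap", "").upper().split()
    if "MD5" in eap:
        findings.append("EAP-MD5 derives no encryption keys")
    if "WPA-EAP" not in net.get("key_mgmt", "WPA-PSK IEEE8021X").split():
        findings.append("key_mgmt is not WPA-EAP")
    # wpa_supplicant accepts "CCMP TKIP" when pairwise is left unset.
    elif "TKIP" in net.get("pairwise", "CCMP TKIP").split():
        findings.append("TKIP accepted; set pairwise=CCMP for AES only")
    if {"PEAP", "TTLS", "TLS"} & set(eap) and not (net.get("ca_cert") or net.get("ca_path")):
        findings.append("no ca_cert/ca_path: server certificate not verified")
    return findings

def audit_config(text):
    """Map each SSID to its findings; an empty list means the profile passes."""
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}
```

Calling `audit_config(SAMPLE_CONF)` returns an empty list for `corp-secure` and the specific shortfalls for the other two profiles.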
August 18, 2020 03:49 AM
Configuration, Installation, ZoneDirector