Chapter 8 Security Setup

Security Overview

MAC address—The access point relays the wireless client device's MAC address to a RADIUS server on your network, and the server checks the address against a list of allowed MAC addresses. If you don't have a RADIUS server on your network, you can create the list of allowed MAC addresses on the access point's Address Filters page. Devices whose MAC addresses are not on the list are not allowed to authenticate, and the access point keeps their traffic blocked. Intruders can counterfeit (spoof) MAC addresses, so MAC-based authentication is less secure than EAP authentication. However, MAC-based authentication provides an alternate authentication method for client devices that do not have EAP capability. See the "Setting Up MAC-Based Authentication" section on page 8-21 for instructions on enabling MAC-based authentication.

Figure 8-3 shows the authentication sequence for MAC-based authentication.

Figure 8-3 Sequence for MAC-Based Authentication

[Figure 8-3, sequence diagram between a client device, an access point or bridge, and a server on the wired LAN]

1. Authentication request (client to access point)
2. Authentication success (access point to client)
3. Association request (client to access point)
4. Association response (access point to client; traffic from client is blocked)
5. Authentication request (access point to server)
6. Success (server to access point)
7. Access point or bridge unblocks traffic from client
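The seven-step exchange in Figure 8-3, modelled as a small state machine so the order of events is explicit: the client completes 802.11 authentication and association first, the access point blocks its traffic, and only a positive answer for the relayed MAC address unblocks it. This is an illustrative example added for this page, not Cisco firmware; the allow-list entries, client addresses and the `LocalAddressFilter` class (standing in for either the Address Filters page or a RADIUS server) are constructed for the example. The last case shows the caveat from the text: a client that presents a counterfeit but allowed address is admitted exactly like the legitimate one.

```python
"""MAC-based authentication gate from Figure 8-3 (illustrative, not Cisco code)."""
import re

# Constructed allow-list, written the way an administrator might type entries
# (colon, dash and Cisco dotted notation all occur in practice).
ALLOWED_ADDRESSES = ["00:40:96:A1:B2:C3", "00-40-96-a1-b2-c4", "0040.96a1.b2c5"]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the canonical lower-case colon form; reject anything that is not
    exactly 12 hex digits once separators are stripped."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class LocalAddressFilter:
    """Stand-in (assumed) for the address list the access point consults, whether
    it lives on the Address Filters page or on a RADIUS server."""

    def __init__(self, allowed):
        self.allowed = {normalize_mac(a) for a in allowed}

    def is_allowed(self, mac: str) -> bool:
        return normalize_mac(mac) in self.allowed


class AccessPoint:
    """Per-client gate: traffic is forwarded only after step 6 succeeds."""

    def __init__(self, authenticator):
        self.authenticator = authenticator
        self.forwarding = set()  # clients whose traffic has been unblocked

    def admit(self, client_mac: str) -> list:
        """Run the exchange for one client and return the message trace."""
        mac = normalize_mac(client_mac)
        trace = [
            "1. client -> ap: authentication request",
            "2. ap -> client: authentication success",
            "3. client -> ap: association request",
            "4. ap -> client: association response (traffic from client blocked)",
        ]
        self.forwarding.discard(mac)  # associated, but not yet forwarding
        trace.append(f"5. ap -> server: authentication request for {mac}")
        # The check is on the address the client presented; a spoofed address
        # that is on the list passes this check just as a real one does.
        if self.authenticator.is_allowed(mac):
            trace.append("6. server -> ap: success")
            self.forwarding.add(mac)
            trace.append("7. ap unblocks traffic from client")
        else:
            trace.append("6. server -> ap: reject (traffic from client stays blocked)")
        return trace

    def forwards(self, mac: str) -> bool:
        return normalize_mac(mac) in self.forwarding


if __name__ == "__main__":
    ap = AccessPoint(LocalAddressFilter(ALLOWED_ADDRESSES))
    for label, addr in [("listed client", "0040.96A1.B2C3"),
                        ("unlisted client", "00:11:22:33:44:55"),
                        ("intruder spoofing a listed address", "00-40-96-A1-B2-C4")]:
        print(f"--- {label} ({addr})")
        print("\n".join(ap.admit(addr)))
        print("forwarding:", ap.forwards(addr))
```

Because the decision rests only on the address the client claims, the filter provides access control against accidental connections, not against an attacker who has observed a permitted address on the air.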

Open—Allows any device to authenticate and then attempt to communicate with the access point. Using open authentication, any wireless device can authenticate with the access point, but the device can only communicate if its WEP keys match the access point’s. Devices not using WEP do not attempt to authenticate with an access point that is using WEP. Open authentication does not rely on a RADIUS server on your network.

Figure 8-4 shows the authentication sequence between a device trying to authenticate and an access point using open authentication. In this example, the device's WEP key does not match the access point's key, so it can authenticate but not pass data.
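Why a device with a mismatched key can authenticate but not pass data: under open authentication the access point answers every authentication request with success, and the key only matters when a data frame arrives. The example below, added here and not taken from the guide, reproduces the WEP frame protection the access point applies (RC4 keyed with IV plus shared key, and a CRC-32 integrity check value) and shows a frame from a client with the wrong key failing the ICV check. The keys, IV and payload are constructed; the key-ID byte that follows the IV in a real frame is omitted for brevity. WEP and RC4 appear here only to illustrate the mechanism described on this page; both are broken and should not be used to protect anything.

```python
"""Open authentication followed by a WEP data frame (illustrative, not Cisco code)."""
import struct
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 keystream generator XORed over data (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(data: bytes) -> bytes:
    # WEP ICV: CRC-32 of the plaintext, transmitted little-endian.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return iv || RC4(iv || key, plaintext || ICV). Key-ID byte omitted."""
    if len(iv) != 3 or len(wep_key) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 40- or 104-bit key")
    return iv + rc4(iv + wep_key, plaintext + _icv(plaintext))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV does not verify (wrong key
    or tampered frame). A wrong key yields a random ICV, so a 2^-32 chance of
    a false accept remains; that is WEP's design, not a bug in this model."""
    iv, body = frame[:3], frame[3:]
    if len(iv) != 3 or len(body) < 4:
        return None
    clear = rc4(iv + wep_key, body)
    data, icv = clear[:-4], clear[-4:]
    return data if _icv(data) == icv else None


def open_auth_then_data(ap_key: bytes, client_key: bytes, payload: bytes) -> dict:
    """Model the Figure 8-4 exchange: open authentication always succeeds; the
    data frame is accepted only when the client's key matches the AP's."""
    authenticated = True  # open system: any request is answered with success
    frame = wep_encrypt(client_key, b"\x00\x00\x01", payload)  # constructed IV
    recovered = wep_decrypt(ap_key, frame)
    return {"authenticated": authenticated,
            "data_accepted": recovered is not None,
            "recovered": recovered}


if __name__ == "__main__":
    AP_KEY = bytes.fromhex("0102030405")          # constructed 40-bit key
    WRONG_KEY = bytes.fromhex("0a0b0c0d0e")       # constructed mismatched key
    print(open_auth_then_data(AP_KEY, AP_KEY, b"hello AP"))
    print(open_auth_then_data(AP_KEY, WRONG_KEY, b"hello AP"))
```

The second call prints `authenticated: True` with `data_accepted: False`, which is the state Figure 8-4 describes: the association exists, but every data frame from that client is discarded at the integrity check.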

Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
8-5