[Dshield] Wireless MAC Authentication options.

Hernandez, Moses MHernandez3 at mercymiami.org
Tue Aug 23 15:55:12 GMT 2005

As far as MAC address authentication goes, I would suggest using it only
where necessary. For wireless networks I would recommend PEAP (Protected
EAP) MS-CHAP-v2, or if you are thinking that you want to go proprietary
with a Cisco protocol, then I would use EAP-FAST.

Protected EAP (MS-CHAP-v2) can be set up extremely simply. You need to
put a certificate on the server that does the authentication (RADIUS,
like Microsoft IAS, Cisco ACS, Funk Steel-Belted Radius or something of
this nature). You will need to set up a WDS of some sort. Once you set
this up, however, you will have a very, very secure wireless network with
WPA and it will be extremely easy to manage users who are allowed onto

Additionally, the 802.1x framework for authentication at the moment only
allows for username/password. The framework design never considered the
fact that some network-attached devices cannot do username/password. At
this point printers and other objects can do MAC authentication, but my
rule of thumb, for manageability and to reduce the number of ways people
can get into the LAN/WAN, is that MAC address authentication should be no
more than 20%.

Now wireless has so widespread a footprint that I would never use MAC
authentication as a logon method, because MAC addresses can be spoofed
and forged.

Moses Hernandez, CISSP

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Chandan
Sent: Monday, August 22, 2005 12:57 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Wireless MAC Authentication options.

Hi Chris,

Your solution is not good, because if somebody has spoofed a MAC address,
then what can you do about it? Go for an authentication method or AP SSID.
And the MAC authentication method will slow down the speed.
Chandan Sharma

On 6/20/05, Chris Mitchell <cmitchell at smtusa.com> wrote:
> I have recently been contracted by a client of mine to implement a
> network for a small school (500 students).  I would like opinions on
> Address Authentication methods.  This is a Windows based network, and
> solution should be fairly simple so that it is manageable by the
> Any input is greatly appreciated.
> Thanks
> Chris