MAC-Based Access Control is one method for preventing unauthorized access to the Wireless LAN. This article discusses how MAC-Based Access Control works and provides step-by-step configuration instructions for Microsoft NPS and Dashboard.
MAC-Based Access Control
It is critical to control which devices can access the wireless LAN. MAC-Based Access Control can be used to provide port-based network access control on MR series access points. With MAC-Based Access Control, a device must be authenticated by a RADIUS server before it is granted network access on an SSID. The AP (the RADIUS client) sends a RADIUS Access-Request to the RADIUS server containing a username and password for the connecting wireless device. Both the username and the password are always the MAC address of the connecting device, in lower case and without delimiting characters. If a policy on the RADIUS server specifies that the device should be granted access and the credentials are correct, the server responds with an Access-Accept. On receiving it, the AP grants the device network access on the SSID. If the RADIUS server replies with an Access-Reject because the device does not match any policy, the AP denies network access. Below is a diagram showing a successful authentication.
![Mac Mac](/uploads/1/2/6/3/126356870/615015986.jpg)
A practical tip for tracing a client back to its physical switch port: when a large number of MAC addresses show up on a single port, there is usually another switch on that port, and those addresses belong to hosts connected behind it. If the network is all Cisco, `show cdp neighbors` (or `sh cdp nei`) identifies that next switch. To list only the MAC address(es) learned on one port, use `show mac address-table interface Gi0/24` (or `show mac address-table | include 0/24`); note that on a switch `show ip arp` reports the Layer 3 interface (typically an SVI such as Vlan1) rather than the physical access port, so it does not filter by port.
Finding Mac Address For Cisco Access Control Software
MAC-Based Access Control has security implications which must be considered. First, it is not an association method that supports wireless encryption: frames on the SSID are sent in the clear at Layer 2, so clients must rely on upper-layer protocols such as TLS or IPsec to protect their traffic once they have network access. Second, the credentials themselves are weak. Because the MAC address of the device serves as both username and password, and MAC addresses are carried unencrypted in every 802.11 frame, an attacker who observes an authenticated client can gain network access simply by spoofing that client's MAC address. Below are the steps necessary, in order, to deploy MAC-Based Access Control using Microsoft NPS.
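The exchange described above, modelled end to end as an added example (illustrative code, not Meraki or NPS software): the AP side builds an RFC 2865 Access-Request carrying the MAC as User-Name and as a PAP-hidden User-Password; the server side recovers the password, applies an allow-list that stands in for the NPS network policy (the MAC must appear in the list and the password must equal the username), and answers with an Access-Accept or Access-Reject whose Response Authenticator the AP verifies. The shared secret, the NAS-Identifier `MR-AP-01`, the MAC addresses and the allow-list are all constructed for the demonstration. The third call at the bottom shows the weakness the text describes: a spoofed MAC is accepted exactly like the genuine device.

```python
"""Worked model of the MAC-based access control RADIUS exchange (RFC 2865, PAP).

Added example, not Meraki or NPS code. The shared secret, NAS-Identifier, MAC
addresses and allow-list are constructed for the demonstration.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32     # attribute types

SHARED_SECRET = b"constructed-shared-secret"            # assumed: configured on both AP and NPS
ALLOWED_MACS = {"aabbccddeeff", "0a1b2c3d4e5f"}         # constructed allow-list standing in for the NPS policy


def mac_credential(mac: str) -> str:
    """The AP sends the MAC lower-case with delimiters stripped, as both username and password."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous ciphertext block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def pap_unhide(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of pap_hide; the key chain uses the hidden (ciphertext) blocks, so it is a separate loop."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value   # length counts type and length bytes


def build_access_request(mac: str, nas_id: str, ident: int, secret: bytes = SHARED_SECRET,
                         req_auth: bytes = b"") -> bytes:
    """AP (RADIUS client) side: Access-Request with the MAC as User-Name and User-Password."""
    cred = mac_credential(mac).encode()
    req_auth = req_auth or os.urandom(16)                  # Request Authenticator: 16 random bytes
    attrs = (_attr(USER_NAME, cred)
             + _attr(USER_PASSWORD, pap_hide(cred, secret, req_auth))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_packet(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {attr type: value})."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        kind, alen = pkt[i], pkt[i + 1]
        attrs[kind] = pkt[i + 2:i + alen]
        i += alen
    return code, ident, pkt[4:20], attrs


def radius_server(pkt: bytes, secret: bytes = SHARED_SECRET, allowed=ALLOWED_MACS) -> bytes:
    """NPS side: recover the password, apply the MAC policy, answer Accept or Reject.
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = pap_unhide(attrs.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    ok = code == ACCESS_REQUEST and user == password and user in allowed
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()


def authenticate(mac: str, nas_id: str = "MR-AP-01", ident: int = 7) -> str:
    """Run one full exchange and verify the server's Response Authenticator on the AP side."""
    req = build_access_request(mac, nas_id, ident)
    resp = radius_server(req)
    code, rid, resp_auth, _ = parse_packet(resp)
    expected = hashlib.md5(resp[:4] + req[4:20] + SHARED_SECRET).digest()
    if rid != ident or resp_auth != expected:
        return "invalid response"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(code, "unknown")


if __name__ == "__main__":
    print(authenticate("AA:BB:CC:DD:EE:FF"))   # device on the allow-list
    print(authenticate("00:11:22:33:44:55"))   # unknown device
    print(authenticate("aa-bb-cc-dd-ee-ff"))   # attacker spoofing the allowed MAC: accepted just the same
```

The server never sees anything that distinguishes the genuine client from the spoofed one: the policy has only the MAC to go on, which is exactly why this mode should be treated as device identification rather than authentication.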
Finding Mac Address For Cisco Access Control Router
Checking MAC Addresses on a Cisco Switch
![Finding mac address for cisco access control devices Finding mac address for cisco access control devices](/uploads/1/2/6/3/126356870/995446803.gif)
The MAC addresses a switch has learned are listed with the command `show mac address-table`. The addresses are stored in a table called the bridge forwarding table or CAM table. Switches maintain a table of both static and dynamically learned MAC addresses (a switch forwards on Layer 2 addresses, not IP addresses). Cisco switches have a number of special built-in addresses, such as the 4 static addresses in the output above. For example, the first entry, `0009.e897.d280`, is a static entry reflecting the MAC address of the switch itself. In the above example, 3 systems are connected to the switch on ports 1, 12, and 18. Their addresses are reported as dynamic addresses. You can view just the static or just the dynamic MAC addresses with the commands `show mac address-table static` and `show mac address-table dynamic`.

You can also view the MAC addresses using the `show interfaces` command, but that gives you a lot of extra information as well, so it isn't as easy to see the MAC addresses for all interfaces at a glance. A MAC address for the switch can be seen in line 2 of the output of the command (the line beginning "Hardware is ..., address is ..."). A lot more information is actually output than what is shown.

The `show arp` command will also show some MAC addresses, but only those with which the switch has had some communication at the IP level, that is, hosts it has resolved through ARP. The MAC address table, by contrast, shows Ethernet-level communications seen on each port. In the example above, the `192.168.0.50` address represents the IP address of the system from which I was logged into the switch. The switch IP address was `192.168.0.4`.
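To make the switch commands concrete, here is an added example (not from the referenced articles and not a Cisco tool) that parses captured `show mac address-table` and `show ip arp` output, separates static from dynamic entries, finds the port a given MAC was learned on, flags ports carrying many MACs (the sign of a downstream switch mentioned in the tip earlier), and joins the two tables to attach an IP address where ARP knows one. The sample output is constructed to match the page's description (switch address `0009.e897.d280`, hosts on ports 1, 12 and 18) plus a fourth port, `Fa0/24`, with three MACs behind it; the column layout follows the Catalyst IOS format, and every address other than the switch's own is made up.

```python
"""Parse Cisco IOS `show mac address-table` and `show ip arp` output and correlate them.

Added example; not from the page's references and not a Cisco tool. The sample
output is constructed to match the page's description (switch MAC 0009.e897.d280,
hosts on ports 1, 12 and 18) plus one port, Fa0/24, with several MACs behind it.
"""
import re
from collections import defaultdict

MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    0009.e897.d280    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0180.c200.0000    STATIC      CPU
   1    0011.2233.4455    DYNAMIC     Fa0/1
   1    0011.2233.6677    DYNAMIC     Fa0/12
   1    0011.2233.8899    DYNAMIC     Fa0/18
   1    00aa.bbcc.0001    DYNAMIC     Fa0/24
   1    00aa.bbcc.0002    DYNAMIC     Fa0/24
   1    00aa.bbcc.0003    DYNAMIC     Fa0/24
Total Mac Addresses for this criterion: 10
"""

ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.4             -   0009.e897.d280  ARPA   Vlan1
Internet  192.168.0.50            3   0011.2233.4455  ARPA   Vlan1
"""

CISCO_MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
MAC_LINE = re.compile(r"^\s*(\S+)\s+" + CISCO_MAC + r"\s+(STATIC|DYNAMIC)\s+(\S+)\s*$", re.I)
ARP_LINE = re.compile(r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+" + CISCO_MAC + r"\s+ARPA\s+(\S+)", re.I)


def to_cisco(mac: str) -> str:
    """Normalise any spelling (aa:bb:cc:dd:ee:ff, AA-BB-..., aabbccddeeff) to Cisco dotted form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text: str) -> list:
    """One dict per table entry; header, rule and 'Total' lines do not match and are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_LINE.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            rows.append({"vlan": vlan, "mac": mac.lower(), "type": kind.upper(), "port": port})
    return rows


def parse_arp(text: str) -> dict:
    """Map MAC -> (IP, interface). The interface is the SVI (Vlan1), never a physical port."""
    out = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, _age, mac, iface = m.groups()
            out[mac.lower()] = (ip, iface)
    return out


def mac_to_port(rows, mac: str):
    """Physical port a MAC was dynamically learned on; None if the switch has not seen it."""
    wanted = to_cisco(mac)
    return next((r["port"] for r in rows if r["mac"] == wanted and r["type"] == "DYNAMIC"), None)


def ports_with_many_macs(rows, threshold: int = 2) -> dict:
    """Ports with >= threshold dynamic MACs: the usual sign of another switch, hub or AP on that port."""
    by_port = defaultdict(list)
    for r in rows:
        if r["type"] == "DYNAMIC":
            by_port[r["port"]].append(r["mac"])
    return {p: macs for p, macs in by_port.items() if len(macs) >= threshold}


def host_report(mac_text: str, arp_text: str) -> list:
    """Join the tables: each dynamically learned MAC with its port and, where ARP knows it, its IP."""
    arp = parse_arp(arp_text)
    return [{"mac": r["mac"], "port": r["port"], "ip": arp.get(r["mac"], (None, None))[0]}
            for r in parse_mac_table(mac_text) if r["type"] == "DYNAMIC"]


if __name__ == "__main__":
    for host in host_report(MAC_TABLE, ARP_TABLE):
        print(host)
    print("possible downstream switch on:", list(ports_with_many_macs(parse_mac_table(MAC_TABLE))))
```

Feed it the text captured from a real session (`show mac address-table` and `show ip arp` pasted into the two strings) and the report gives, per host, the port to walk to and the IP to look for; the hosts with no IP are the ones the switch has only seen at Layer 2, which is exactly the set `show arp` alone would miss.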