
Mac authentication – Brocade Mobility Access Point System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


53-1003100-01


Before defining an 802.1X EAP, EAP-PSK or EAP MAC supported configuration on a WLAN, refer to
the following deployment guidelines to ensure the configuration is optimally effective:

Brocade recommends a valid certificate be issued and installed on devices providing 802.1X
EAP. The certificate should be issued from an Enterprise or public certificate authority to allow
802.1X clients to validate the identity of the authentication server prior to forwarding
credentials.

If using an external RADIUS server for EAP authentication, Brocade recommends the round trip
delay over the WAN does not exceed 150 ms. Excessive delay over a WAN can cause
authentication and roaming issues and impact wireless client performance.

MAC Authentication

Configuring WLAN Security

MAC is a device-level authentication method used to augment other security schemes. MAC can be
used with no encryption (open), or with WEP 64, WEP 128, KeyGuard, TKIP or CCMP.

MAC authentication enables device-level authentication by permitting WLAN access based on
device MAC address. MAC authentication is typically used to augment WLAN security options that
do not use authentication (such as static WEP,
WPA-PSK and WPA2-PSK). MAC authentication can also be used to assign VLAN memberships,
Firewall policies and time and date access restrictions.

MAC authentication can only identify devices, not users. It references only the MAC address of a
client’s wireless interface card when authenticating the device; it does not evaluate the
credentials of the device’s user. MAC authentication is somewhat poor as a standalone
data protection technique, as MAC addresses can be easily spoofed by hackers who can mimic a
trusted device within the network.

MAC authentication is enabled per WLAN, augmented with the use of a RADIUS server to
authenticate each device. A device’s MAC address can be authenticated against an access point’s
local RADIUS server (if supported) or centrally (from a datacenter). For RADIUS server compatibility,
the MAC address can be forwarded to the RADIUS server in non-delimited and/or
delimited formats:
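An added example, not taken from the Brocade guide: because the access point may forward the address with or without delimiters, a RADIUS-side device lookup should reduce every accepted layout to one canonical form before matching, and reject anything malformed. The layouts below are common conventions rather than the guide's own list, and `ALLOWED_DEVICES`, `canonical_mac` and `authorize` are hypothetical names with constructed sample values.

```python
import re

# Constructed allowlist: canonical MAC (12 lowercase hex digits) -> policy.
# Device names and VLAN ids are sample values, not from the guide.
ALLOWED_DEVICES = {
    "001122aabbcc": {"device": "warehouse-scanner-01", "vlan": 30},
    "0011223344ff": {"device": "lobby-printer", "vlan": 40},
}

# Accepted layouts (assumed): no delimiter, pairs split by ':' or '-',
# quads split by '.', halves split by '-'. Mixed delimiters are not accepted.
_LAYOUTS = [
    re.compile(r"[0-9a-f]{12}"),
    re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{2}(-[0-9a-f]{2}){5}"),
    re.compile(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}"),
    re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}"),
]

def canonical_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a well-formed MAC."""
    if not isinstance(value, str):
        return None
    v = value.strip().lower()
    if not any(p.fullmatch(v) for p in _LAYOUTS):
        return None  # mixed delimiters, wrong length, or non-hex characters
    return re.sub(r"[:.\-]", "", v)

def authorize(identity):
    """Decide on a MAC-auth request given the MAC string the access point sent."""
    mac = canonical_mac(identity)
    if mac is None:
        return {"result": "reject", "reason": "malformed"}
    if int(mac[:2], 16) & 0x01:
        # Group (multicast/broadcast) bit set: never a valid station address.
        return {"result": "reject", "reason": "multicast"}
    entry = ALLOWED_DEVICES.get(mac)
    if entry is None:
        return {"result": "reject", "reason": "unknown"}
    return {"result": "accept", "mac": mac, **entry}

if __name__ == "__main__":
    samples = ["001122AABBCC", "00:11:22:aa:bb:cc", "00-11-22-AA-BB-CC", "0011.22aa.bbcc",
               "001122-aabbcc", "00:11-22:aa:bb:cc", "ff:ff:ff:ff:ff:ff"]  # constructed
    for sample in samples:
        print(sample, "->", authorize(sample))
```

An accept here only shows that the request carried an allowed address; as noted above, it says nothing about the user and does not detect a spoofed address.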

To configure MAC authentication on a WLAN:

1. Select the Configuration tab from the Web UI.

2. Select Wireless.

3. Select Wireless LANs to display a high level display of existing WLANs.

4. Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to
modify its security properties.

5. Select Security.

6. Select MAC as the Authentication Type.

7. Selecting MAC enables the radio buttons for the Open, WEP 64, WEP 128, WPA/WPA2-TKIP,
WPA2-CCMP and Keyguard encryption options as additional measures for the WLAN.

8. Either select an existing AAA Policy from the drop-down menu or select the Create icon to the
right of the AAA Policy parameter to display a screen where new AAA policies can be created. A
default AAA policy is also available if configuring a WLAN for the first time and there are no
existing policies. Select the Edit icon to modify the configuration of a selected AAA policy.