Mike,

As others have stated, MAC authentication for full network access is not considered a best practice. With the ease of spoofing MAC addresses, it should be considered a security risk.

That said, at Emory we DO use MAC auth for users to bypass the captive portal for our GUEST network. Our Guest network is severely restricted (bandwidth limited, with only web and VPN access). We implemented the MAC auth bypass last fall to accommodate what we call PWDs - Personal Wireless Devices. These are defined as devices that can connect to a wireless network but can't do strong authentication. Some examples are iPhones, PDAs, dual-mode cell phones (cell/Wi-Fi - like T-Mobile), game consoles, TiVos, etc. This was implemented specifically to support iPhones in the dorms, where policy dictates no guest access. While this will be a moot point after July 11th (the iPhone is getting an 802.1x supplicant that works very well, according to the reports I've heard), other devices still need access. Try telling a dorm resident that they cannot connect their TiVo or game console to the wireless network...

While we've built a web app to enter MAC addresses and associated information (NetID, type of device, etc.), we restrict its use to a very limited number of IT staff. The registration process is manual in that we need to physically see the device to get its MAC and ensure it is a PWD. For Move-In Weekend, the IT staff can register devices in the dorms. During the school year, students must bring their devices to the clean room to get them registered. We had a lot of iPod Touches registered in January - I guess it was a popular Christmas gift.

The PWDs have a very restrictive role on the network, similar to our guest access role. Since we know what the device is and who owns it, we do open some additional ports, such as secure mail and TiVo support. We eventually want to put different devices in specific roles; iPhones get different roles from TiVos or game consoles. That enhancement will be completed when I have time - maybe this fall.

Let me know if you have any questions...
>>-> Stan Brooks - CWNA/CWSP
Emory University Network Communications Division
404.727.0226
AIM/Y!/Twitter: WLANstan
MSN: [EMAIL PROTECTED]
GoogleTalk: [EMAIL PROTECTED]

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Tuesday, July 01, 2008 9:58 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Using MAC Authentication

We are considering using MAC authentication to allow users to bypass the captive portal web login page to access our wireless network. This is considered sort of a stop-gap measure until 802.1x is fully implemented.

Is anyone maintaining (by harvesting or user-initiated manual entry) a MAC auth table after initial captive portal login so that users can bypass the web login page every time they connect? We are considering a manual opt-in process instead of an auto-harvest, and we would not harvest MAC addresses of folks with guest accounts. Is this generally a good idea? What is the downside of not making users sign in every session?

As an aside, we are considering extending the DHCP lease times and the reauth intervals so that users don't have to log in again if they walk to class from their dorms, etc.

We are an Aruba shop. We currently have an open SSID, no encryption, with captive portal as the only point of authentication. 802.1x rollout expected soon.

As always, thanks for the help!

Mike

***************************************************************
Michael Dickson                  Phone: 413-545-9639
Network Analyst                  [EMAIL PROTECTED]
University of Massachusetts
Network Systems and Services
***************************************************************

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
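An added example (not code from Emory, Aruba, or either poster) of the opt-in registration flow Stan describes: a staff-only registry keyed by MAC, canonicalization of the MAC formats staff might type in, rejection of addresses that can never belong to a station, and a lookup that either bypasses the portal into a restricted per-device role or falls back to the captive portal. The staff list, device types and port sets are constructed placeholders.

```python
import re

# Constructed policy: every PWD gets the guest-like baseline (web + VPN),
# and a known device type may add a few ports, as Stan's post describes.
BASE_PORTS = frozenset({80, 443, 500, 4500})
EXTRA_PORTS = {                          # hypothetical per-type additions
    "phone": frozenset({587, 993}),      # secure mail (submission, IMAPS)
    "dvr": frozenset({8080}),            # placeholder; real DVR ports vary
    "console": frozenset(),
}
REGISTRARS = {"itstaff1", "itstaff2"}    # constructed: the few staff who may register

def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex;
    return lower-case colon form. Reject non-unicast and all-zero addresses."""
    hexdigits = re.sub(r"[:\-.\s]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(hexdigits[:2], 16) & 0x01:    # I/G bit set: multicast/broadcast, never a station
        raise ValueError(f"multicast/broadcast MAC: {raw!r}")
    if hexdigits == "0" * 12:
        raise ValueError("all-zero MAC")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def register(registry: dict, raw_mac: str, netid: str, device_type: str, staff: str) -> str:
    """Manual opt-in entry by authorized IT staff; one MAC belongs to one NetID."""
    if staff not in REGISTRARS:
        raise PermissionError(f"{staff} may not register devices")
    if device_type not in EXTRA_PORTS:
        raise ValueError(f"unknown device type {device_type!r}")
    mac = normalize_mac(raw_mac)
    if mac in registry and registry[mac]["netid"] != netid:
        raise ValueError(f"{mac} already registered to another NetID")
    registry[mac] = {"netid": netid, "type": device_type, "by": staff}
    return mac

def authorize(registry: dict, raw_mac: str) -> dict:
    """What the controller would get back: a known PWD skips the portal and lands
    in a restricted role; anyone else is sent to the captive portal."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return {"action": "reject"}
    entry = registry.get(mac)
    if entry is None:
        return {"action": "captive-portal"}
    return {"action": "bypass", "role": f"pwd-{entry['type']}", "netid": entry["netid"],
            "allowed_ports": sorted(BASE_PORTS | EXTRA_PORTS[entry["type"]])}
```

Because the only thing checked here is the MAC, a spoofed address inherits the registered role, which is why the role stays as restrictive as guest access and the registry is tied to a NetID for accountability.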