Granting network access based on the MAC address is not new; it has been around since the days of LAAs in Token Ring and Ethernet hubs (probably before that too, but that’s as far back as I go). Nor is it terribly secure when compared to other network access methods like EAP and SSL, but the increased deployment of MAC authentication in enterprise networks is definitely happening, and for some good reasons.
Instead of locking MAC addresses to ports, which has proven to be administratively cost prohibitive, MAC authentication leverages a database of MAC addresses, either on a discrete system like Great Bay’s Beacon Endpoint Profiler or a white-list of MAC addresses that resides on the RADIUS server itself. On switches it’s called MAC-Auth-Bypass in Cisco speak, but the major networking vendors all have their own flavor of MAC authentication on their switches.
The primary motivators we’re hearing from enterprise organizations for deploying MAC authentication are:
For increased security -
Although not as strong as supplicant-based 802.1X, if you subscribe to the locked door theory (you know - the one that says most criminals will check the door and if it’s locked they’ll move on without ever checking to see how strong the lock is) then MAC authentication is a meaningful addition to the security of the enterprise LAN. If you can detect MAC spoofing, which is the way to defeat MAC authentication, then MAC authentication is that much more secure.
As a precursor to stronger authentication or NAC -
MAC authentication is an important first step in a phased approach to NAC and/or 802.1X. In some cases, customers are using MAC authentication to vet the 802.1X control plane prior to enforcing authentication, or to overcome challenges such as PXE boot or login scripts that prove difficult to accommodate in an 802.1X deployment. In addition, it remains the method for granting network access for devices such as printers, phones, UPS, WLAN APs, etc. for the life of the deployment.
To provide an answer to the question “do you know what is attached to your network?” -
This question, and the ones related to it, such as “how do you know when a new device is plugged in?”, “how do you maintain a history of endpoint addressing and locations?” and “how do you know which endpoints in the network are actually yours?” can all be answered through the deployment of MAC authentication. Depending on how you gather and maintain the database of endpoints this can be a system that provides important contextual data beyond the MAC such as identity, IP address, and location.
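As an added example (not the author’s code and not any vendor’s product) of the two points above, detecting spoofing and knowing what is attached: this Python replays constructed MAB request records against a MAC white-list, rejects unknown MACs as new devices, and flags a white-listed MAC that shows up at a second switch port within a short window, which for a printer or phone is worth investigating. The record layout, the white-list entries and the window are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed white-list, standing in for the MAC list held on the RADIUS
# server (hypothetical sample entries, not from any real deployment).
WHITELIST = {
    "00:1a:2b:3c:4d:5e": "printer",
    "00:1a:2b:3c:4d:5f": "voip-phone",
}

# Constructed MAB request records. The field layout is an assumption for this
# example, not any switch vendor's real syslog format.
SAMPLE_LOG = """\
2024-05-01T08:00:01 mab mac=00:1a:2b:3c:4d:5e switch=sw1 port=Gi1/0/5
2024-05-01T08:00:07 mab mac=00:1a:2b:3c:4d:5f switch=sw1 port=Gi1/0/9
2024-05-01T08:05:30 mab mac=00:1a:2b:3c:4d:5e switch=sw2 port=Gi1/0/12
2024-05-01T08:06:00 mab mac=00:aa:bb:cc:dd:ee switch=sw1 port=Gi1/0/20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) mab mac=(?P<mac>[0-9a-f:]{17}) switch=(?P<sw>\S+) port=(?P<port>\S+)$"
)

def review_mab_log(log_text, whitelist, move_window=timedelta(minutes=30)):
    """Replay MAB requests against the white-list.

    Returns (decisions, alerts): decisions is a list of (mac, "accept"|"reject")
    in log order; alerts lists MACs missing from the white-list (new devices)
    and white-listed MACs seen at a second location within move_window.
    """
    decisions, alerts = [], []
    last_seen = {}  # mac -> (timestamp, (switch, port)) of the previous request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a MAB record
        ts = datetime.fromisoformat(m["ts"])
        mac, loc = m["mac"], (m["sw"], m["port"])
        if mac not in whitelist:
            decisions.append((mac, "reject"))
            alerts.append(("unknown-device", mac, loc))
            continue
        decisions.append((mac, "accept"))
        prev = last_seen.get(mac)
        if prev and prev[1] != loc and ts - prev[0] <= move_window:
            alerts.append(("possible-spoof", mac, loc))
        last_seen[mac] = (ts, loc)
    return decisions, alerts
```

The location history kept in last_seen is the same data that answers the addressing-and-location question; in practice it would be persisted rather than held in memory.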
Too much diversity for a client based approach -
It isn’t uncommon for companies to research the deployment of 802.1X and/or NAC and realize that the endpoint landscape in their network is just too diverse to make the deployment of a client meaningful. Although this can be true in any network, the most common candidates for making this decision are health care (due to patient care systems), energy (really anyone with SCADA systems), and manufacturing, all of which have highly diverse endpoint types.
There are those that will look down their nose and proclaim that MAC authentication isn’t secure, but I would argue that it’s a meaningful addition to enterprise network security and dramatically easier and less risky to deploy than many of the alternatives.