Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 8 Security Setup
Security Overview
MAC address: The access point relays the wireless client device's MAC address to a RADIUS
server on your network, and the server checks the address against a list of allowed MAC addresses.
If you don't have a RADIUS server on your network, you can create the list of allowed MAC
addresses on the access point's Address Filters page. Devices with MAC addresses not on the list
are not allowed to authenticate. Intruders can create counterfeit MAC addresses, so MAC-based
authentication is less secure than EAP authentication. However, MAC-based authentication
provides an alternate authentication method for client devices that do not have EAP capability. See
the "Setting Up MAC-Based Authentication" section on page 8-21 for instructions on enabling
MAC-based authentication.
Figure 8-3 shows the authentication sequence for MAC-based authentication.
Figure 8-3 Sequence for MAC-Based Authentication
Open: Allows any device to authenticate and then attempt to communicate with the access point.
Using open authentication, any wireless device can authenticate with the access point, but the device
can only communicate if its WEP keys match the access point's. Devices not using WEP do not
attempt to authenticate with an access point that is using WEP. Open authentication does not rely on
a RADIUS server on your network.
Figure 8-4 shows the authentication sequence between a device trying to authenticate and an access
point using open authentication. In this example, the device's WEP key does not match the access
point's key, so it can authenticate but not pass data.
[Figure: authentication sequence diagram. Labels: Client device, Access point or bridge, Wired LAN, Server.]
1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request
6. Success
7. Access point or bridge unblocks traffic from client
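The following is an added example, not part of the Cisco guide or Cisco software: a small Python model of the seven-step sequence listed above, treated here as the MAC-based sequence because a server takes part in it. The class, method and message names, the message directions, the handling of a rejected address (traffic simply stays blocked) and the sample MAC addresses are assumptions made for illustration.

```python
# Added illustration: a toy model of the sequence, not Cisco software.
# Class, method and message names are hypothetical; MACs are constructed.

def normalize(mac):
    """Canonical form so 00-40-96-AA-BB-01 and 0040.96aa.bb01 compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class AccessPoint:
    def __init__(self, radius_list=None, address_filters=()):
        # radius_list=None models a network with no RADIUS server.
        self.radius = None if radius_list is None else {normalize(m) for m in radius_list}
        self.filters = {normalize(m) for m in address_filters}
        self.unblocked = set()  # MACs whose traffic the access point passes

    def join(self, claimed_mac):
        """Run the sequence for one client and return the ordered message trace."""
        mac = normalize(claimed_mac)
        trace = ["1 client->AP: authentication request",
                 "2 AP->client: authentication success",
                 "3 client->AP: association request",
                 "4 AP->client: association response (traffic blocked)"]
        if self.radius is not None:
            trace.append("5 AP->server: authentication request")
            allowed = mac in self.radius   # server checks its allowed list
            if allowed:
                trace.append("6 server->AP: success")
        else:
            allowed = mac in self.filters  # local Address Filters list
        # The decision uses nothing but the claimed address, which is why
        # the guide rates this method below EAP authentication.
        if allowed:
            self.unblocked.add(mac)
            trace.append("7 AP unblocks traffic from client")
        return trace

    def passes_traffic(self, mac):
        return normalize(mac) in self.unblocked

if __name__ == "__main__":
    ap = AccessPoint(radius_list=["00:40:96:aa:bb:01"])
    for line in ap.join("0040.96AA.BB01"):
        print(line)
    print(ap.join("00:40:96:aa:bb:99")[-1])  # unlisted: sequence stops at step 5
```
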