10-5
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-5260-01
Chapter 10 Configuring Authentication Types
Understanding Authentication Types
MAC Address Authentication to the Network
The access point relays the wireless client device's MAC address to a RADIUS server on your network,
and the server checks the address against a list of allowed MAC addresses. Intruders can create
counterfeit MAC addresses, so MAC-based authentication is less secure than EAP authentication.
However, MAC-based authentication provides an alternate authentication method for client devices that
do not have EAP capability. See the "Assigning Authentication Types to an SSID" section on page 10-10
for instructions on enabling MAC-based authentication.
Tip: If you don't have a RADIUS server on your network, you can create a list of allowed MAC addresses on
the access point's Advanced Security: MAC Address Authentication page. Devices with MAC addresses
not on the list are not allowed to authenticate.
Tip: If MAC-authenticated clients on your wireless LAN roam frequently, you can enable a MAC
authentication cache on your access points. MAC authentication caching reduces overhead because the
access point authenticates devices in its MAC-address cache without sending the request to your
authentication server. See the "Configuring MAC Authentication Caching" section on page 10-15 for
instructions on enabling this feature.
Figure 10-4 shows the authentication sequence for MAC-based authentication.
Figure 10-4 Sequence for MAC-Based Authentication
[Figure: message sequence among the client device, the access point or bridge, and the server on the wired LAN]
1. Authentication request
2. Authentication success
3. Association request
4. Association response (block traffic from client)
5. Authentication request
6. Success
7. Access point or bridge unblocks traffic from client
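The following Python model is an added example, not Cisco code or configuration. It walks steps 3 through 7 of Figure 10-4 with a MAC authentication cache in front of the server, to show what the cache saves and what it costs when an address is removed from the allowed list. The class names, the 1800-second cache lifetime, the choice to cache only successful checks, and the MAC address are assumptions made for the illustration.

```python
import re

def normalize_mac(mac):
    """Reduce dotted, colon or hyphen MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class AuthServer:
    """Stand-in for the RADIUS server that holds the allowed-MAC list."""
    def __init__(self, allowed):
        self.allowed = {normalize_mac(m) for m in allowed}
        self.requests = 0            # how often the access point asked

    def check(self, mac):
        self.requests += 1
        return mac in self.allowed

class AccessPoint:
    def __init__(self, server, cache_ttl=1800):   # lifetime in seconds (assumed)
        self.server, self.cache_ttl = server, cache_ttl
        self.cache = {}              # MAC -> time at which the entry expires
        self.unblocked = set()       # clients whose traffic is forwarded

    def associate(self, mac, now):
        """Steps 3-7 of Figure 10-4; returns who accepted the MAC, or 'rejected'."""
        mac = normalize_mac(mac)
        self.unblocked.discard(mac)              # step 4: block traffic
        if self.cache.get(mac, 0) > now:
            source = "cache"                     # server is not consulted
        elif self.server.check(mac):             # steps 5 and 6
            self.cache[mac] = now + self.cache_ttl   # caching successes only (assumed)
            source = "server"
        else:
            self.cache.pop(mac, None)
            return "rejected"
        self.unblocked.add(mac)                  # step 7: unblock traffic
        return source

def demo():
    server = AuthServer(["02:00:00:00:00:01"])   # constructed address
    ap = AccessPoint(server)
    results = [ap.associate("0200.0000.0001", now=0),      # first association
               ap.associate("02-00-00-00-00-01", now=60)]  # client roams back
    server.allowed.clear()                       # device removed from the list
    results.append(ap.associate("0200.0000.0001", now=120))   # cache still valid
    results.append(ap.associate("0200.0000.0001", now=1801))  # entry has expired
    return results, server.requests

if __name__ == "__main__":
    print(demo())
```

In this model the removed address keeps authenticating from the cache until its entry expires, so the cache lifetime is also the delay before a removal from the server's list takes effect on that access point.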