Manage Port Access
WLANs can include or exclude devices based on MAC addresses using access control lists (ACLs). For more on MAC filtering, skip ahead to Chapter 8, “Wireless Security: Next Steps.” Although this type of ACL is easy to implement and manage on small networks, it is tough to manage in large and dynamic networks because individual MAC addresses have to be entered manually for each authorized device. Obviously, this is laborious.
Attacking with MAC
Because ACLs use MAC addresses, they are also prone to attack. An intruder can sit
nearby and pick up traffic between the AP and authorized clients. Although the
contents of a WEP conversation are encrypted, the MAC address is not. As a result, an
attacker can do one of two things:
• The patient attacker can wait until the monitored station disassociates from the
network, and then simply reconfigure the network interface card (NIC) to
broadcast the intercepted MAC address.
• The impatient attacker can simply send a disassociate request to the AP, bumping
the legitimate station off the WLAN. Before the legitimate station can reassociate,
the attacker can associate with the spoofed MAC address.
The LAN Port Access Control framework, outlined by the 802.1X standard, helps
control access to one’s WLAN.
802.1X Protocols
802.1X can be thought of as a control inside your Ethernet switches and APs. The control starts in the OFF position. It considers 802.1X authentication requests and, if it decides to grant access, moves to the ON position. When the station later times out or disconnects, the control moves back to the OFF position.
Although the credibility of WEP has taken a beating, it’s not totally out of the WLAN
security game. WEP is a necessary part of an 802.1X deployment. WEP, used in
conjunction with 802.1X, is far more secure than when it is used in static deployments.
An even more robust security mechanism, Wi-Fi Protected Access (WPA), is discussed
later in this chapter.
There are several protocols used with the 802.1X standard for LAN Port Access
Control. Within the 802.1X framework, a LAN station is not allowed to pass traffic
through an Ethernet device or WLAN AP until it has successfully authenticated itself.
After it has been authenticated, the client can pass traffic on the LAN.
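As an added illustration (not code from this book or from Cisco), the following Python model contrasts the MAC ACL described earlier, which authorizes on the unencrypted source MAC alone, with an 802.1X controlled port that starts OFF, passes only EAPOL frames (EtherType 0x888E) until the station authenticates, and returns to OFF on session timeout or disconnect. The credential store, the shared-secret comparison standing in for a real EAP exchange, the session timeout value, the MAC address, and the frame dictionaries are all assumptions constructed for the example.

```python
"""802.1X controlled-port model beside a plain MAC ACL (constructed example).

Frames are plain dicts; the "authenticator" checks an assumed identity/secret
store in place of a real EAP exchange with a RADIUS server.
"""
from dataclasses import dataclass, field
import hmac
import time

EAPOL_ETHERTYPE = 0x888E  # EAPOL frames carry the authentication exchange


class MacAcl:
    """Authorization rests entirely on the source MAC in the frame header."""

    def __init__(self, allowed):
        self.allowed = {m.lower() for m in allowed}

    def permits(self, frame):
        # Nothing but the (unencrypted) source MAC is consulted, so any
        # station presenting a listed MAC is admitted.
        return frame["src"].lower() in self.allowed


@dataclass
class Dot1xPort:
    """A per-station control that is OFF until authentication succeeds."""

    credentials: dict                      # identity -> secret (assumed store)
    session_timeout: float = 3600.0        # seconds before the control resets
    authorized: dict = field(default_factory=dict)  # mac -> session expiry

    def state(self, mac, now=None):
        now = time.time() if now is None else now
        expiry = self.authorized.get(mac)
        if expiry is None:
            return "OFF"
        if now >= expiry:
            del self.authorized[mac]   # session timed out: back to OFF
            return "OFF"
        return "ON"

    def authenticate(self, mac, identity, secret, now=None):
        # Stand-in for the EAP exchange: a constant-time secret comparison.
        now = time.time() if now is None else now
        expected = self.credentials.get(identity)
        if expected is None or not hmac.compare_digest(expected, secret):
            return False
        self.authorized[mac] = now + self.session_timeout  # control -> ON
        return True

    def disconnect(self, mac):
        # Station left the WLAN: control returns to OFF immediately.
        self.authorized.pop(mac, None)

    def permits(self, frame, now=None):
        # EAPOL passes on the uncontrolled port so authentication can happen;
        # all other traffic requires the controlled port to be ON.
        if frame.get("ethertype") == EAPOL_ETHERTYPE:
            return True
        return self.state(frame["src"], now) == "ON"


def demo():
    """Walk both mechanisms through the same station (constructed values)."""
    station = "00:11:22:33:44:55"            # assumed station MAC
    data = {"src": station, "ethertype": 0x0800}  # ordinary IPv4 frame

    acl = MacAcl([station])
    port = Dot1xPort(credentials={"alice": "s3cret"}, session_timeout=60)

    results = {}
    # The ACL admits any frame carrying a listed MAC, legitimate or cloned.
    results["acl_listed_mac"] = acl.permits(data)
    # The 802.1X control starts OFF: the same frame is dropped.
    results["port_before_auth"] = port.permits(data, now=0)
    # A failed exchange leaves the control OFF.
    results["bad_secret"] = port.authenticate(station, "alice", "wrong", now=0)
    # A successful exchange moves the control to ON and traffic flows.
    results["good_auth"] = port.authenticate(station, "alice", "s3cret", now=0)
    results["port_after_auth"] = port.permits(data, now=1)
    # Once the session times out the control moves back to OFF.
    results["port_after_timeout"] = port.permits(data, now=61)
    # Re-authenticate, then disconnect: the control drops to OFF at once.
    port.authenticate(station, "alice", "s3cret", now=100)
    port.disconnect(station)
    results["port_after_disconnect"] = port.permits(data, now=101)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:22s} permitted={outcome}")
```

The contrast the block is meant to make visible: the ACL's decision depends on a value any nearby station can read, whereas the 802.1X port never forwards data until the station has proven something the frame header does not reveal, and it re-closes on its own when the session ends.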
There are 43 protocols that work within the framework of 802.1X authentication. Some
of the popular protocols you are likely to see in Cisco wireless networking include a
variety of Extensible Authentication Protocol (EAP) authentication frameworks. These
are covered in the sections that follow.