MAC Authentication Primer
MAC address authentication itself is not a new idea. One classic flavor of this is port
security. Another flavor is the Cisco VLAN Management Policy Server (VMPS)
architecture. With VMPS, you can have a text file of MAC addresses and the VLANs to
which they belong. That file gets loaded into the VMPS server switch through TFTP. All
other switches then check with the VMPS server switch to see which VLAN those MAC
addresses belong to after being learned by an access switch. Also, you can define actions
for the switch to take if the MAC address is not in the MAC address text file. No other
security is enforced. Along the same lines as VMPS, another flavor legacy method is the
User-Registration Tool (URT), which uses the VLAN Query Protocol (VQP) and acts like
a VMPS. Wireless also has a version of this support available on most APs and/or
controllers. This base functionality for MAC address checking is already in place. For
example, wireless APs have the ability to initiate a Password Authentication Protocol (PAP)
authentication with a RADIUS server by using a client’s MAC address as a username/
password. Wireless devices can accomplish this based on the fact that initial associations
have already been made (and based on that association, traffic to/from a wireless network
interface card [NIC] is blocked). No such association currently exists in the wired space.
As described in this chapter, MAB represents an attempt to make a wired equivalent of this
functionality that integrates with 802.1X. Similar to the operation examined here, MAB in
the wireless space has its own similar security concerns—most notably, granting network
access on a MAC address. This is potentially a security risk because of the nature of the
authentication method used. MAC addresses can be easily mirrored or spoofed.