Network Computing is part of the Informa Tech Division of Informa PLC


MAC Authentication: An incongruous concept

The idea that a MAC address, the globally unique hardware address of a NIC, could be used in authentication is ridiculous. MAC addresses are both easily discovered and easily altered, so they provide no valid proof of identity beyond their intended use case: letting layer two devices exchange frames with each other. Yet we hear "MAC authentication" used to refer to white-listing hosts by MAC address. That bugs me.

Authentication means that an identity has been validated in some way. Entering a username and password at a login screen means you know something public, the username, and something private, the password. An authentication system takes the username and validates the password using some predefined mechanism. In the case of the Password Authentication Protocol (PAP), a RADIUS server takes your username, looks up the associated password and compares that to the password that was entered. If they match, you have been authenticated. Many more secure password schemes have been developed.

We can argue about the relative strength of usernames and passwords, and yes, password-based authentication can be made resistant to common attacks like brute force and dictionary guessing. If you really want stronger authentication, that is, better assurance that a user is who they say they are, you can deploy other mechanisms like tokens or biometrics. You can even combine authentication methods. The salient point is that there is an identifier like a username and a secret like a password. Proving knowledge of both authenticates you.

MAC authentication commonly means that a network device is identified by its MAC address, along with the common but, in a security sense, unfounded assumption that the address proves the device is who it says it is. For example, my laptop NIC has a MAC address of 00:15:58:30:58:6F. But I can change the MAC address to impersonate another network device by editing the network properties of that NIC. In all the years of using networked computers, I have never had to change my MAC. But I could. So can you. So can an attacker. It's trivial.

Nearly all NAC products have trouble dealing with unmanageable network devices like printers, network cameras, etc. Guest users can be forced to log in through a web portal, as we see in hotels and hot-spots; network devices don't have that functionality. So if you deploy NAC, you will probably have to put them all into a special VLAN that doesn't use NAC enforcement, or use "MAC Authentication" to allow those devices onto the network.
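An added example, not code from the article or from any NAC product: a Python sketch of what a MAC whitelist actually checks (an identifier with no secret) alongside the compensating detection a practitioner would want when printers and cameras are admitted this way, namely a whitelisted MAC showing up on a switch port other than the one it was provisioned on. The switch learning events, port names and whitelist entries are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of switch MAC-learning events: "timestamp port mac".
# These are made-up lines, not real switch output.
SAMPLE_EVENTS = """\
2024-01-10T09:00:00 Gi1/0/3 00:15:58:30:58:6f
2024-01-10T09:00:05 Gi1/0/7 00:aa:bb:cc:dd:01
2024-01-10T09:01:10 Gi1/0/3 00:15:58:30:58:6f
2024-01-10T09:02:00 Gi1/0/12 00:15:58:30:58:6f
2024-01-10T09:02:30 Gi1/0/7 00:aa:bb:cc:dd:01
"""

# Constructed whitelist of "MAC-authenticated" devices and the port each
# was provisioned on (hypothetical printer and camera).
WHITELIST = {
    "00:15:58:30:58:6f": "Gi1/0/3",
    "00:aa:bb:cc:dd:01": "Gi1/0/7",
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([0-9a-fA-F:]{17})$")


def parse_events(text):
    """Return (timestamp, port, mac) tuples; MACs normalised to lowercase."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, port, mac = m.groups()
            events.append((ts, port, mac.lower()))
    return events


def mac_whitelist_decision(mac):
    """All that 'MAC authentication' checks: is the identifier on the list?
    There is no secret, so anyone presenting the identifier is admitted."""
    return mac.lower() in WHITELIST


def find_whitelist_anomalies(events):
    """Flag whitelisted MACs seen on more than one port, or on a port other
    than the provisioned one. Returns sorted (mac, ports) pairs."""
    seen = defaultdict(set)
    for _, port, mac in events:
        seen[mac].add(port)
    anomalies = []
    for mac, ports in seen.items():
        expected = WHITELIST.get(mac)
        if expected is not None and (len(ports) > 1 or expected not in ports):
            anomalies.append((mac, tuple(sorted(ports))))
    return sorted(anomalies)
```

The anomaly list is what you would feed into an alert or a port shutdown rule; the whitelist decision alone never notices that the same printer MAC is now on two ports.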

MAC authentication means whitelisting, and whitelisting is generally thought to be bad. Whitelisting is like giving your users accounts with usernames and no passwords and then trusting them to always use their own username. Most will, but some won't, and an attacker certainly won't. It's the attacker we are worried about; otherwise there isn't much use for NAC, right?
