MAC-Based Authentication

The MAC-based authentication is actually an internal policy processing by the AP. The AP has an internal table of MAC addresses from which it allows access to the network. The MAC address authentication configuration is described in Chapter 12, "WLAN Security Configuration Guidelines and Examples."


Because MAC-based authentication is not part of the 802.11 standard, different implementations can vary. For example, some block association, whereas others simply block the traffic.

In many APs, MAC-based authentication can be achieved when using either open authentication or shared-key authentication, with the enhancement that the AP enforces the policy of matching the authenticating MAC address to the AP's table of valid MAC addresses.

Trust Model and Assumptions

The MAC-based authentication method trusts the registered MAC addresses and assumes their integrity?that is, it assumes that the MAC addresses belong to the devices. The method also presumes that the receiver trusts the message because the message is not integrity protected.

Supporting AAA Infrastructure

Although no AAA mechanisms are used, there is a need for out-of-band registration of client MAC addresses. The APs require the STAs' MAC addresses, which must be manually entered into the APs. That is, registration can be done centrally but must be configured/provisioned on every AP. Although configuration tools can enable propagation of registration tables to many APs, population of the registration table (with MAC addresses) has no means for automation.


The manual population of the registration table does a fair amount of work for little security. If only a couple of MAC addresses are registered, this might be worth the effort. For more than a few, it is unlikely to be worth the bother.

Auditing and Accounting

There are no special auditing and accounting capabilities. The auditing and accounting of the open authentication method apply here, too.

Applications, Vulnerabilities, and Countermeasures

The MAC-based authentication method is suitable for home LANs and for small offices where the number of computers (and hence the registration table) is small. This method can be used as the first layer of defense to deny access to any arbitrary STA. This is not a convenient mechanism for public WLANs because it adds the burden of configuring the MAC addresses without additional security benefits.

MAC addresses are visible and prone to theft. For example, a hacker can hide the device's built-in MAC address and spoof other MAC addresses using a firmware overlay. In fact, the MAC address can be spoofed by many other mechanisms, such as driver support. There is no means to prevent an adversary from impersonating a valid client by simply using that device's identity (for example, its MAC address).

All the countermeasures of the open authentication method also apply to this method. Use VPN for a secure connection and, if someone is surfing the Internet, use a firewall (hardware or software).