MAC Authentication: An incongruous concept

MAC addresses cannot provide any valid proof of identity beyond their intended use case.

Mike Fratto

September 13, 2007


The idea that a MAC address, the globally unique hardware address of a NIC, could be used in authentication is ridiculous. MAC addresses, both easily discovered and altered, don't provide any valid proof of identity other than their intended use case: as a way for layer two devices to exchange frames between each other. Yet, we hear "MAC authentication" used to refer to white-listing hosts by MAC address. That bugs me.

Authentication means that an identity has been validated in some way. Entering a username and password at a login screen means you know something public, the user name, and something private, the password. An authentication system takes the user name and validates the password using some predefined mechanism. In the case of the Password Authentication Protocol (PAP), a RADIUS server takes your username, looks up the associated password and compares that to the password that was entered. If they match, you have been authenticated. Many more secure password schemes have been developed.

We can argue the relative strength of usernames and passwords, and yes, password-based authentication can be made resistant to common attacks like brute force and dictionary guessing. If you really want stronger authentication (better assurance that a user is who they say they are), you can deploy other mechanisms like tokens or biometrics. You can even combine authentication methods. The salient point is that there is an identifier like a user name and a secret like a password. Proving knowledge of both authenticates you.

MAC authentication commonly means that a network device is identified by its MAC address, and it carries the further common, but in a security sense unfounded, assumption that the address proves the device is who it says it is. For example, my laptop NIC has a MAC address of 00:15:58:30:58:6F. But I can change the MAC address to impersonate another network device by editing the network properties of that NIC. In all the years of using network computers, I have never had to change my MAC. But I could. So can you. So can an attacker. It's trivial.

Nearly all NAC products have trouble dealing with unmanageable network devices like printers, network cameras, etc. Unlike guest users, who can be forced to log in through a web portal like we see in hotels and hot-spots, network devices don't have the functionality. So if you deploy NAC, you will probably have to put them all into a special VLAN that doesn't use NAC enforcement or use "MAC Authentication" to allow those devices onto the network.

MAC authentication means whitelisting, and whitelisting is generally thought to be bad. Whitelisting is like giving your users accounts with usernames and no passwords and then trusting them to always use their own username. Most will, but some won't and an attacker certainly won't. It's the attacker we are worried about, otherwise there isn't much use for NAC, right?

There are ways to mitigate the big, gaping hole that whitelisting opens up. For example, in-line NAC appliances can be configured to only allow some traffic to and from a MAC address. Post-connect monitoring like an IDS/IPS can monitor traffic to and from a host and attempt to identify malicious or anomalous behavior. But those features are relatively rare in the NAC universe.
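One way to express the mitigation described above, as an added example that is not from the original article: each whitelist entry carries a traffic profile, so a listed MAC that originates anything off-profile is flagged. The MAC addresses, IP addresses, ports, flow records and profile contents are all constructed assumptions, and only traffic sent by the device is checked.

```python
# Added example: per-MAC traffic profiles for whitelisted devices.
# Every MAC, IP, port and flow record below is constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"

# A whitelist entry is a MAC plus the only traffic that device should originate.
# Profile contents are assumptions; real ones come from an observed baseline.
PROFILES = {
    "00:11:22:33:44:55": {  # constructed printer MAC
        "role": "printer",
        "allowed": {("10.0.5.10", 514, "udp"),   # assumed syslog collector
                    ("10.0.5.11", 123, "udp")},  # assumed NTP server
    },
}

def normalize(mac: str) -> str:
    """Canonicalize notation so 00-11-22.., 0011.2233.4455 and 00:11:22.. compare equal."""
    hexd = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexd) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexd[i:i + 2] for i in range(0, 12, 2))

def evaluate(flow: Flow) -> str:
    """Return 'allow', 'violation' (listed MAC, off-profile traffic) or 'unknown'."""
    profile = PROFILES.get(normalize(flow.src_mac))
    if profile is None:
        return "unknown"      # not whitelisted: left to normal NAC enforcement
    if (flow.dst_ip, flow.dst_port, flow.proto) in profile["allowed"]:
        return "allow"
    return "violation"        # the MAC is listed, but this is not printer behavior

def violations(flows):
    """Flows a monitor should alert on or an in-line appliance should drop."""
    return [f for f in flows if evaluate(f) == "violation"]

SAMPLE_FLOWS = [  # constructed records
    Flow("00:11:22:33:44:55", "10.0.5.10", 514, "udp"),
    Flow("00-11-22-33-44-55", "10.0.9.20", 445, "tcp"),
    Flow("0011.2233.4455", "10.0.5.11", 123, "udp"),
    Flow("66:77:88:99:aa:bb", "10.0.9.20", 443, "tcp"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(evaluate(f), f)
```

A profile like this narrows what the holder of a whitelisted MAC can do on the network; it still does not authenticate the device.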

When you are investigating a NAC product, find out how network devices like printers are handled. If it is just a MAC whitelist, then you have to determine if that is acceptable and what, if anything, you can do with your existing or planned infrastructure to thwart MAC impersonation, and try not to rely on phantom authentication.

P.S.: Others have used the term "MAC authentication" in ways that I think are acceptable. I Googled for "mac authentication" while writing this and the second hit was a Cisco configuration manual that describes using a MAC address as an identifier with LEAP. But if you read that doc, you find that a password is used to authenticate the device. But generally speaking, MAC authentication is just identifying a MAC.

About the Author(s)

Mike Fratto

Former Network Computing Editor
