Policy Enforcement using MAC Authentication

Overview

Media Access Control (MAC) authentication is used to authenticate devices based on their physical MAC addresses. Using MAC authentication IPS accepts the device MAC address as user credentials, matches it with the local database or LDAP server and then assigns the port connecting the device to a predetermined VLAN. MAC addresses can be easily spoofed so we recommend you to create separate VLANs or filters specifically for devices using MAC authentication. For example, you can create separate a special VLAN or separate filters for each of the device type such as printers, VOIP phones, and so on. You can also use Profiler for device validation and MAC authentication. For more information, see Profiler.

MAC based authentication is not as secure as agent access or agentless access authentication. MAC addresses are not generally guarded as secrets, so an attacker can spoof a MAC address and impersonate a device to gain network access. To reduce risk of an exploit, create a special VLAN for each device type.