Chris's Wiki :: blog/tech/AvoidingMACBlocks Comments
https://utcc.utoronto.ca/~cks/space/blog/tech/AvoidingMACBlocks?atomcomments
2011-08-08T15:30:57Z
Recent comments in Chris's Wiki :: blog/tech/AvoidingMACBlocks.

From 65.61.116.102 on /blog/tech/AvoidingMACBlocks
<div class="wikitext"><p>A friend who sets up municipal networks makes heavy use of EAP (IIRC 802.1x / PEAP) and tells me it has eliminated all "rogue" devices on their networks. If you need more than access control, IPSec or SSL VPN is probably the way to go. This is my favorite approach as it moves crypto closer to L7 which is almost always a good thing.</p>
<p>As you have pointed out, MAC addresses are far too easy to manipulate to use them for access control. I've always found it humorous that various "Wireless Security Best Practices" found online suggest you do things like use MAC access control, static IPs instead of DHCP, and disable SSID broadcast. These are all worthless practices and only hinder usability.</p>
</div>
2011-08-08T15:30:57Z