Connecting Non-802.1X Devices to an Enterprise Network
- MAC Authentication Bypass
- Multiple SSIDs and VLANs
- Add Additional APs
- Use a Wireless Ethernet Bridge
- Use a Computer with ICS as a Bridge
Using 802.1X authentication with WPA2-Enterprise offers the greatest Wi-Fi security possible today. However, some legacy and even newer Wi-Fi devices can lack 802.1X support. Thus, some computers or devices might not be able to connect to the Enterprise wireless network. Nevertheless, there are ways to still provide connectivity to non802.1X devices.
In this article, you'll discover some techniques that can be used by both network administrators and end users.
If you're just a user of the Enterprise network, you should first check with the administrators before using the methods we'll discuss in the latter part of the article. This is because they can lessen the overall security of the network and potentially open access to unauthorized users.
This is also a good time to mention to administrators that they should do regular thorough network audits and Wi-Fi site surveys to catch users who are using these methods without permission. As an administrator, you should also look into implementing network intrusion solutions to help catch these types of vulnerabilities.
MAC Authentication Bypass
If you're the network administrator, you might consider implementing the MAC address authentication bypass feature of your RADIUS server, if supported by the server and switches. This method essentially lets non802.1X devices bypass the traditional 802.1X process altogether, but still lets them connect.
A list of authorized MAC addresses of client NICs would be maintained on the RADIUS server. Then when a non802.1X client tries to connect, the server would then check the MAC address of the client NIC against the list of authorized addresses.
The issue with this method is the lack of security. It's possible that if someone knows the list of authorized MAC addresses or sniffs the network and detects them, they could easily spoof the MAC address of their wireless NIC so they could connect.