Implementing Scalable Security for Devices Without 802.1x Support

Published: 21 Dec, 2022
Created by: Umer Khan

Enterprises often implement 802.1x to control access to wired and wireless networks by authenticating computers with a username and password or a digital certificate. MAC Authentication Bypass (MAB) is used for devices that do not support enterprise 802.1x, such as printers, industrial control systems, and operational technology machines. MAB is difficult to maintain, and devices that use it are often permitted unrestricted network access without other security mitigations. Because MAC addresses are easy to impersonate, this authentication mechanism is ineffective on its own and easy to bypass, which gives attackers easy access to enterprise networks. This research analyzes how to implement MAB in a more scalable fashion and how to enhance it with security mitigations such as device fingerprinting for device validation and automated access control lists that restrict the network resources a MAB-authenticated device can access.
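The policy idea in the abstract, sketched as an added example that is not taken from the paper: a MAB decision that checks the presented MAC against an enrolled profile, validates an observed DHCP fingerprint, and returns a per-device ACL. The profile fields, MAC, addresses, fingerprint values and the IOS-style ACL syntax are all constructed assumptions, as is the premise that the fingerprint is available to the policy engine at decision time.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    vendor_class_prefix: str   # expected start of DHCP option 60 (assumed attribute)
    dhcp_param_list: tuple     # expected DHCP option 55 request order (assumed attribute)
    allowed_flows: tuple       # (protocol, destination host, port) the device needs

# Constructed enrollment data: normalized MAC -> expected device profile.
PRINTER = Profile("printer", "ExamplePrinter", (1, 3, 6, 15, 44, 47),
                  (("tcp", "10.0.20.5", 9100), ("udp", "10.0.0.53", 53)))
ENROLLED = {"00:11:22:33:44:55": PRINTER}
QUARANTINE_ACL = ["deny ip any any"]

def normalize_mac(mac):
    """Accept colon, dash or dotted notation and return aa:bb:cc:dd:ee:ff."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_acl(profile):
    """Generate a least-privilege ACL from the flows the profile declares."""
    lines = [f"permit {proto} any host {dst} eq {port}"
             for proto, dst, port in profile.allowed_flows]
    return lines + ["deny ip any any"]

def authorize(mac, vendor_class, param_list):
    """Return (decision, acl) for a MAB request plus its observed fingerprint."""
    try:
        profile = ENROLLED.get(normalize_mac(mac))
    except ValueError:
        return "reject", []
    if profile is None:
        return "reject", []          # unknown MAC: no MAB access at all
    matches = (vendor_class.startswith(profile.vendor_class_prefix)
               and tuple(param_list) == profile.dhcp_param_list)
    if not matches:
        # Known MAC, wrong device behaviour: treat as possible impersonation.
        return "quarantine", QUARANTINE_ACL
    return "permit", build_acl(profile)

if __name__ == "__main__":
    print(authorize("00-11-22-33-44-55", "ExamplePrinter v2", [1, 3, 6, 15, 44, 47]))
    print(authorize("0011.2233.4455", "OtherOS 5.0", [1, 3, 6, 15, 31, 33]))
```

A fingerprint can be imitated as well, so the generated ACL is what bounds the access a successful impersonation obtains.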