https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130783#M12331 <HTML><HEAD></HEAD><BODY><P><SPAN>check </SPAN><A class="jive-link-external-small" href="https://community.cisco.com/thread/2182372">https://supportforums.cisco.com/thread/2182372</A></P></BODY></HTML> Sat, 23 Feb 2013 23:04:48 GMT Saravanan Lakshmanan 2013-02-23T23:04:48Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130776#M12324 <P>We are forced to rush a installation of a WLC 5508 various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is impliment straight forward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and a interface setting. I need to have each MAC be able to access several WLAN's but not all of them. Can anyone point me to a artcle or give me a quick idea of what I can do.I have basic WLAN's configured and have MAC filtering generally working. I cannot just use a user authentication becasue each user may have 20-30 devices, but not all of these devices should be allowed on all WLAN's and I do not want to rely on the user.</P><P></P><P>Thank you</P> Sun, 04 Jul 2021 06:08:38 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130776#M12324 ScottB2113 2021-07-04T06:08:38Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130777#M12325 <HTML><HEAD></HEAD><BODY><P>wlc supports dot1x and users through internal database. same user credentials can be used for multiple users.</P><P>using mac filter is not suggested since it is spoofable. </P><P></P><P>yes, currently mac filter on wlc supports 'allow only' for specific or all wlans. this config could be mixed with interface config and using radius on wlc.</P></BODY></HTML> Fri, 30 Nov 2012 16:48:38 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130777#M12325 Saravanan Lakshmanan 2012-11-30T16:48:38Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130778#M12326 <HTML><HEAD></HEAD><BODY><P>Thank you for the reply,</P><P></P><P>I understand a MAC is spoofable, I am only trying to manage a short term fix of limiting what networks a client can access for specific reasons.</P><P></P><P>I also believe that the mixure of ANY WLAN/ specific interface could somewhat do what I need however it does not appear that the interface has any affect. I just don't know if I am missing enabling it somewhere.</P><P></P><P>I cannot use a user credential becasue it is not about keeping USERS off certain networks it is about onlyt allowing certain clients on a network.</P></BODY></HTML> Fri, 30 Nov 2012 17:54:00 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130778#M12326 ScottB2113 2012-11-30T17:54:00Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130779#M12327 <HTML><HEAD></HEAD><BODY><P>WLC onboard radius can't control specific users to access only specific WLANs like external AAA server. it could be available in the future.</P><P></P><P>using mac filter can't map a MAC address to two different WLANs, it has to be either any WLAN or one specific WLAN since WLC doesn't allow duplicate mac filter entry for same mac address on its global mac address database. </P><P></P><P>Mapping MAC address to 'any wlan' tied to a specific interface may still not help on condition where different interface used for different wlan where that client intend to connect/access because of above bottleneck.</P><P></P><P>'however it does not appear that the interface has any affect'.</P><P>//Do you mean the client connects and able to pass traffic though it is not mapped to that interface.</P></BODY></HTML> Fri, 30 Nov 2012 19:05:20 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130779#M12327 Saravanan Lakshmanan 2012-11-30T19:05:20Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130780#M12328 <HTML><HEAD></HEAD><BODY><P>Thank you for the info. Most of what you say I though was the case. I did read that the interface is supposed to limit the traffic, not stop connecting but just stop the traffic. And some where I read this only works if AAA is enabled. However I cannot find anything more pointing to this. I know using the combination is not ideal but it would work for the interm. Your last question is correct, the client connects and can pass traffic (atleast ping). So for example SSID A is network 192.168.1.0/24 and is interface A, SSID B is 192.168.2.0/24 and is interface B. A routs to 10.10.10.0/24, b does not. It seems by the documentation that with WLAN set to ANY WLAN/Interface A that it should route. If it was changed to interface B it should not route. However it does.</P></BODY></HTML> Fri, 30 Nov 2012 19:17:12 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130780#M12328 ScottB2113 2012-11-30T19:17:12Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130781#M12329 <HTML><HEAD></HEAD><BODY><P>Open a TAC case and refer this link to get an fix for this issue.</P></BODY></HTML> Sat, 01 Dec 2012 13:37:19 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130781#M12329 Saravanan Lakshmanan 2012-12-01T13:37:19Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130782#M12330 <HTML><HEAD></HEAD><BODY><P>Looks like it is applicable only if AAA is configured for that WLAN.</P><P></P><P>– <IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-indent: -24px; background-color: #ffffff;" width="17" /><EM style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-indent: -24px; background-color: #ffffff;">interface_name</EM></P><P>—The name of the interface. This interface name is used to override the interface configured to the WLAN.</P><P></P><P><STRONG style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-indent: -34.560001373291016px; background-color: #ffffff;">Note </STRONG><IMG border="0" height="2" src="http://www.cisco.com/en/US/i/templates/blank.gif" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; text-indent: -34.560001373291016px; background-color: #ffffff;" width="6" />You must have AAA enabled on the WLAN to override the interface name.</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wpmkr1222223">http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wpmkr1222223</A></P></BODY></HTML> Fri, 07 Dec 2012 21:06:38 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130782#M12330 Saravanan Lakshmanan 2012-12-07T21:06:38Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130783#M12331 <HTML><HEAD></HEAD><BODY><P><SPAN>check </SPAN><A class="jive-link-external-small" href="https://community.cisco.com/thread/2182372">https://supportforums.cisco.com/thread/2182372</A></P></BODY></HTML> Sat, 23 Feb 2013 23:04:48 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130783#M12331 Saravanan Lakshmanan 2013-02-23T23:04:48Z https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130784#M12332 <HTML><HEAD></HEAD><BODY><P>We use ACS for this. We have groups on our ACS server and add the Mac addresses to the groups. Works great for us.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 24 Feb 2013 21:58:45 GMT https://community.cisco.com/t5/wireless/simple-mac-access-control-question-on-5508/m-p/2130784#M12332 Eric Lindsey 2013-02-24T21:58:45Z