https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125319#M25159 <HTML><HEAD></HEAD><BODY><P>Nah... You have it configured wrong like George mentioned. It's both or none at all.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 27 Jan 2013 16:06:33 GMT Scott Fella 2013-01-27T16:06:33Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125314#M25154 <P>I am curious if I can do an either or sitution with a single SSID.</P><P>If you are on the mac filtering list then you gain access to the network, if not then enter your WPA2-ENT credentials.</P><P>I have a minimal ammount of users that need mac filtering, but do not want to give them there own SSID.</P><P></P><P>Let me know what you think, and if this is even possible.</P><P>Cisco WLC 5508 7.4 code</P> Sun, 04 Jul 2021 06:24:41 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125314#M25154 richardwang5000 2021-07-04T06:24:41Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125315#M25155 <HTML><HEAD></HEAD><BODY><P>In addition to authentication, wpa also provides for an encrypted channel over the wireless link. Mac filtering is just an acl; if you pass the filter you're in, but there's no encryption. I don't think these two are interchangeable as an either/or solution.<BR /><BR />Sent from Cisco Technical Support iPad App</P></BODY></HTML> Thu, 24 Jan 2013 03:39:02 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125315#M25155 Jeff Van Houten 2013-01-24T03:39:02Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125316#M25156 <HTML><HEAD></HEAD><BODY><P>Just to add... You can do both at the same time, but its both together not either or. Since you define both on a SSID, the WLC is expecting that the MAC address of the device is in the list and then the pre shared key is valid.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Thu, 24 Jan 2013 03:54:32 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125316#M25156 Scott Fella 2013-01-24T03:54:32Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125317#M25157 <HTML><HEAD></HEAD><BODY><P>hi Scott,</P><P>&nbsp; If there is mac filtering and wpa psk, clients which have just the PSK configured correctly are able to connect even though they are NOT in the mac filter list. Is this expected behaviour ? I am expecting that the client should be able to join only if BOTH of the conditions are met (that is PSK as well as mac filtering). which one takes precendence or is checked for first ? i think its PSK when PSK is configured. </P><P></P><P>regards</P><P>Joe</P></BODY></HTML> Sun, 27 Jan 2013 15:11:07 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125317#M25157 wireless wlc 2013-01-27T15:11:07Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125318#M25158 <HTML><HEAD></HEAD><BODY><P>That's not expected behavior. Are you sure you selected max filter under the WLAN ?<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 27 Jan 2013 15:47:00 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125318#M25158 George Stefanick 2013-01-27T15:47:00Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125319#M25159 <HTML><HEAD></HEAD><BODY><P>Nah... You have it configured wrong like George mentioned. It's both or none at all.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Sun, 27 Jan 2013 16:06:33 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125319#M25159 Scott Fella 2013-01-27T16:06:33Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125320#M25160 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>&nbsp; Then it might be a bug in 7.2.110? I have a customer configured for both and clients who just have WPA PSK only configured are also able to connect to the SSID with mac filtering + WPA PSK enabled. clients with both WPA PSK AND mac filtering are also able to connect. </P><P></P><P>Joe</P></BODY></HTML> Sun, 27 Jan 2013 20:28:56 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125320#M25160 wireless wlc 2013-01-27T20:28:56Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125321#M25161 <HTML><HEAD></HEAD><BODY><P>Can you take a screen of your configuration page on this?&nbsp; I'll lab this tomorrow... curious.&nbsp; Where are you setting the mac list at, locally on the wlc or a radius server?</P></BODY></HTML> Mon, 28 Jan 2013 02:20:42 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125321#M25161 raun.williams 2013-01-28T02:20:42Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125322#M25162 <HTML><HEAD></HEAD><BODY><P>I dont have the screenshots with me. The problem is not there once they remove the WLAN and recreate it. But only strange thing is , some clients show up in the monitor&gt;clients list in WLC even though they have only the WPA-PSK configured and NOT in the mac filter list. These clients dont get an IP and not able to communicate though. Maybe its a minor bug, but works as expected.&nbsp; Thanks.</P><P></P><P>regards</P><P>Joe</P></BODY></HTML> Wed, 06 Feb 2013 06:00:09 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125322#M25162 wireless wlc 2013-02-06T06:00:09Z https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125323#M25163 <HTML><HEAD></HEAD><BODY><P>On 7.2.110.0 I had seen where a client can move from a PSK or other WLAN where they have "authenticated" properly to a MAC Filter WLAN and are allowed access without being in the MAC filter list.&nbsp; This behavior was duped to </P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=" rel="nofollow">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=</A><A href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=CSCub00341" rel="nofollow" target="_blank">CSCub00341</A>&amp;from=summary</P><P></P><P>It states this is related to NAC, however my original bug submission regarding moving to a MAC Filter WLAN after previously authenticating on another WLAN was duped to this.</P><P></P><P>A "workaround" is to disable Fast SSID change</P><P></P><P>This shows fixed in <SPAN style="font-size: 10pt;">7.3(1.73) / </SPAN><SPAN style="font-size: 10pt;">7.4(100.0)</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">I didn't test this scenario with using "both" MAC Filter and PSK, but as George/Scott have said, you "must" do both, one or the other, or neither to authenticate to the WLAN, however it's possible they have already authenticated to another WLAN and simply "moved" to this WLAN and were authenticated even if they aren't in the MAC Filter list.</SPAN></P><P></P><P>It could be some variation of this behavior above.</P></BODY></HTML> Wed, 06 Feb 2013 15:15:36 GMT https://community.cisco.com/t5/wireless/using-both-wpa2-and-mac-filtering/m-p/2125323#M25163 David Watkins 2013-02-06T15:15:36Z