MAC filtering with ACS - causing a ton of authentication attempts
We are doing MAC filtering on an open SSID (no layer 2 security). There are currently about 1200 MAC addresses defined in the filter list but due to scalability reasons, we moved the list of MAC addresses to the ACS authentication server.
The problem is when RADIUS servers are enabled for this open SSID, not only do the authorized clients authenticate against the RADIUS server, but so do all the unauthorized clients, who are not part of the MAC filter list. Since it is an open SSID, anybody with a smart phone tries connecting. This generates literally MILLIONS of authentication attempts to the ACS servers, with the resulting log files. Clients are authenticating 3 to 4 times each second, all day long.
An attempt was made to enable the client exclusion feature on the SSID, to put clients into a temporary exclusion state, so that they don't overwhelm the authentication servers. However, we have been told that this mechanism doesn't work, due to some internal timers within the controller.
Is there any way we can perform the MAC-based authentication against our ACS servers, without overwhelming them with millions of unauthorized authentication attempts?