
MAC filtering with ACS - causing a ton of authentication attempts

bechong
Cisco Employee

Hi Experts,

We are doing MAC filtering on an open SSID (no layer 2 security).  There are currently about 1200 MAC addresses defined in the filter list but due to scalability reasons, we moved the list of MAC addresses to the ACS authentication server.

The problem is that when RADIUS servers are enabled for this open SSID, not only do the authorized clients authenticate against the RADIUS server, but so do all the unauthorized clients, who are not part of the MAC filter list. Since it is an open SSID, anybody with a smartphone tries connecting. This generates literally MILLIONS of authentication attempts to the ACS servers, with the resulting log files. Clients are authenticating 3 to 4 times each second, all day long.

An attempt was made to enable the client exclusion feature on the SSID, to put clients into a temporary exclusion state, so that they don't overwhelm the authentication servers.  However, we have been told that this mechanism doesn't work, due to some internal timers within the controller.

Is there any way we can perform the MAC-based authentication against our ACS servers, without overwhelming them with millions of unauthorized authentication attempts?

Thanks for any suggestions. Much appreciated.
