ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
Showing results for 
Search instead for 
Did you mean: 

Welcome to the Cisco Small Business Community

Have a question? Click on a topic board below to get started in the community.
Get the latest news in this issue of the Cisco Small Business Monthly Newsletter


AP541N firmware 1.9.2 mac filtering bug ?


I am currently deploying some AP541N and I just discovered what seams to be a security bug.

The AP541N version :

Product Identifier:AP541N-E-K9
Hardware Version:V01
Software Version:AP541N-K9-1.9(2)

I have programmed a SSID with WPA Enterprise standard settings and Mac filtering using the radius server.

VAPEnabledVLAN IDSSIDBroadcast SSIDSecurityMAC FilteringStation IsolationHTTP RedirectRedirect URLDelete
WPAVersions: WPAWPA2
Enable pre-authentication
Cipher Suites: TKIPCCMP (AES)
Use global RADIUS server settings
RADIUS IP Address:
RADIUS IP Address-1:
RADIUS IP Address-2:
RADIUS IP Address-3:
Enable RADIUS accounting
Active Server:
Broadcast Key Refresh Rate (Range: 0-86400)
Session Key Refresh Rate (Range: 0-86400)

The radius server is a freeradius linux server globaly configured and the client is a Macbook pro, but the problem is independent of the client and radius server.

The bug is that although the MAC address of my client fails on the radius server, the client is accepted on the AP.

The log on the radius server show the failed MAC auth and succeed WPA2 auth :

Wed Sep  1 17:44:21 2010 : Auth: Login incorrect: [60-33-4B-04-AE-84/NOPASSWORD] (from client ap541n port 0 cli 60-33-4B-04-AE-84)

Wed Sep  1 17:44:22 2010 : Auth: Login OK: [arichard/<via Auth-Type = EAP>] (from client ap541n port 0 cli 60-33-4B-04-AE-84)

at the same time the AP shows a succeed :
Sep  1 17:44:22 hostapd: wlan0: IEEE 802.11 Assoc request from 60:33:4b:04:ae:84 BSSID 00:21:29:01:f9:90 SSID xxxx
Sep  1 17:44:22 hostapd: wlan0: IEEE 802.11 STA 60:33:4b:04:ae:84 associated with BSSID 00:21:29:01:f9:90
Sep  1 17:44:22 hostapd: wlan0: STA 60:33:4b:04:ae:84 IEEE 802.1X: EAP authentication with the authentication server completed
Sep  1 17:44:23 hostapd: wlan0: STA 60:33:4b:04:ae:84 WPA: pairwise key exchange completed (WPAv2)
Sep  1 17:44:23 hostapd: The wireless client with MAC address 60:33:4b:04:ae:84 has been successfully authenticated.
Sep  1 17:44:23 hostapd: wlan0: STA 60:33:4b:04:ae:84 IEEE 802.1X: authenticated - identity 'arichard' EAP type: 25 (PEAP)

and then the client is able to access to the network and the MAC address authentification with the radius server is never retried for this client (I suppose because the AP has white listed the MAC address).

This is a serious security bug !

It is present on an older firmware versions ?


Everyone's tags (4)

Re: AP541N firmware 1.9.2 mac filtering bug ?

I have a partial solution. On the Wireless/Mac filtering page, the default setup is :

MAC Filtering
Filter Allow only stations in list
Block all stations in list
Stations List
MAC Address : : : : :

Click “Apply“ to save the new settings.

And surprise, altough this seams to be only for the Local list, the setup "Block all stations in list" will apply also for radius MAC checks !!!!

So setting this field to "Allow only stations in list" and then rebooting the AP have partially solve the problem :

A station MAC is checked with the radius server once, and then the station is blocked if the check was unsuccessfull and unblocked if the check was successfull.

But their is still a problem : after the initial radius check, the station is NEVER rechecked with the radius server, so the station is BLOCKED and is never ublocked, even if you add it to the radius server at a later time. The only solution I have found is to reboot the AP.

This is a very serious problem because generally stations are seen by the various AP before their MAC is entered into the radius server. And having to reboot all the AP of a site in order to get one station to be recognized is not an option !!!