cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1447
Views
0
Helpful
8
Replies

Simple MAC access control question on 5508

ScottB2113
Level 1
Level 1

We are forced to rush a installation of a WLC 5508 various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is impliment straight forward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and a interface setting. I need to have each MAC be able to access several WLAN's but not all of them. Can anyone point me to a artcle or give me a quick idea of what I can do.I have basic WLAN's configured and have MAC filtering generally working. I cannot just use a user authentication becasue each user may have 20-30 devices, but not all of these devices should be allowed on all WLAN's and I do not want to rely on the user.

Thank you

8 Replies 8

Saravanan Lakshmanan
Cisco Employee
Cisco Employee

wlc supports dot1x and users through internal database. same user credentials can be used for multiple users.

using mac filter is not suggested since it is spoofable.

yes, currently mac filter on wlc supports 'allow only' for specific or all wlans. this config could be mixed with interface config and using radius on wlc.

Thank you for the reply,

I understand a MAC is spoofable, I am only trying to manage a short term fix of limiting what networks a client can access for specific reasons.

I also believe that the mixure of ANY WLAN/ specific interface could somewhat do what I need however it does not appear that the interface has any affect. I just don't know if I am missing enabling it somewhere.

I cannot use a user credential becasue it is not about keeping USERS off certain networks it is about onlyt allowing certain clients on a network.

WLC onboard radius can't control specific users to access only specific WLANs like external AAA server. it could be available in the future.

using mac filter can't map a MAC address to two different WLANs, it has to be either any WLAN or one specific WLAN since WLC doesn't allow duplicate mac filter entry for same mac address on its global mac address database.

Mapping MAC address to 'any wlan' tied to a specific interface may still not help on condition where different interface used for different wlan where that client intend to connect/access because of above bottleneck.

'however it does not appear that the interface has any affect'.

//Do you mean the client connects and able to pass traffic though it is not mapped to that interface.

Thank you for the info. Most of what you say I though was the case. I did read that the interface is supposed to limit the traffic, not stop connecting but just stop the traffic. And some where I read this only works if AAA is enabled. However I cannot find anything more pointing to this. I know using the combination is not ideal but it would work for the interm. Your last question is correct, the client connects and can pass traffic (atleast ping). So for example SSID A is network 192.168.1.0/24 and is interface A, SSID B is 192.168.2.0/24 and is interface B. A routs to 10.10.10.0/24, b does not. It seems by the documentation that with WLAN set to ANY WLAN/Interface A that it should route. If it was changed to interface B it should not route. However it does.

Open a TAC case and refer this link to get an fix for this issue.

Looks like it is applicable only if AAA is configured for that WLAN.

interface_name

—The name of the interface. This interface name is used to override the interface configured to the WLAN.

Note You must have AAA enabled on the WLAN to override the interface name.

http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70wlan.html#wpmkr1222223

Eric Lindsey
Level 1
Level 1

We use ACS for this. We have groups on our ACS server and add the Mac addresses to the groups. Works great for us.

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: