Buy or Renew
Buy or Renew
This forum is no longer in read-only mode. See this post for updates
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
846
Views
0
Helpful
2
Replies

WAP571 RADIUS Server MAC filtering Issue

VolkmarTheil48673
Level 1
Level 1

‎01-31-2021 10:24 AM

Hi Folks,

we run several non clustered WAP571 (latest firmware v1.1.0.3) in our company network. New company policy says to implement MAC filtering. As I don't want to create a seperate MAC-list in every WAP, I set up a FreeRadiusServer, tested it with Linux and Windows-Tools > Server OK.

 

The WAP configuration was made according to adin manual. But then the WAP571 devices did curious things:

On connect of a RADIUS-enabled-MAC client, radius server replied accept, and WAP device established connection. So far so good. I changed the MAC in RADIUS to "reject", but the WAP device did not ask the server again on next connect, and also established connection. I found out, the WAP device only asks the RADIUS server ONE TIME after boot for a certain MAC adress.

On connect of a RADIUS-not.enabled-MAC client, radius server replied reject, and WAP device did not establish connection. But after several tries of the client, WAP established connection anyway.

So this behaviour is not practical.

 

I replaced some WAP571 by WAP150 (also latest firmware v1.1.2.4), same config, and everything was fine. The WAP150 asks the RADIUS server each time a client tries to connect followed by the proper action of establishing or not establishing connection.

 

Conclusio: I really wasted a couple of days to find out, that WAP571 has a very buggy behaviour respective communication with a RADIUS Server.

 

Has anyone the same expierence?

Regards

Volkmar

0 Helpful
2 Replies 2

Martin Aleksandrov
Cisco Employee
Cisco Employee

‎02-22-2021 05:54 AM

Can you do a packet capture and share the log?

 

Regards,

Martin

0 Helpful

VolkmarTheil48673
Level 1
Level 1
In response to Martin Aleksandrov

‎02-23-2021 02:32 AM

Hi Martin,

thank you for your answer. I cannot do a packet trace any more, cause in our office we changed from WAP571 to WAP150, as the "smaller" WAP satisfies our needs, although the GUI is much slower in comparison to 571. The 571 devices have been sold to one of our customers, as there the 571 work fine in a cluster w/o a radius server.

Best regards,

Volkmar

0 Helpful
Customers Also Viewed These Support Documents