06-17-2024 11:44 AM
Hello,
We are using 3 Aironet 1852i APs running 8.10.185 configured as ME Capable and hosting 2 WLANs (PROD & OTHER) tagged to 2 different VLANs. I'm trying to set up MAC filtering on the OTHER network so none of the internal laptops connect to it by accident (or user error). From the Mobility Express portal I've enabled MAC filtering on the OTHER WLAN and entered the MAC addresses in the WLAN Users / Local MAC Addresses tab. For each MAC address, I selected type BlackList. The internal laptops are blocked, so it seems to be working, but so are all other devices that are not specifically entered in the WLAN Users list with type set to WhiteList. I don't want to have to allow each other device individually. How may I set up MAC filtering on the OTHER WLAN to behave like an "Allow all except X,Y,Z"?
Thank you for your time and comments
06-20-2024 10:27 AM
MAC address filtering really isn't a great way to enforce security at all - not least because any device can change MAC address to bypass the filters. I suspect what you want to do isn't possible on ME that way (although I've never tried it myself).
You could possibly do it using 802.1x with ISE, but if you were going to do that, then you could do it by user or machine ID instead of MAC address and then use VLAN override to make sure the right users land in the right VLAN.
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html
https://community.cisco.com/t5/network-access-control/cisco-wlc-mac-filtering-integration-with-ise-and-802-1x/td-p/4463150