10-28-2021 01:07 AM
Hi, can someone help me with the mac filtering concern. We have C9800 and broadcasting a multiple SSIDs and those SSIDs are using same authentication MacAuth. However when I add the client mac address and point to certain SSID, device is also able to connect with other SSID using Mac Filtering which is different WLAN Profile. How I can allow the device to only connect on specific SSID that is defined. TIA
10-28-2021 02:28 AM
- Take care of this mac address formatting notice as denoted by this bug :
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv43870
M.
10-28-2021 09:04 PM
Thank you for providing this information I'll look into it.
10-28-2021 03:10 AM
I hope that you followed the below guide for MAC filtering.
I can confirm that the process mentioned in the above guide is correct and working with many WLC's I manage. But I use different Authorization lists (list per WLAN).
10-28-2021 09:02 PM
Yes i followed the procedure but I don't have radius server and only used WLC mac address database. Also, I did the same thing I used different authorization list per WLAN but devices can still connect to different SSID.
10-28-2021 10:47 PM
Are you applying your different MAC Auth lists to every SSID like the below?
With such example your Device1 with MAC aaaa.bbbb.cccc can only connect to SSID1.
Additionally, there is no need for external/internal RADIUS sserver with this low security method using MAB.
wlan WlanProfile1 101 SSID#1
mac-filtering <YourMacList1>
no security wpa akm dot1x
security wpa akm psk
!
wlan WlanProfile2 102 SSID#2
mac-filtering <YourMacList2>
no security wpa akm dot1x
security wpa akm ft psk
!
username aaaabbbbcccc mac aaa attribute list <YourMacList1>
username 000011112222 mac aaa attribute list <YourMacList2>
HTH
-Jesus
*** Please rate helpful responses ***
11-01-2021 06:27 PM
Yes, same with the sample config. Below is the current config of WLC for Mac Filtering, the mac address 5c8730c25a7d can connect to HL_EMP1 SSID even though it only defined for HL_EMP.
wlan HL_EMP 1 HL_EMP
mac-filtering EMP_MAC_AUTH
no security ft adaptive
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
no shutdown
wlan HL_EMP1 2 HL_BOP
mac-filtering HL_BOP_MAC_AUTH
no security ft adaptive
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
no shutdown
username 5c8730c25a7d mac aaa attribute list HL_EMP wlan-profile-name HL_EMP
username 980d51643661 mac aaa attribute list HL_EMP1 wlan-profile-name HL_EMP1
!
aaa attribute list HL_EMP
attribute type ssid "HL_EMP"
!
aaa attribute list HL_EMP1
attribute type ssid "HL_BOP"
aaa authorization network EMP_MAC_AUTH local
aaa authorization network HL_BOP_MAC_AUTH local
11-01-2021 07:38 PM
May I know if have something I missed with the configuration.
06-03-2022 02:17 PM
Hi @JAMT have you found a workaround for this issue? I'm facing the same problem.
10-05-2022 07:37 PM - edited 10-05-2022 07:39 PM
Config allow AAA-Override option in the your policy profile (Tag & Policy) config will solve this issue.
"If you want the client to connect to SSID1, but not to SSID2 using mac-filtering, ensure that you configure aaa-override in the policy profile"
10-10-2022 03:06 AM
Thank you. After AA-Override was enabled, I could control the connection of SSID through Attribute List, but I found that I could not connect to any SSID after adding two SSIDs to Attribute List and referencing them.
May I ask how to set if I have three SSIDs for mac address authentication but I need this MAC address to connect two SSIDs?
10-06-2022 01:29 AM - edited 11-23-2022 11:16 PM
I hope that you followed the below guide for MAC filtering.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide