
C9800 Mac Filtering

JAMT
Beginner

Hi, can someone help me with a MAC filtering concern? We have a C9800 broadcasting multiple SSIDs, and those SSIDs use the same authentication, MacAuth. However, when I add the client MAC address and point it to a certain SSID, the device is also able to connect to another SSID using MAC filtering, which is a different WLAN profile. How can I allow the device to connect only to the specific SSID that is defined? TIA

8 REPLIES

marce1000
VIP Mentor

 

- Take care of this MAC address formatting notice as denoted by this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv43870

 M.

Thank you for providing this information. I'll look into it.

Arshad Safrulla
VIP Advocate

I hope that you followed the below guide for MAC filtering.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html

 

I can confirm that the process mentioned in the above guide is correct and working with many WLCs I manage. But I use different authorization lists (list per WLAN).

______________
Arshad Safrulla

Yes, I followed the procedure, but I don't have a RADIUS server and only used the WLC MAC address database. Also, I did the same thing: I used a different authorization list per WLAN, but devices can still connect to a different SSID.

JPavonM
Rising star

Are you applying your different MAC Auth lists to every SSID like the below?

With such an example, your Device1 with MAC aaaa.bbbb.cccc can only connect to SSID1.

Additionally, there is no need for an external/internal RADIUS server with this low-security method using MAB.

wlan WlanProfile1 101 SSID#1
 mac-filtering <YourMacList1>
 no security wpa akm dot1x
 security wpa akm psk
!
wlan WlanProfile2 102 SSID#2
 mac-filtering <YourMacList2>
 no security wpa akm dot1x
 security wpa akm ft psk
!
username aaaabbbbcccc mac aaa attribute list <YourMacList1>
username 000011112222 mac aaa attribute list <YourMacList2>

  HTH
-Jesus
*** Please rate helpful responses ***

Yes, same as the sample config. Below is the current WLC config for MAC filtering. The MAC address 5c8730c25a7d can connect to the HL_EMP1 SSID even though it is only defined for HL_EMP.

 

wlan HL_EMP 1 HL_EMP
 mac-filtering EMP_MAC_AUTH
 no security ft adaptive
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 no shutdown

wlan HL_EMP1 2 HL_BOP
 mac-filtering HL_BOP_MAC_AUTH
 no security ft adaptive
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 no shutdown

username 5c8730c25a7d mac aaa attribute list HL_EMP wlan-profile-name HL_EMP
username 980d51643661 mac aaa attribute list HL_EMP1 wlan-profile-name HL_EMP1

!
aaa attribute list HL_EMP
 attribute type ssid "HL_EMP"
!
aaa attribute list HL_EMP1
 attribute type ssid "HL_BOP"

aaa authorization network EMP_MAC_AUTH local
aaa authorization network HL_BOP_MAC_AUTH local

May I know if there is something I missed in the configuration?

Hi @JAMT have you found a workaround for this issue? I'm facing the same problem.
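
An added example, not part of any post in this thread and not Cisco code: a Python audit that reads configuration text of the kind posted above and reports which WLAN profile each MAC username is meant to be tied to, so the written intent can be compared with what clients actually do. The names `parse` and `audit` are hypothetical, the sample is constructed, and the bare lowercase 12-hex MAC form is an assumption taken from the entries in the thread; the output describes the configuration text only, not what the controller enforces.

```python
import re
# Constructed sample modelled on the thread's config; the second MAC is invented.
SAMPLE = '''wlan HL_EMP 1 HL_EMP
mac-filtering EMP_MAC_AUTH
no security wpa
wlan HL_EMP1 2 HL_BOP
mac-filtering HL_BOP_MAC_AUTH
no security wpa
username 5c8730c25a7d mac aaa attribute list HL_EMP wlan-profile-name HL_EMP
username 02:00:5E:10:00:01 mac aaa attribute list HL_EMP1 wlan-profile-name HL_EMP1
aaa attribute list HL_EMP
attribute type ssid "HL_EMP"
aaa attribute list HL_EMP1
attribute type ssid "HL_BOP"
'''
USER_RE = re.compile(r'username (\S+) mac aaa attribute list (\S+)'
                     r'(?: wlan-profile-name (\S+))?$')

def parse(cfg):
    """Collect WLANs, AAA attribute lists and MAC usernames from config text."""
    wlans, lists, users, cur = {}, {}, [], {}
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r'wlan (\S+) \d+ (\S+)$', line):
            cur = wlans[m[1]] = {'ssid': m[2], 'filter': None, 'wpa': True}
        elif m := re.match(r'aaa attribute list (\S+)$', line):
            cur = lists[m[1]] = {'ssid': None}
        elif m := USER_RE.match(line):
            users.append(m.groups())
        elif m := re.match(r'mac-filtering (\S+)$', line):
            cur['filter'] = m[1]       # authorization method list on this WLAN
        elif line == 'no security wpa':
            cur['wpa'] = False
        elif m := re.match(r'attribute type ssid "(.+)"$', line):
            cur['ssid'] = m[1]         # SSID the attribute list points at
    return wlans, lists, users

def audit(cfg):
    """Return findings where the written intent is weak or inconsistent."""
    wlans, lists, users = parse(cfg)
    profile_of = {w['ssid']: name for name, w in wlans.items()}
    out = [f'{n}: WPA disabled, MAC filter is the only admission check'
           for n, w in wlans.items() if w['filter'] and not w['wpa']]
    for mac, alist, profile in users:
        if not re.fullmatch(r'[0-9a-f]{12}', mac):
            out.append(f'{mac}: not in bare lowercase 12-hex form')
        want = profile_of.get(lists.get(alist, {}).get('ssid'))
        if profile and want != profile:
            out.append(f'{mac}: list {alist} maps to {want}, '
                       f'but wlan-profile-name is {profile}')
    return out
```

Calling `audit()` on text saved from `show running-config` returns one string per finding; an empty list means the username, attribute list and WLAN entries agree with each other on paper.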
