
C9800 Mac Filtering

JAMT
Level 1

Hi, can someone help me with a MAC filtering concern? We have a C9800 broadcasting multiple SSIDs, and those SSIDs are using the same authentication, MacAuth. However, when I add the client MAC address and point it to a certain SSID, the device is also able to connect to another SSID using MAC filtering, which is a different WLAN profile. How can I allow the device to connect only to the specific SSID that is defined? TIA


marce1000
VIP

 

- Take care of this MAC address formatting notice, as denoted by this bug:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvv43870

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thank you for providing this information; I'll look into it.

Arshad Safrulla
VIP Alumni

I hope that you followed the below guide for MAC filtering.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html

 

I can confirm that the process mentioned in the above guide is correct and working with many WLCs I manage. But I use different authorization lists (one list per WLAN).

Yes, I followed the procedure, but I don't have a RADIUS server and only used the WLC MAC address database. Also, I did the same thing: I used a different authorization list per WLAN, but devices can still connect to a different SSID.

JPavonM
VIP

Are you applying your different MAC Auth lists to every SSID like the below?

With such an example, your Device1 with MAC aaaa.bbbb.cccc can only connect to SSID1.

Additionally, there is no need for an external/internal RADIUS server with this low-security method using MAB.

wlan WlanProfile1 101 SSID#1
 mac-filtering <YourMacList1>
 no security wpa akm dot1x
 security wpa akm psk
!
wlan WlanProfile2 102 SSID#2
 mac-filtering <YourMacList2>
 no security wpa akm dot1x
 security wpa akm ft psk
!
username aaaabbbbcccc mac aaa attribute list <YourMacList1>
username 000011112222 mac aaa attribute list <YourMacList2>

  HTH
-Jesus
*** Please rate helpful responses ***

Yes, same as the sample config. Below is the current config of the WLC for MAC filtering. The MAC address 5c8730c25a7d can connect to the HL_EMP1 SSID even though it is only defined for HL_EMP.

 

wlan HL_EMP 1 HL_EMP
mac-filtering EMP_MAC_AUTH
no security ft adaptive
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
no shutdown

wlan HL_EMP1 2 HL_BOP
mac-filtering HL_BOP_MAC_AUTH
no security ft adaptive
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
no shutdown

username 5c8730c25a7d mac aaa attribute list HL_EMP wlan-profile-name HL_EMP
username 980d51643661 mac aaa attribute list HL_EMP1 wlan-profile-name HL_EMP1

!
aaa attribute list HL_EMP
attribute type ssid "HL_EMP"
!
aaa attribute list HL_EMP1
attribute type ssid "HL_BOP"

aaa authorization network EMP_MAC_AUTH local
aaa authorization network HL_BOP_MAC_AUTH local

May I know if there is something I missed in the configuration?

Hi @JAMT have you found a workaround for this issue? I'm facing the same problem.

Configuring the Allow AAA-Override option in your policy profile (Tag & Policy) config will solve this issue.

"If you want the client to connect to SSID1, but not to SSID2 using mac-filtering, ensure that you configure aaa-override in the policy profile"
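
As an added example (not part of the thread, and not Cisco's code), the following Python check reads a running-config and lists WLANs that use mac-filtering while their mapped policy profile lacks aaa-override. The policy profile and policy tag names (PP_EMP, PP_BOP, PT_SITE) and the GUEST WLAN are hypothetical, and the parser assumes indented `show running-config` output.

```python
import re

# Constructed sample config; PP_*, PT_SITE and GUEST are hypothetical names.
SAMPLE = """\
wireless profile policy PP_EMP
 aaa-override
 no shutdown
wireless profile policy PP_BOP
 no shutdown
wireless tag policy PT_SITE
 wlan HL_EMP policy PP_EMP
 wlan HL_EMP1 policy PP_BOP
wlan HL_EMP 1 HL_EMP
 mac-filtering EMP_MAC_AUTH
wlan HL_EMP1 2 HL_BOP
 mac-filtering HL_BOP_MAC_AUTH
wlan GUEST 3 GUEST
 no shutdown
"""

def sections(config):
    """Yield (header_words, child_lines) for each top-level config block."""
    head, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":          # unindented line starts a new block
            if head: yield head, body
            head, body = line.split(), []
        elif head:
            body.append(line.strip())
    if head: yield head, body

def unenforced_wlans(config):
    """Return sorted (wlan, policy_profile) pairs where the WLAN uses
    mac-filtering but the mapped policy profile lacks aaa-override."""
    override, macfilter, maps = set(), set(), []
    for head, body in sections(config):
        if head[:3] == ["wireless", "profile", "policy"] and "aaa-override" in body:
            override.add(head[3])
        elif head[:3] == ["wireless", "tag", "policy"]:
            for l in body:          # WLAN-to-policy-profile mappings in the tag
                m = re.fullmatch(r"wlan (\S+) policy (\S+)", l)
                if m: maps.append(m.groups())
        elif head[0] == "wlan" and any(l.startswith("mac-filtering") for l in body):
            macfilter.add(head[1])
    return sorted((w, p) for w, p in maps if w in macfilter and p not in override)

if __name__ == "__main__":
    for wlan, profile in unenforced_wlans(SAMPLE):
        print(f"{wlan}: policy profile {profile} has no aaa-override")
```
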

Thank you. After AAA-Override was enabled, I could control the connection to an SSID through the Attribute List, but I found that I could not connect to any SSID after adding two SSIDs to the Attribute List and referencing them.


 

May I ask how to set this up if I have three SSIDs for MAC address authentication but I need this MAC address to connect to two SSIDs?

alisha_rascon01
Level 1
Level 1

I hope that you followed the below guide for MAC filtering.

Troubleshoot Catalyst 9800 Wireless Controllers
