Can I use the MAC filtering option on Cisco WLC?

Noovi
Level 1

Hello Guys,

Currently in my network setup we have one SSID, which uses [WPA2][Auth(802.1X)].

Can I enable MAC filtering on the same SSID?

If yes, is there any impact on currently connected users? Are any changes required on the ISE end policy if MAC filtering is enabled only at the WLC end?

6 Replies

Hello,

 Which WLC do you have?

Yes, you can use Dot1x with MAC filter, and yes, there will be an impact if you do not register all the valid MAC addresses on the network.

This guide is for WLC 9800 but the ISE part must be the same.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html

 

I have a 5520 WLC.

So are you saying that if I enable MAC filtering on the SSID with dot1X, all connected users will be impacted if their MAC address is not present on the WLC?

My main question is: what is the preference?

Like, first it will prefer MAC filtering, but all users' MACs should be present locally on the WLC. Here a user whose MAC address is present on the WLC will be permitted on the network.

Second, a user whose MAC is not present on the WLC will go for dot1X in ISE for authentication. Is that true, or should the MAC addresses of dot1X users also be present on the WLC?

You are implying that the users on the WLC will be permitted by default because they are connected on the WLC? They don't.

 You need to add them in "SECURITY" > "MAC Filtering" > "New"

 There is no IF/ELSE logic as far as I know. My experience is that if you check the option "Mac Filter" on the WLAN, you better have all your clients properly registered in the MAC filtering database.

 I used to manage an infra with Mac Filter checked and it was a pain in the ass. All the time new MAC addresses were coming and I needed to add them, or users were going and I had to remove them from the database.
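A pre-change check for the impact described in the reply above, as an added example that is not part of the original thread: it compares the MAC addresses of currently associated clients against the MAC filter list and reports which clients are not registered. It assumes both lists have been exported as plain strings in any common notation; the function names and sample addresses are constructed. It goes one step beyond the reply by separately flagging locally administered (randomized) addresses, which cannot be kept in a static list.

```python
import re

def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac12):
    """Bit 1 of the first octet is set on randomized / private MAC addresses."""
    return bool(int(mac12[:2], 16) & 0x02)

def audit(connected, registered):
    """Classify connected clients against the MAC filter list (hypothetical helper)."""
    allowed = {m for m in map(normalize_mac, registered) if m}
    report = {"covered": [], "missing": [], "randomized_missing": [], "malformed": []}
    for raw in connected:
        mac = normalize_mac(raw)
        if mac is None:
            report["malformed"].append(raw)
        elif mac in allowed:
            report["covered"].append(mac)
        elif is_locally_administered(mac):
            report["randomized_missing"].append(mac)
        else:
            report["missing"].append(mac)
    return report

# Constructed sample data: clients currently on the SSID, in mixed notations.
CONNECTED = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f", "DA-A1-19-00-00-01", "not-a-mac"]
# Constructed sample data: entries already in the MAC filter database.
REGISTERED = ["00-1a-2b-3c-4d-5e", "00:1a:2b:3c:4d:60"]

if __name__ == "__main__":
    for category, macs in audit(CONNECTED, REGISTERED).items():
        print(f"{category}: {macs}")
```

Clients listed under `missing` or `randomized_missing` are the ones to register, or to handle in ISE policy instead, before the MAC filter option is checked on the WLAN.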

Thanks Flavio.

That means it is better to make modifications in ISE to check the certificate or MAC endpoint whitelisting,

so that it will not be required to add all connected users' MAC addresses.

That's correct.

marce1000
Hall of Fame

 

 - FYI : https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '