Cisco WLC: Bypass Mac Filter with wpa psk

ivan.martin
Level 1

Hello, my name is Ivan.

I have a WLC version 7.0.116.0 and 10 LAPs registered in local mode. All of them are broadcasting 4 SSIDs. I need one SSID to work with Layer 2 security using WPA PSK + MAC filter.

I have already configured all the MAC addresses on the users' interface (different from the management interface) and enabled MAC filter security on the users' WLAN, but when a user of this WLAN tries to authenticate, the process bypasses the MAC filter and the user can authenticate to the WLAN without problems.

When I look at the configuration context I see the MAC, IP address, description and the users' interface correctly. Moreover, in the WLAN the MAC security checkbox is ticked.

I ran debug client (mac of client) on the WLC and I can see that his authentication process passes without any problems.

Could you give me some advice to resolve this trouble?

Thanks

Regards

Ivan

6 Replies

Justin Kurynny
Level 4

Ivan,

I tested it on my lab controller and it works. Two questions for you:

  • Are you putting your MAC addresses in the MAC Filtering list?

  • Are you configuring your WLAN for MAC Filtering as indicated in the below screenshot?

Justin

Hi Justin, thanks for your answer.

That's correct. I did it on my WLC. The users can authenticate to the WLAN without any problems, but bypass the MAC filter.

I understand that H-REAP mode cannot support MAC filter, but all the access points are in local mode.

Any advice? Perhaps an issue?

Regards

Ivan.

Ivan,

Reading more closely, I think maybe the controller is behaving normally.

You say that you add the client to the MAC filtering list and you turn on MAC filtering for your WLAN. Then you say the client is allowed to authenticate. Am I getting that correctly? If so, that is what MAC filtering does--it allows all MAC addresses in the MAC filtering list to authenticate, i.e., the MAC filtering list is an allow list.

If you want to reject specific clients, then you need to put their MAC address in the Disabled Clients list (Security tab).

Does this help, or is it possible that I am still misunderstanding your issue?

Justin

Hello Justin,

That's correct, but when I look at the user's authentication logs, I see that the WLC does not show the MAC filter method. For example:

user A, method Layer 2 WPA PSK + MAC filter: I only see WPA PSK, nothing else.

Moreover, when a user that doesn't exist in the MAC address list tries to authenticate to the WLAN, this user passes without any problems.

That tells me that the user bypasses the MAC filter process, and I think that the WLC doesn't work very well.

Thanks for your answer

Ivan

Ivan,

Ok, that makes sense. So yes, as far as I know, the logs are not super helpful when it comes to MAC filtering pass/fail, but you will find generic messages related to MAC filter events. Filtering for MAC is a layer 2 association-level event, so if a client does not pass, you will see an SNMP log message like:

Sun Mar 18 20:23:52 2012          Client Association Failure: MACAddress: Base Radio MAC: Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1

If they pass, then you will see:

Sun Mar 18 20:29:05 2012          Client Association: Client MAC: Base Radio MAC : Slot: 0 User Name:unknown IP Addr: unknown

If you are not seeing these messages, make sure you have SNMP trap controls turned on for Client association and association failure events.

I have done some more testing today and I am not running into the issues that you are seeing. In my setup, named clients can associate and unlisted clients are failing to associate. At this point I would recommend that you try upgrading your code to 7.0.220.0 or higher. My testing was done on 7.0.220.0.

Justin
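Added example, not part of the thread and not Cisco code: a small Python script that parses WLC trap-log lines of the two shapes Justin quotes above, separates association successes from failures, and reports any client MAC that associated even though it is not in the MAC filter list, which is exactly the bypass Ivan describes. The MAC addresses, radio MACs and field spacing in the sample lines are constructed; a real controller's log may lay the fields out slightly differently, so the regular expressions are an assumption to adjust against your own output.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed sample trap log. The two message shapes follow the lines quoted in
# the thread; the MAC addresses, radio MACs and exact spacing are made up, and a
# real WLC trap log may lay the fields out slightly differently (assumption).
SAMPLE_LOG = """\
Sun Mar 18 20:23:52 2012  Client Association Failure: MACAddress:de:ad:be:ef:00:02 Base Radio MAC:aa:bb:cc:dd:ee:00 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
Sun Mar 18 20:29:05 2012  Client Association: Client MAC:00:11:22:33:44:66 Base Radio MAC :aa:bb:cc:dd:ee:00 Slot: 0 User Name:unknown IP Addr: unknown
Sun Mar 18 20:31:40 2012  Client Association: Client MAC:DE:AD:BE:EF:00:01 Base Radio MAC :aa:bb:cc:dd:ee:00 Slot: 0 User Name:unknown IP Addr: unknown
Sun Mar 18 20:32:10 2012  Client Association Failure: MACAddress:00:11:22:33:44:55 Base Radio MAC:aa:bb:cc:dd:ee:00 Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1
"""

# The MAC filter (allow) list as configured on the controller (constructed).
# Entries may be written in colon, dash or Cisco dotted notation; they are normalised.
MAC_FILTER_LIST = {"00:11:22:33:44:55", "0011.2233.4466"}

MAC_RE = r"([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})"
TIMESTAMP_RE = re.compile(r"^(\w{3} \w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")
ASSOC_OK_RE = re.compile(r"Client Association: Client MAC:\s*" + MAC_RE, re.I)
ASSOC_FAIL_RE = re.compile(
    r"Client Association Failure: MACAddress:\s*" + MAC_RE + r".*?ReasonCode:\s*(\d+)", re.I)


def normalize_mac(mac: str) -> str:
    """Return a MAC in lower-case colon form, accepting 00-11-..., 0011.2233.4455, etc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass
class AssocEvent:
    timestamp: str
    mac: str
    success: bool
    reason_code: Optional[int]  # only present on association failures


def parse_event(line: str) -> Optional[AssocEvent]:
    """Parse one trap-log line; return None for lines that are not association events."""
    ts_match = TIMESTAMP_RE.match(line)
    ts = ts_match.group(1) if ts_match else ""
    m = ASSOC_FAIL_RE.search(line)
    if m:
        return AssocEvent(ts, normalize_mac(m.group(1)), False, int(m.group(2)))
    m = ASSOC_OK_RE.search(line)
    if m:
        return AssocEvent(ts, normalize_mac(m.group(1)), True, None)
    return None


def parse_log(text: str) -> List[AssocEvent]:
    """Parse a whole trap log, keeping only association success/failure events."""
    return [ev for ev in (parse_event(l) for l in text.splitlines()) if ev is not None]


def find_filter_bypass(events: Iterable[AssocEvent], allow_list: Set[str]) -> List[str]:
    """MACs that associated successfully although they are not in the MAC filter list.

    With MAC filtering working, this is empty: the filter is an allow list, so an
    unlisted client must appear as an association failure, never as a success.
    """
    allowed = {normalize_mac(m) for m in allow_list}
    bypassed: List[str] = []
    for ev in events:
        if ev.success and ev.mac not in allowed and ev.mac not in bypassed:
            bypassed.append(ev.mac)
    return bypassed


def find_rejected_listed(events: Iterable[AssocEvent], allow_list: Set[str]) -> List[str]:
    """MACs on the filter list that nevertheless failed to associate (the opposite symptom)."""
    allowed = {normalize_mac(m) for m in allow_list}
    return sorted({ev.mac for ev in events if not ev.success and ev.mac in allowed})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print("unlisted MACs that associated:", find_filter_bypass(evs, MAC_FILTER_LIST))
    print("listed MACs that were rejected:", find_rejected_listed(evs, MAC_FILTER_LIST))
```

Feed the script the controller's trap log (or a syslog export) and the current MAC filter list; a non-empty result from find_filter_bypass is the objective evidence Ivan was looking for that the filter is not being enforced, independent of what the per-client debug output happens to show.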

Ivan,

Did you figure out the issue?

I discovered a command today that will allow you to show if MAC filtering is globally enabled on the WLC.

Try running this command on the CLI:

(wlc) >show advanced macfiltering
Authentication................................... enabled
Skip RADIUS (query only the local db)............ disabled

You can turn it on or off with

(wlc) >config advanced macfiltering ...

Maybe your configuration is different than above somehow?

Justin
