10-19-2009 02:35 AM - edited 07-03-2021 06:10 PM
Hi All
I have been asked to configure MAC Address authentication on a WLC4402 without the use of a RADIUS Server or Cisco ACS. I remember that an autonomous AP has a limit of 20 MAC Addresses in the local list.
Does anyone know if this limitation is still applied in the WLC4400 local list? I have seen that you can configure a maximum of 2048 entries in the local WLC database but does this include the MAC Address local list?
Any help is appreciated.
Thanks
Steven
10-23-2009 04:51 AM
Hi Steven,
Well, I have been through this setup numerous times, so I thought I would help you out.
======================================================
STEPS TO CONFIGURE MAC AUTHENTICATION with WLC/AP/ACS:
======================================================
1] On the WLC Web GUI:
Security>RADIUS authentication>New>
2] Add ACS server IP, ASCII Shared secret, port number and check the boxes for network user, management, IPSEC if used for AAA authentication
3] On the ACS server: Network Configuration>Add entry>
4] Add WLC hostname, IP address and matching shared key, for authenticate using select RADIUS Cisco Aironet or Cisco Airespace if using ACS 4.0/4.2
To configure the WLC so APs authenticate against ACS:
5] On the WLC:
Security>AP Policies>Select the checkbox for Authorize APs against AAA
6] On the ACS server:
Create an account for the client, based on its MAC address. For example, if the MAC address of the client is 00-15-C5-3A-E4-0D
Username : 0015c53ae40d
Password : 0015c53ae40d
Add a user account for the MAC address of the AP with no dots or dashes, the password will also be the MAC address of the AP with no dots or dashes.
STEPS TO CONFIGURE USER WITH MACHINE AUTHENTICATION:
With ACS, I would like to know what EAP flavor you are using along with MAC authentication.
You may go through the following links as per your requirement. I understand that reviewing a link is no less than a pain, but this is something we have very precise for you.
LEAP/MAC Authentication
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00805e7a13.shtml
Cisco Secure ACS for Windows v3.2 With EAP-TLS Machine Authentication
On Windows XP SP2 clients we can force machine authentication, user authentication, or both by a registry tweak.
HTH
JK
Please rate helpful posts.
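JK's step 6 gives the ACS account form for a MAC-authenticated client or AP: the MAC with dots and dashes removed, used as both username and password. The following is an added example, not code from the original post or from Cisco, showing how to build those accounts from MACs written in the mixed notations an administrator typically collects (Windows dashes, Cisco dotted-hex, colon-separated), validating them and de-duplicating before bulk entry into ACS. The function names and the sample MAC list are constructed for illustration.

```python
import re

# ACS expects exactly 12 hex digits; we emit lowercase to match JK's example.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the 12-hex-digit lowercase form of a MAC, or raise ValueError.

    Only the common separators (dash, colon, dot, space) are stripped, so a
    stray non-hex character such as 'G' still makes the address fail validation
    instead of being silently dropped.
    """
    cleaned = re.sub(r"[-:. ]", "", mac.strip()).lower()
    if not _HEX12.fullmatch(cleaned):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    # The I/G bit (bit 0 of the first octet) marks group/multicast addresses,
    # which can never be a client or AP station address.
    if int(cleaned[0:2], 16) & 0x01:
        raise ValueError(f"group/multicast address, not a station MAC: {mac!r}")
    return cleaned


def is_valid_mac(mac: str) -> bool:
    """Boolean wrapper around normalize_mac for quick filtering."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def acs_mac_account(mac: str) -> tuple[str, str]:
    """(username, password) for the MAC-as-credential account JK describes."""
    normalized = normalize_mac(mac)
    return normalized, normalized


def build_accounts(macs) -> dict[str, str]:
    """Map username -> password for a list of MACs in mixed notations.

    Entries that differ only in notation or letter case collapse to one
    account, so the same device is not entered twice in ACS.
    """
    accounts: dict[str, str] = {}
    for raw in macs:
        user, password = acs_mac_account(raw)
        accounts[user] = password
    return accounts


# Constructed sample input: the same client written two ways, plus a second
# device in colon notation (not taken from the original post).
SAMPLE_MACS = ["00-15-C5-3A-E4-0D", "0015.c53a.e40d", "00:15:c5:3a:e4:0e"]

if __name__ == "__main__":
    for user, password in build_accounts(SAMPLE_MACS).items():
        print(f"Username : {user}\nPassword : {password}\n")
```

Because the MAC is the password, anyone who can sniff the air or read a client's MAC from the WLC can impersonate that device; this is why the same post asks which EAP flavour is layered on top. Treat the MAC list as an inventory control, not as an authentication secret.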
10-23-2009 05:12 AM
Steven,
I looked in the 4.2 references and really can't find anything that specifies how a MAC filter entry is treated. However, in the 6.0 command reference, the "show database" command definitely indicates that a MAC filter entry is a part of the local user database:
> show database summary
Maximum Database Entries......................... 2048
Maximum Database Entries On Next Reboot.......... 2048
Database Contents
MAC Filter Entries........................... 2
Exclusion List Entries....................... 0
AP Authorization List Entries................ 1
Management Users............................. 1
Local Network Users.......................... 1
Local Users.............................. 1
Guest Users.............................. 0
Total..................................... 5
10-30-2009 05:12 PM
Yes, MAC filters are part of the controller database, which is either 512, 1024, or 2048. The database, however, as you can see in Robert's response, also contains guest users, excluded clients, local management users, and AP certificates.
10-30-2009 05:13 PM
And yes, that limitation applies to all available versions of controller code.
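The thread's conclusion is that MAC filter entries count against the same 512/1024/2048-entry controller database as management users, local net users, exclusion-list entries and AP authorization entries. The following is an added example, not code from the original thread or from Cisco, that parses `show database summary` output in the format Robert pasted and reports how many MAC filter entries still fit. It assumes, as that sample output shows, that the "Total" line is the sum of the top-level categories and that "Local Users" and "Guest Users" are the breakdown of "Local Network Users"; the sample text is copied from Robert's post, and the function names are constructed for illustration.

```python
import re

# Robert's show database summary output, embedded as the sample input.
SAMPLE_OUTPUT = """\
Maximum Database Entries......................... 2048
Maximum Database Entries On Next Reboot.......... 2048
Database Contents
MAC Filter Entries........................... 2
Exclusion List Entries....................... 0
AP Authorization List Entries................ 1
Management Users............................. 1
Local Network Users.......................... 1
Local Users.............................. 1
Guest Users.............................. 0
Total..................................... 5
"""

# "Name...... N" lines; the section header "Database Contents" has no dots
# and no value, so it is skipped.
_LINE_RE = re.compile(r"^\s*(?P<name>[A-Za-z ]+?)\.{2,}\s*(?P<value>\d+)\s*$")

# Assumption: these categories sum to the Total line. "Local Users" and
# "Guest Users" are the breakdown of "Local Network Users" and are not
# counted again.
TOP_LEVEL = [
    "MAC Filter Entries",
    "Exclusion List Entries",
    "AP Authorization List Entries",
    "Management Users",
    "Local Network Users",
]


def parse_database_summary(text: str) -> dict[str, int]:
    """Return {field name: value} for every 'Name.... N' line in the output."""
    fields: dict[str, int] = {}
    for line in text.splitlines():
        match = _LINE_RE.match(line)
        if match:
            fields[match.group("name").strip()] = int(match.group("value"))
    return fields


def database_headroom(text: str, planned_mac_filters: int = 0) -> dict:
    """Compute free database slots and whether a planned MAC list fits.

    'consistent' is False if the category counts do not add up to the Total
    line or if the sub-breakdown of Local Network Users does not match, which
    would mean this parser's assumptions do not hold for the given code version.
    """
    fields = parse_database_summary(text)
    maximum = fields["Maximum Database Entries"]
    next_reboot = fields.get("Maximum Database Entries On Next Reboot", maximum)
    used = sum(fields.get(name, 0) for name in TOP_LEVEL)
    breakdown_ok = (
        fields.get("Local Users", 0) + fields.get("Guest Users", 0)
        == fields.get("Local Network Users", 0)
    )
    free = maximum - used
    return {
        "maximum": maximum,
        "used": used,
        "free": free,
        "mac_filters": fields.get("MAC Filter Entries", 0),
        "fits": planned_mac_filters <= free,
        "consistent": used == fields.get("Total", used) and breakdown_ok,
        # A size change via config takes effect only after a reboot, so flag
        # when the running maximum and the next-reboot maximum differ.
        "reboot_pending": next_reboot != maximum,
    }


if __name__ == "__main__":
    report = database_headroom(SAMPLE_OUTPUT, planned_mac_filters=2000)
    for key, value in report.items():
        print(f"{key:15} {value}")
```

Run it against the real output of `show database summary` from your controller before importing a large MAC list; if `consistent` comes back False on your code version, the category layout differs from the 6.0 sample above and the sum should be checked by hand.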