01-27-2023 10:55 AM
Working on getting a 9800 WLC HA cluster using RP configured for MAC address filtering for one of the SSIDs, but having an issue getting devices to join. Doing local authentication on the WLC, so no ISE configuration is required. I believe it's all configured correctly but am not able to get devices to join. The error message in the logs is the following:
Jan 27 16:57:25.892: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (8ebb.cf44.ee33) on Interface capwap_90000006 AuditSessionID F0280A0A00. Failure reason: Authc fail. Authc failure reason: AAA Server Down.
Here's the relevant configuration for this WLAN if anyone can spot the error:
aaa new-model
aaa authorization network MAB_LOCAL_AUTH_MAC_SSID2 local
aaa attribute list ATTR_LIST_MAC_SSID
 attribute type ssid "MAC_SSID"
wireless profile policy POL_PROF_2
 aaa-override
 description "Policy profile for MAC_SSID"
 dhcp-tlv-caching
 no exclusionlist
 exclusionlist timeout 0
 ipv4 flow monitor wireless-avc-basic input
 ipv4 flow monitor wireless-avc-basic output
 service-policy client input AUTOQOS-AVC-PROFILE
 service-policy client output AUTOQOS-AVC-PROFILE
 service-policy input platinum-up
 service-policy output platinum
 session-timeout 86400
 vlan 40
 no shutdown
wireless tag policy default-policy-tag
 description "default policy-tag"
 wlan MAC_SSID policy POL_PROF_2
 wlan Guest_Wireless policy POL_PROF_3
 wlan Staff_Wireless policy POL_PROF_1
wlan MAC_SSID 2 MAC_SSID2
 no broadcast-ssid
 no chd
 mac-filtering MAB_LOCAL_AUTH_MAC_SSID2
 security ft
 security wpa psk set-key ascii 0 MyNet893#*
 no security wpa akm dot1x
 security wpa akm psk
 security wpa akm sae
 security wpa wpa3
 security pmf optional
 no shutdown
username 0e23ae4b2fb0 mac aaa attribute list ATTR_LIST_MAC_SSID description "Test iPhone"
username 8ebbcf44ee33 mac aaa attribute list ATTR_LIST_MAC_SSID description "Steve Laptop"
01-27-2023 11:51 PM
>....Authc failure reason: AAA Server Down.
- Looks like the AAA server(s) may not be reachable from the controller (try a ping from the controller). Also have the 9800 configuration checked with the CLI command show tech wireless, and have the output analyzed by https://cway.cisco.com/
M.
01-28-2023 06:37 PM
Thanks for the reply. The AAA server would be the WLC itself in this case, since I'm just doing MAC address filtering with a local list, correct? Do I need to enable any settings on the controller in order for it to respond or act as an AAA server?
I'll try to get the "show tech wireless" and analyze it.
01-28-2023 11:40 PM
>....I'll try to get the "show tech wireless" (procedure) and analyze it.
Consider that a priority item and/or to-do-first item.
M.
02-14-2024 08:40 AM
Hi, did you find a way to make it work? Can you please share the solution?
02-14-2024 09:34 AM
Add a new WLAN with open auth.
Then have the Wi-Fi client with the issue join this new SSID and check its MAC.
Some devices use a randomized MAC that is not the same as their real MAC, and this makes using a MAC filter impossible.
MHM
02-21-2024 09:53 AM
@licajulcisco
The most common mistake people make with this config is not following the config guidelines correctly.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_mab_auth_bypass.html#id_50562
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html#toc-hId-2036295870
"The mac-address must be in the following format: abcdabcdabcd"
The MAC address username must be entered in lower case, no punctuation or separators.
If you do not do this correctly, it will not work, it will not match the client MAC address.
Make sure you've followed all the steps correctly in the config guide.
And as always - why are you trying to filter MAC addresses?
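The two points raised above, that the 9800 only matches a local-MAB username written as 12 lowercase hex digits with no separators, and that a client using a randomized (locally administered) MAC will never match the list, can both be checked mechanically before touching the controller. The following is an added example and not code from the thread or from Cisco: the function names are mine, the sample log line is the one posted at the top of the thread, and the randomization check relies only on the IEEE U/L bit (bit 1 of the first octet), which is set for locally administered addresses. Note that the first octet of the client MAC in the posted log, 0x8e, has that bit set.

```python
import re

# IEEE U/L bit: bit 1 of the first octet set => locally administered address.
# Randomized/"private" Wi-Fi MACs on phones and laptops are built this way.
LOCALLY_ADMINISTERED_BIT = 0x02

# Pulls the client MAC out of a 9800 %SESSION_MGR-5-FAIL line, e.g.
# "... for client (8ebb.cf44.ee33) on Interface capwap_90000006 ..."
SESSION_MGR_CLIENT_RE = re.compile(r"for client \(([0-9A-Fa-f.:\-]+)\)")


def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits with no separators.

    Accepts 8e:bb:cf:44:ee:33, 8E-BB-CF-44-EE-33, 8ebb.cf44.ee33 or a bare
    12-digit string.  The bare lowercase form ("abcdabcdabcd") is the one the
    9800 expects in 'username <mac> mac ...'.
    """
    mac = mac.strip()
    if re.search(r"[^0-9A-Fa-f:.\-]", mac):
        raise ValueError(f"unexpected characters in MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"MAC address must have 12 hex digits: {mac!r}")
    return digits.lower()


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit of the first octet is set (randomized/private MAC)."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & LOCALLY_ADMINISTERED_BIT)


def mab_username_line(mac: str, attr_list: str, description: str) -> str:
    """Build the local-MAB 'username' line in the format the 9800 requires."""
    return (f"username {normalize_mac(mac)} mac aaa attribute list {attr_list} "
            f'description "{description}"')


def client_mac_from_log(line: str):
    """Extract and normalize the client MAC from a %SESSION_MGR-5-FAIL line."""
    m = SESSION_MGR_CLIENT_RE.search(line)
    return normalize_mac(m.group(1)) if m else None


def check_client(log_line: str, allowed):
    """Return (mac, in_allow_list, looks_randomized) for the client in log_line.

    'allowed' may hold MACs in any separator style; each is normalized the same
    way the username lines are, so the comparison is exactly what the WLC does.
    """
    mac = client_mac_from_log(log_line)
    if mac is None:
        return None, False, False
    allowlist = {normalize_mac(a) for a in allowed}
    return mac, mac in allowlist, is_locally_administered(mac)


if __name__ == "__main__":
    # Log line as posted in the thread, and the two MACs from the posted config.
    posted_log = ("Jan 27 16:57:25.892: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: "
                  "Authorization failed or unapplied for client (8ebb.cf44.ee33) on "
                  "Interface capwap_90000006 AuditSessionID F0280A0A00. Failure "
                  "reason: Authc fail. Authc failure reason: AAA Server Down.")
    allowed = ["0e23ae4b2fb0", "8E:BB:CF:44:EE:33"]
    print(check_client(posted_log, allowed))
    for m in allowed:
        print(mab_username_line(m, "ATTR_LIST_MAC_SSID", "generated"))
```

Running it against the posted log reports the client as present in the list (so the username format is not the problem for that MAC) but flags it as locally administered, which is the case the open-auth WLAN test above is meant to surface: compare the MAC the client actually associates with against the one in the username list rather than assuming they are the same.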