Mac address filtering for WLAN on 9800

mumbles202
Level 5

Working on getting a 9800 WLC HA cluster using RP configured for Mac address filtering for 1 of the SSIDs but having an issue getting devices to join.  Doing local authentication on the WLC so no ISE configuration required.  I believe it's all configured correctly but not able to get devices to join.  The error message in the logs is the following:

Jan 27 16:57:25.892: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (8ebb.cf44.ee33) on Interface capwap_90000006 AuditSessionID F0280A0A00. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

Here's the relevant configuration for this WLAN if anyone can spot the error:

aaa new-model

aaa authorization network MAB_LOCAL_AUTH_MAC_SSID2 local

aaa attribute list ATTR_LIST_MAC_SSID
 attribute type ssid "MAC_SSID"

wireless profile policy POL_PROF_2
 aaa-override
 description "Policy profile for MAC_SSID"
 dhcp-tlv-caching
 no exclusionlist
 exclusionlist timeout 0
 ipv4 flow monitor wireless-avc-basic input
 ipv4 flow monitor wireless-avc-basic output
 service-policy client input AUTOQOS-AVC-PROFILE
 service-policy client output AUTOQOS-AVC-PROFILE
 service-policy input platinum-up
 service-policy output platinum
 session-timeout 86400
 vlan 40
 no shutdown

wireless tag policy default-policy-tag
 description "default policy-tag"
 wlan MAC_SSID policy POL_PROF_2
 wlan Guest_Wireless policy POL_PROF_3
 wlan Staff_Wireless policy POL_PROF_1

wlan MAC_SSID 2 MAC_SSID2
 no broadcast-ssid
 no chd
 mac-filtering MAB_LOCAL_AUTH_MAC_SSID2
 security ft
 security wpa psk set-key ascii 0 MyNet893#*
 no security wpa akm dot1x
 security wpa akm psk
 security wpa akm sae
 security wpa wpa3
 security pmf optional
 no shutdown

username 0e23ae4b2fb0 mac aaa attribute list ATTR_LIST_MAC_SSID description "Test iPhone"
username 8ebbcf44ee33 mac aaa attribute list ATTR_LIST_MAC_SSID description "Steve Laptop"
6 Replies

marce1000
VIP

>....Authc failure reason: AAA Server Down.
 - Looks like the AAA server(s) may not be reachable from the controller (try a ping from the controller); also have a checkup of the 9800 configuration with the CLI command: show tech wireless, and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ . Please note: do not use the classical show tech-support (short version), use the command denoted in green for Wireless Analyzer. Checkout all advisories!

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Thanks for the reply. The AAA server would be the WLC itself in this case since I'm just doing MAC address filtering w/ a local list, correct? Do I need to enable any settings on the controller in order for it to respond or act as an AAA server?

I'll try to get the "show tech wireless" and analyze it.

>....I'll try to get the "show tech wireless" (procedure) and analyze it.
 Consider that as being a priority item and/or to-do-first.

 M.


licajulcisco
Level 1

Hi, did you find a way to make it work? Can you please share the solution?

Add a new WLAN with open auth.

Then make the wifi client with the issue join this new SSID and check the MAC.

There are some devices that use a randomized MAC, not the same MAC, and this makes using a MAC filter impossible.

MHM

@licajulcisco 
The most common mistake people make with this config is not following the config guidelines correctly.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_mab_auth_bypass.html#id_50562
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html#toc-hId-2036295870

"The mac-address must be in the following format: abcdabcdabcd"

The MAC address username must be entered in lower case, with no punctuation or separators.
If you do not do this correctly, it will not work: it will not match the client MAC address.
Make sure you've followed all the steps correctly in the config guide.

And as always - why are you trying to filter MAC addresses?
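The two failure modes raised in this thread, a `username ... mac` entry typed in the wrong format and a client presenting a randomized MAC, can both be checked before touching the WLC. The following Python script is an added example written for this page; it is not code from the thread or from Cisco. It normalizes any common MAC notation to the `abcdabcdabcd` form the config guide quotes, flags existing usernames that will never match, pulls the client MAC out of a `%SESSION_MGR-5-FAIL` line such as the one in the original post, and tests the IEEE locally-administered bit (bit 1 of the first octet), which randomized per-SSID addresses set. The attribute-list name and descriptions are the ones from the posted configuration; the mistyped `AA:BB:CC:DD:EE:FF` entry and the `02:...`/`00:50:56:...` addresses are constructed sample input.

```python
import re
from typing import Optional

# Cisco 9800 local MAB usernames are 12 lowercase hex digits with no separators,
# the "abcdabcdabcd" format quoted from the config guide in this thread.
USERNAME_RE = re.compile(r"^[0-9a-f]{12}$")

# Client MAC as printed by wncd in %SESSION_MGR log lines: "client (8ebb.cf44.ee33)"
LOG_CLIENT_RE = re.compile(r"client \(([0-9A-Fa-f.:-]+)\)")


def normalize_mac(mac: str) -> str:
    """Convert any common MAC notation to the 9800 username form.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff (the dotted
    form the wncd log uses) and bare aabbccddeeff. Raises ValueError for
    anything that is not exactly 48 bits of hex.
    """
    digits = re.sub(r"[:.\- ]", "", mac.strip()).lower()
    if not USERNAME_RE.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def is_valid_username(name: str) -> bool:
    """True if an existing 'username <name> mac ...' entry is already in the required format."""
    return USERNAME_RE.match(name) is not None


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (bit 1 of the first octet) is set.

    Randomized per-SSID MACs on phones and laptops set this bit, so such a
    client never matches the hardware MAC that was put in the allow list.
    A few vendors' burned-in addresses also set it, so treat True as a hint
    to check the client's MAC-privacy setting, not as proof.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def username_line(mac: str, attr_list: str, description: str) -> str:
    """Render the 9800 'username ... mac aaa attribute list ...' line for one client."""
    return (f"username {normalize_mac(mac)} mac aaa attribute list {attr_list} "
            f'description "{description}"')


def check_failed_client(log_line: str, configured: set) -> Optional[dict]:
    """Pull the client MAC out of a %SESSION_MGR-5-FAIL line and classify it.

    'configured' is the set of (already normalized) usernames present on the
    WLC. Returns None when the line carries no client MAC.
    """
    m = LOG_CLIENT_RE.search(log_line)
    if m is None:
        return None
    mac = normalize_mac(m.group(1))
    return {
        "mac": mac,
        "in_allow_list": mac in configured,
        "locally_administered": is_locally_administered(mac),
    }


if __name__ == "__main__":
    # Constructed sample: the two usernames from the thread plus one mistyped entry.
    configured = ["0e23ae4b2fb0", "8ebbcf44ee33", "AA:BB:CC:DD:EE:FF"]
    for name in configured:
        if not is_valid_username(name):
            print(f"fix this entry, it will never match: {name} -> {normalize_mac(name)}")

    # The log line quoted in the original post.
    log = ("Jan 27 16:57:25.892: %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization "
           "failed or unapplied for client (8ebb.cf44.ee33) on Interface capwap_90000006 "
           "AuditSessionID F0280A0A00. Failure reason: Authc fail. Authc failure reason: "
           "AAA Server Down.")
    print(check_failed_client(log, {normalize_mac(n) for n in configured}))
    print(username_line("aa:bb:cc:dd:ee:ff", "ATTR_LIST_MAC_SSID", "constructed example"))
```

Run it against the `username` section of `show running-config` before opening a case: an entry that fails `is_valid_username` is the mistake the config guide warns about, and a failing client whose MAC comes back `locally_administered` is worth checking for per-network MAC randomization on the device before anything else.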