
MAC address format within Radius authentication from WLC

danhosking
Level 1

I have a client that is binding their DHCP IP addresses to MAC addresses for each user for security reasons. They have an existing Autonomous environment and are in the process of replacing it with a lightweight solution. On the Microsoft 2003 RADIUS server they have the Verify Caller-ID field enabled with the string of the MAC address for each user. The issue is that the MAC address sent by the client machine is in a different format when it authenticates using the Wireless LAN Controller than when it uses the autonomous system.

See the comparison of the two below -

A lightweight authentication attempt error message from the MS 2003 RADIUS server -

Called-Station-Identifier = 04-fe-7f-48-c9-20:employee

Calling-Station-Identifier = c8-bc-c8-43-73-c1

Reason-Code = 67

Reason = The user attempted to connect through either a phone number or calling station that does not match the Caller ID listed for the user account.

An Autonomous attempt that passes -

Calling-Station-Identifier = c8bc.c843.73c1

Because of this the client authentication fails. Is there a way to change the MAC format sent by the WLCs? Or to have multiple strings in the caller ID field to support the different MAC formats per user in the Microsoft RADIUS server?

1 Accepted Solution


Nicolas Darchis
Cisco Employee

If it's MAC filtering you are doing on the WLC, then you can select the format. WLC web page -> Security -> MAC filtering -> Delimiter: colon, hyphen, no delimiter, ...

If your RADIUS server does the verification on a normal authentication (dot1x) from the clients, then I'm not aware of any possibility to change this format. I'd then suggest you look into doing the verification over MAC filtering :-)


2 Replies 2

Thanks for the reply. I looked into those suggestions but it seems to be a limitation on the Windows side of things. I will have to work with the client to find another way to achieve what they want.
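The format mismatch discussed in this thread, as an added example that is not part of the original posts and not Cisco or Microsoft code: it parses Calling-Station-Identifier and Called-Station-Identifier values in the delimiter styles mentioned above, separates a pure format mismatch from a genuinely different MAC, and rewrites the stored Caller-ID string in the style the new equipment sends. The literal string comparison on the server, the user names, the style labels and the function names are assumptions of this example.

```python
import re

# One MAC in any delimiter style: hyphen, colon, none, or Cisco dotted.
_MAC = re.compile(
    r"(?:[0-9a-f]{2}([-:]?)(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}"
    r"|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})",
    re.IGNORECASE,
)

def parse_station_id(value):
    """Return (MAC as 12 lowercase hex digits, suffix after ':' or None)."""
    value = value.strip()
    m = _MAC.match(value)
    rest = value[m.end():] if m else ""
    if m is None or (rest and not rest.startswith(":")):
        raise ValueError(f"not a MAC-based station id: {value!r}")
    return re.sub(r"[-:.]", "", m.group(0)).lower(), (rest[1:] if rest else None)

def render(mac, style):
    """Format 12 hex digits as 'hyphen', 'colon', 'dotted' or 'none'."""
    if style == "dotted":
        return ".".join(mac[i:i + 4] for i in range(0, 12, 4))
    sep = {"hyphen": "-", "colon": ":", "none": ""}[style]
    return sep.join(mac[i:i + 2] for i in range(0, 12, 2))

def classify(configured, received):
    """Assumption: the server compares the two strings literally."""
    if configured == received:
        return "exact"
    same = parse_station_id(configured)[0] == parse_station_id(received)[0]
    return "format-mismatch" if same else "different-mac"

def audit(accounts, events, new_style):
    """List (user, verdict, Caller-ID rewritten in new_style) for each failure."""
    report = []
    for user, received in events:
        verdict = classify(accounts[user], received)
        if verdict != "exact":
            mac = parse_station_id(accounts[user])[0]
            report.append((user, verdict, render(mac, new_style)))
    return report

# Constructed sample; alice's two strings are the values quoted in the question.
ACCOUNTS = {"alice": "c8bc.c843.73c1", "bob": "0011.2233.4455"}
EVENTS = [("alice", "c8-bc-c8-43-73-c1"), ("bob", "00-11-22-33-44-66")]

if __name__ == "__main__":
    for row in audit(ACCOUNTS, EVENTS, "hyphen"):
        print(row)
```

A `format-mismatch` row is an account whose stored string only needs rewriting; a `different-mac` row is a real Caller-ID failure that reformatting will not fix.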
