Solved: MAC address in catalyst controller

manvik · ‎08-05-2024

I dont see any option 9800 catalyst controller for MAC address filtering in an SSID. The method mentioned in this link not working, while select the auth list in SSID settings list does not shows up.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213922-configure-mac-authentication-ssid-on-cis.html

MHM Cisco World · ‎08-06-2024

There is mac filter and mac filter with wpa

For your case check below

https://0x2142.com/how-to-catalyst-9800-mac-filtering/

MHM

View solution in original post

Mark Elsen · ‎08-06-2024

- You may want to revert to configuring trough the CLI (only) , if applicable and possible
+ What software version is the 9800 controller using ?

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

manvik · ‎08-06-2024

software version 17.3.4c

Mark Elsen · ‎08-06-2024

- The software version is old and EOL , consider 17.12.3

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

manvik · ‎08-06-2024

I have upgraded version to 17.12.4 what i don't understand is how "Authorization Method" (Security > AAA > AAA Method list > Authorization) and "Device Authentication" (Security > AAA > > AAA Advanced >> Device authentication) is related.
Also there's no menu Configuration > Wireless > WLANs > + Add . It's Tag&Profiles > WLAN

MHM Cisco World · ‎08-06-2024

Edit wlan> secuirty > l2 secuirty

There is mac filter options

MHM

manvik · ‎08-06-2024

1. created WLAN and choose Mac filtering in Layer 2 security and choose Authorization list.

2. Only option available in Authorization list is below

3. Where to configure MAC address now?
4. Below is the only place i saw to add MAC address, there's an option to select the SSID. Now how does Authorization list and this MAC address relate or connected?

Mark Elsen · ‎08-06-2024

- Note that any GUI changes are implemented in the running configuration ; this is a bit elaborate but what sometimes helps or can give insights is to look or take a difference between subsequent version of the running configuration on an external repository (when making changes with the GUI) then use the intended or viewed running configuration command manually with the CLI and or use ? for correct command completion info's, because in the end it could be a bug in the GUI ,

Appendix ; you can always evaluate the configuration of a 9800 controller with the CLI command
show tech wireless and feed the output from that into Wireless Config Analyzer
Note : use the full command as mentioned in green , WirelessAnalyzer does not work with the
output from a simple show tech

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

MHM Cisco World · ‎08-06-2024

What is secuirty you use ?

Wpa + mac filtering?

MHM

manvik · ‎08-06-2024

Yes. check here - https://community.cisco.com/t5/wireless/mac-address-in-catalyst-controller/m-p/5156398/highlight/true#M274177

MHM Cisco World · ‎08-06-2024

There is mac filter and mac filter with wpa

For your case check below

https://0x2142.com/how-to-catalyst-9800-mac-filtering/

MHM

Rich R · ‎08-06-2024

It definitely works.
As Marce suggested I highly recommend using CLI not GUI - it's less confusing and follow the doc step by step.
Since you apparently want to use local MAC authentication note that the MAC addresses are configured as "username" but it is very important to enter the MAC address as all lower case with no punctuation (no dots, dashes or colons) otherwise it will not match.

Using MAC addresses for security really is not advisable though. It's not secure (because it's very easy to spoof a MAC address) and with randomised MAC addresses will ultimately become almost impossible. With the latest version of iOS iPhones do not use hardware MAC even for networks which have Rotating MAC (the new name for Private MAC) disabled. The non-rotating MAC is still a Private MAC, different for every SSID.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

manvik · ‎08-30-2024

I could not find a proper step-by-step documentation other than this. Anyone trying to setup MAC address filter SSID in catalyst controller can try these steps;

https://0x2142.com/how-to-catalyst-9800-mac-filtering/

MHM Cisco World · ‎08-30-2024

I already share this link days ago

Maybe you missing it

MHM