
MAC auth with WPA for specific SSIDs

3dmaxer
Level 1

I have two SSIDs AP1 and AP2 both of which leverage MAC authentication device list defined under AAA Advanced, Device Authentication.  I have defined the Attribute List Name and WLAN profiles specific to each MAC in an attempt to limit the SSID that the device can connect to.

One SSID (AP1) gets the user further authenticated using Windows NPS, while the other (AP2) relies on a static password using WPA all within the Cisco EWC.

My issue is that I want to prevent someone that is already defined in the MAC list and knows the static password from jumping onto AP2.  What am I missing with the configuration that is not stopping this from occurring?

6 Replies

What WLC do you have?

I'm using C9115 APs and running them using the Embedded Wireless Controller implementation version 17.9.4.

marce1000
VIP

 

 - Jumping or roaming can never be prevented; you can only have WLANs with SSIDs, each having their (own) authentication schemes (if needed),

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Haydn Andrews
VIP Alumni

You could look at iPSK and have the AAA server auth policy have the SSID in it.

That way you could say if connecting to SSID AP1 and part of endpoint group containing device MAC then return PSK, if not then return access deny.
Same for the other SSID

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
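The AAA-side policy Haydn describes (MAC must belong to the endpoint group for the SSID it is joining, otherwise deny), modelled as an added example rather than anything from the thread or from Cisco. It assumes the RADIUS request carries the client MAC in Calling-Station-Id and the SSID in Called-Station-Id in the RFC 3580 "AP-MAC:SSID" form; the endpoint groups, keys and the cisco-av-pair names used to return the iPSK are constructed values.

```python
import re

# Constructed endpoint groups: which client MACs may join which SSID,
# and the per-SSID key handed back on success (hypothetical values).
ENDPOINT_GROUPS = {
    "AP1": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
    "AP2": {"aa:bb:cc:00:00:03"},
}
SSID_PSK = {"AP1": "ap1-group-key", "AP2": "ap2-group-key"}

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise the Calling-Station-Id formats NAS devices send
    (AA-BB-CC-..., aabb.cc00...., aa:bb:...) to aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def ssid_from_called_station(called: str) -> str:
    """RFC 3580 wireless Called-Station-Id is 'AA-BB-CC-DD-EE-FF:SSID';
    validate the AP MAC half and return the SSID half."""
    ap_mac, sep, ssid = called.partition(":")
    if not sep or not ssid:
        raise ValueError(f"Called-Station-Id carries no SSID: {called!r}")
    normalize_mac(ap_mac)  # raises if the AP MAC portion is malformed
    return ssid


def authorize(calling_station_id: str, called_station_id: str) -> dict:
    """Bind the MAC to its SSID: accept with the group PSK only when the
    device is in the endpoint group for that SSID, otherwise reject."""
    try:
        mac = normalize_mac(calling_station_id)
        ssid = ssid_from_called_station(called_station_id)
    except ValueError as exc:
        return {"result": "Access-Reject", "reason": str(exc)}
    if mac not in ENDPOINT_GROUPS.get(ssid, set()):
        return {"result": "Access-Reject", "reason": f"{mac} not allowed on {ssid}"}
    return {
        "result": "Access-Accept",
        # Assumed attribute names for returning an iPSK to the controller.
        "cisco-av-pair": ["psk-mode=ascii", f"psk={SSID_PSK[ssid]}"],
    }
```

Because the decision key is the client MAC, this only raises the bar as far as MAC filtering ever does; a device that knows the static key and presents an allowed MAC is still accepted, which is the spoofing caveat raised later in the thread.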

Hi Haydn,

I was hoping I could have the Cisco Wireless Controller check the MAC to the SSID against something like the Attribute List Name and stop people at that point before they get an IP assigned.

Do you know if I can define the device's MAC address as a user and, for the password, use some static password instead of having to use the MAC as the password?

JPavonM
VIP

Yes, you can define an allowlist for MAC Auth on the PSK SSID to prevent non-legitimate devices from connecting to it, but this could be spoofed by a user with access to free tools and hacking forums if they want to.

Using iPSK on the SSID would be the best way, but using MS NPS is hard to do as the part with MAC Auth relies on a user account created on the DC. (https://community.meraki.com/t5/Wireless-LAN/iPSK-Configuration-with-Microsoft-NPS/m-p/100983/highlight/true#M14935)
