This is clear I testes and the MAC Filtering is working. (just allowed MACs are able to connect)

The problem was that interface and WLAN filter "were not working", and this is what I'm going to test.

Thanks!

Let me know. It worked for me.

Sent from Cisco Technical Support iPhone App

Scott,

I was thinking about this and have one question:

You told that MAC Filtering needs to be enabled on all WLANs.

But how can I do with the guest WLAN? I don't wan't MAC Filter on it, because only guests on the company will use it.

It needs to be simple, with just a temporary user/password.

- Broadcast SSID + WPA2 PSK + MAC Filter desired

- Don't broadcast SSID + WPA2 PSK + MAC Filter desired

- Broadcast SSID + web authentication (guest wlan)  - NO MAC Filter

Well if you have v7.3 or newer, you can enable this feature: On MAC Filter failure

This will keep the devices that are not on the mac filter to still get the webauth page.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Hi Scott,

Enabled MAC Filtering on all WLANs, selected On MAC Filter failure on the guest one (worked!) but I'm still able to connect to all WLAN, even selection just one Profile and Interface on the MAC Filter page, as above

My MAC with permission to access just PDG-Visitantes, using interface visitantes (the interface in use with PDG-Visitantes WLAN)

All WLANs with MAC Filtering (PDG-VISITANTES is also with MAC Filter Failure)

My phone connected on PDG-CORP, even just allowing its MAC to connect to PDG-VISITANTES

Is it right? Do you suggest me to look anything else?

Not solved

My WLC is a WiSM  on a 6500 core switch

Ok, thank you anyway!

I guess that the TAC will be the only solution

Scott,

Just theorizing, Correct me if i'm wrong.

case:1

enable mac-filterting on wlan1 that is mapped to int1.

don't enable mac-filtering on wlan2 that is mapped to int1.

don't enable mac-filtering on wlan3 that is mapped to int2.

case:A macfilter -> mac-A, wlan1, int1.

test cases:-

connect mac-A to wlan1, it should join. bcoz it got right wlan1 and int1.

connect mac-A to wlan2, it should join since wlan2 doesn't have mac filter. ****

connect mac-A to wlan3, it should join since no mac-filter enabled on wlan3 though interface is int2.

case:B macfilter -> mac-A, wlan1, int2.

test cases:-

connect mac-A to wlan1, it should join since int2 used by wlan doesn't have mac-filtering enabled ****

connect mac-A to wlan2, it should join since no mac filter enabled on wlan2.

case:2

enable mac-filtering on wlan1 that is mapped to int1.

enable mac-filtering on wlan2 that is mapped to int1.

enable mac-filtering on wlan3 that is mapped to int2.

case:A macfilter -> mac-A, wlan1, int1.

test cases:-

connect mac-A to wlan1, it should join.

connect mac-A to wlan2, shouldn't join since mac-A not allowed on this wlan2

connect mac-A to wlan3, shouldn't join since mac-A not allowed on this wlan3

case:B macfilter -> mac-A, wlan1, int2.

test cases:-

connect mac-A to wlan1, it shouldn't join since int is different and int2 is also having mac-filter enabled. ****

connect mac-A to wlan2, shouldn't join since mac-A not allowed on this wlan2

case:1

enable mac-filterting on wlan1 that is mapped to int1.

don't enable mac-filtering on wlan2 that is mapped to int1.

don't enable mac-filtering on wlan3 that is mapped to int2.

case:A macfilter -> mac-A, wlan1, int1.

test cases:-

connect mac-A to wlan1, it should join. bcoz it got right wlan1 and int1.

connect mac-A to wlan2, it should join since wlan2 doesn't have mac filter. ****

connect mac-A to wlan3, it should join since no mac-filter enabled on wlan3 though interface is int2.

All three above is correct

case:B macfilter -> mac-A, wlan1, int2.

test cases:-

connect mac-A to wlan1, it should join since int2 used by wlan doesn't have mac-filtering enabled ****

connect mac-A to wlan2, it should join since no mac filter enabled on wlan2.

Both above is correct

case:2

enable mac-filtering on wlan1 that is mapped to int1.

enable mac-filtering on wlan2 that is mapped to int1.

enable mac-filtering on wlan3 that is mapped to int2.

case:A macfilter -> mac-A, wlan1, int1.

test cases:-

connect mac-A to wlan1, it should join.

connect mac-A to wlan2, shouldn't join since mac-A not allowed on this wlan2

connect mac-A to wlan3, shouldn't join since mac-A not allowed on this wlan3

All three above is correct

case:B macfilter -> mac-A, wlan1, int2.

test cases:-

connect mac-A to wlan1, it shouldn't join since int is different and int2 is also having mac-filter enabled. ****

connect mac-A to wlan2, shouldn't join since mac-A not allowed on this wlan2

Both of these are correct

What I did was I created 4 WLAN's mapped to the following vlans

wlan1>201 ----mac filter enabled

wlan2>202 ----mac filter disabled

wlan3>203 ----mac filter enabled

wlan4>201 ----mac filter enabled

If I assigned a device that was allowed on wlan1 and vlan 201, the device was only able to connect to wlan1 and wlan2.

Now if i set the Any WLAN, the device was able to connect to all 4 ssid's even though I still had vlan 201 defined.

Now if I set the mac filter to allow on wlan1 and set the interface to any, I was only able to connect to wlan1 and wlan2.

So it seems like the Profile Name is mandatory and takes precedence of the Interface name.  So making sure you have the Profile Name configured is important.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

Thanks Scott, Much appreciated!!!

No problem. It was about time I lab'd it out anyways:)

Sent from Cisco Technical Support iPhone App

Go WLANs

Select SSID

e.g (SSID u Select is ABC)

Select Tab SECURITY

Layer 2 Security Select NONE

Mark MAC FILTERING

Select Tab

LAYER 3

Select layer 3 Security NONE

For Adding MAC

Go to SECURIT

Select MAC Filtering

On The Top Right Cornder Click NEW

IN MAC Address Enter Mac As aa:bb:cc:dd:ee:ff:gg

IN Profile Name Select SSID ABC

IN Description Enter any Name ABCMAC (Not Necessary)

IN IP Address Enter IP 192.168.1.1 (Not Necessary)

Interfae Name (Manager Interface)