MAC Filtering Issue on EWC 17.12.4 – Devices Accessing Multiple SSIDs

Hi everyone,

I'm currently facing an issue with the Embedded Wireless Controller (EWC) running on Catalyst 9115AX Access Points.

We're using MAC filtering across all WLANs (SSIDs) to control access to the wireless network. Each device’s MAC address (laptop, smartphone, TV, etc.) is registered on the EWC and associated with a specific Attribute List created for each WLAN. MAC filtering is enabled on each WLAN and linked to an Authorization List.
In other words, each device should be restricted to accessing only one SSID.

[Screenshots attached to the post: MAC Filtering-1, MAC Filtering-2, Device_Associated_Attribute_List, WLAN_config_MAC_Filtering, Device_Connected_SSID_STAR_MOBILE, Same_device_Connected_Other_SSID, WLAN_STAR_PROD_config_MAC_Filtering]

However, we’ve noticed that devices are able to connect to multiple SSIDs, even when they’re supposed to be authorized for just one.

This setup used to work as expected in previous software versions, but the issue started showing up after we upgraded the EWC to version 17.12.4.

Has anyone come across something similar? It seems to be tied to version 17.12.4, although I haven’t found any official bug reports on this, even though it does behave like a bug.

EWC Version: 17.12.4

Thanks in advance!


4 Replies

marce1000
Hall of Fame

- You could try to track the client(s) using: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800APJoin
  The results from RadioActive Tracing can be processed with Wireless Debug Analyzer
  (try to find out why the client can connect to a not-allowed SSID).

- Always have an overall checkup of the EWC (or 9800) controller configuration using the CLI command show tech wireless and feed the output from that into Wireless Config Analyzer.

M.

-- Each morning when I wake up and look into the mirror I always say "Why am I so brilliant?"
   When the mirror will then always respond to me with "The only thing that exceeds your brilliance is your beauty!"

Saikat Nandy
Cisco Employee

Could you please verify if AAA override is enabled across all the policy profiles? Also, what is the config of your different attribute lists? I see that you are using both an attribute list and a WLAN profile name.

Instead of using both, can you just test with attribute list config -- the config should include 'Attribute Type' as '' and 'Attribute Value' should include the name of the WLAN profile.

Try this in a test SSID and see how the behaviour is. But please ensure that AAA override is enabled across all Policy Profiles.

Rich R
VIP

It's not an exact match for what you're seeing but have you looked at https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb20613 ?

There is a very old bug CSCvo72157 which matches what you're seeing but that was opened on the old, long since abandoned, Converged Access IOS-XE.  What's interesting is that that bug has been updated recently suggesting that TAC have recently added a new case to it...

If the CSCwb20613 notes don't help then you'll probably need a TAC case.

Hi everyone,

I’d like to thank all of you who contributed and helped me with this issue.

After reviewing the Policy Profiles, I noticed that the "AAA Override" option was disabled. Once we enabled it and ran some tests, the user was correctly restricted to connecting to only one SSID.

Many thanks to @Saikat Nandy  for the comment and the helpful tip.

Appreciate everyone’s support!
