12-20-2022 06:19 AM
Hello! I have configured MAC filtering on one of the WLANs on the WLC. Everything was OK. But today I noticed that the MAC filtering doesn't work. Devices can join the network with a password. Their MAC addresses aren't on the local access list. Please help me to fix this. Thank you!
12-20-2022 06:30 AM
For MAC filter with L3 auth, it does not check the MAC in the list; it only detects the MAC and then uses it for mapping the IP-User.
12-20-2022 06:33 AM
But here it says that it's checking, and it checked when I configured it. It just stopped doing that.
12-20-2022 06:35 AM
Does this VLAN auth by L2 or L3?
12-20-2022 06:54 AM
L2, [WPA2][Auth(PSK)] and MAC Filtering
12-20-2022 07:37 AM
To help everyone else, what controller model and firmware are running? With PSK, I know that using a RADIUS server works well because you can define a group of MAC addresses that can or can't join an SSID per a policy. I have used Cisco ISE with the 9800s as an example to get the MAC addresses of devices connecting to PSK and our Guest network just so we have some visibility.
12-20-2022 07:47 AM
Model AIR-CT3504-K9. software version 8.8.130.0
12-20-2022 07:41 AM - edited 12-20-2022 07:42 AM
I will double check.
12-20-2022 07:49 AM
Thank you!
12-20-2022 07:47 AM
@Orkhan Hajizada Below is the config you need to configure MAC whitelisting for an SSID:
aaa authorization network <NAME-OF-LIST> local
aaa attribute list <NAME-OF-LIST>
 attribute type ssid "<YOUR-SSID-HERE>"
!
wlan <YOUR-WLAN-PROFILE-HERE> 101 <YOUR-SSID-HERE>
 shutdown
 mac-filtering <NAME-OF-LIST>
 security wpa psk set-key ascii 0 <YOUR-PSK-HERE>
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
!
username <allowed_device_mac_w/o_punctuation> mac aaa attribute list <NAME-OF-LIST> description <OPTIONAL-DESCRIPTION-HERE>
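An added helper, not part of the original post and not Cisco's code, that turns a device inventory in mixed MAC notations into the punctuation-free `username ... mac aaa attribute list` lines the config above expects, and flags entries that will not behave as a stable allow-list key. The inventory values and function names are constructed for illustration, and emitting the MAC in lowercase is an assumption.

```python
import re

# Constructed sample inventory (not from the thread): mixed vendor notations.
SAMPLE_INVENTORY = [
    "00:1A:2B:3C:4D:5E",      # colon-separated
    "001a.2b3c.4d5e",         # Cisco dotted, duplicate of the first entry
    "A4-83-E7-12-34-56",      # hyphen-separated
    "da:a1:19:00:11:22",      # locally administered (randomized/private MAC)
    "00:1A:2B:3C:4D",         # too short, invalid
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits with no punctuation, or None if invalid."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac12):
    """True when the U/L bit (0x02 of the first octet) is set.

    Such addresses are usually per-SSID randomized ones, so a static
    allow-list entry for them stops matching when the client rotates it.
    """
    return bool(int(mac12[:2], 16) & 0x02)

def build_allowlist(inventory, list_name):
    """Return (config_lines, warnings) for the given attribute list name."""
    lines, warnings, seen = [], [], set()
    for raw in inventory:
        mac = normalize_mac(raw)
        if mac is None:
            warnings.append(f"invalid MAC skipped: {raw!r}")
            continue
        if mac in seen:
            warnings.append(f"duplicate skipped: {raw!r}")
            continue
        seen.add(mac)
        if is_locally_administered(mac):
            warnings.append(f"locally administered (likely randomized): {mac}")
        lines.append(f"username {mac} mac aaa attribute list {list_name}")
    return lines, warnings

if __name__ == "__main__":
    cfg, notes = build_allowlist(SAMPLE_INVENTORY, "<NAME-OF-LIST>")
    print("\n".join(cfg))
    print("\n".join("! " + n for n in notes))
```

Review the warnings before pasting the generated lines: a client that uses a private (randomized) address has to have that feature disabled for the SSID, or its allow-list entry will not keep matching.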
12-20-2022 07:50 AM
Thank you, but it worked before without CLI commands.
12-20-2022 07:55 AM
12-20-2022 08:01 AM
You can try, it doesn't hurt. Make sure you read the other post in this thread. Also take a look at other guides out there as there might be a slight variance on how you should configure mac filtering.
Configure MAC Filters with Wireless LAN Controllers (WLCs) - Cisco
Configure MAC filtering on WLC (GUI and CLI) – Infra admin's blog (tayam-infra.net)
Allow only few MAC addresses to connect to SSID on WLC using MAC Filtering - Cisco Community
12-20-2022 08:18 AM
I found it out, guys! Yesterday I configured ISE and connected this WLC to it. I configured RADIUS there for the guest SSID, etc. As I understand it, after this the WLC ignores its local MAC database and looks to ISE. Do you know how I can use 1 SSID with a local MAC filter at the same time as 1 SSID with ISE settings (guest portal, etc.)?
12-20-2022 08:28 AM
This makes more sense since you have ISE. You can always set up a rule that looks for your SSID, and then in your authZ policies you define which internal group of MAC addresses to use to either deny or permit. Here is something I have been using in my home environment to test with. I do use a regular expression, which you don't have to do, and I put the MAC addresses that I want to deny in the Blocked list endpoint group. You can be creative and do other things; you just need to make sure your more specific rules are on the top and the more broad rules follow.