Mac filtering on WLC

Orkhan Hajizada
Level 1

Hello! I have configured MAC filtering on one of the WLANs on the WLC. Everything was OK. But today I noticed that the MAC filtering doesn't work. Devices can join the network with a password. Their MAC addresses aren't on the local access list. Please help me to fix this. Thank you!

16 Replies

For MAC filter with L3 auth, it does not check the MAC in the list; it only detects the MAC and then uses it for mapping the IP to the user.

Orkhan Hajizada
Level 1

But here it says that it's checking, and it checked when I configured it. It just stopped doing that.

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

Is this VLAN auth by L2 or L3?

Orkhan Hajizada
Level 1

L2, [WPA2][Auth(PSK)] and MAC Filtering

To help everyone else, what controller model and firmware are running? With PSK, I know that using a RADIUS server works well because you can define a group of MAC addresses that can or can't join an SSID per policy. I have used Cisco ISE with the 9800s as an example to get the MAC addresses of devices connecting to PSK and our guest network, just so we have some visibility.

-Scott
*** Please rate helpful posts ***

Model AIR-CT3504-K9, software version 8.8.130.0.

I will double-check.

Thank you!

JPavonM
VIP

@Orkhan Hajizada Below is the config you need to configure MAC whitelisting for an SSID:

! AAA: local authorization, with an attribute list that ties the MAC entries to one SSID
aaa authorization network <NAME-OF-LIST> local
aaa attribute list <NAME-OF-LIST>
 attribute type ssid "<YOUR-SSID-HERE>"
!
! WLAN: WPA2-PSK plus MAC filtering against the list above
wlan <YOUR-WLAN-PROFILE-HERE> 101 <YOUR-SSID-HERE>
 shutdown
 mac-filtering <NAME-OF-LIST>
 security wpa psk set-key ascii 0 <YOUR-PSK-HERE>
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
!
! One username per allowed device; the MAC is written as 12 hex digits with no punctuation
username <allowed_device_mac_w/o_punctuation> mac aaa attribute list <NAME-OF-LIST> description <OPTIONAL-DESCRIPTION-HERE>
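A small helper for preparing the allowlist itself, added here as an example and not taken from the thread or from Cisco. The 9800 config above wants each MAC as bare hex with no punctuation, while an AireOS controller such as the OP's 3504 shows MACs colon-separated; people typing entries in mix both, plus hyphens and Cisco dotted notation. This script normalizes whatever notation was typed, collapses duplicates, flags locally administered (i.e. randomized) addresses that will stop matching once the phone re-randomizes, and emits the 9800 `username ... mac aaa attribute list` lines and the AireOS `config macfilter add <MAC> <WLAN id>` lines. The list name, WLAN id and device entries are constructed sample values; the AireOS command is quoted from memory of the AireOS CLI with its optional interface/description arguments left off, so check their order on your release.

```python
"""Prepare a WLC MAC-filter allowlist from MACs as people actually type them.

Added example, not from the thread or from Cisco. Emits Catalyst 9800
'username ... mac aaa attribute list' lines (bare hex, as the 9800 requires)
and AireOS 'config macfilter add <MAC> <WLAN id>' lines (assumed syntax).
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """12 lower-case hex digits, accepting aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
    aabb.ccdd.eeff or bare aabbccddeeff; anything else raises ValueError."""
    digits = re.sub(r"[\s:\-.]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {raw!r}")
    return digits


def is_locally_administered(mac12: str) -> bool:
    """U/L bit (0x02) of the first octet set. Phones that randomize their Wi-Fi
    MAC per SSID set this bit, so such an entry stops matching as soon as the
    device re-randomizes; warn rather than silently allowlist it."""
    return bool(int(mac12[:2], 16) & 0x02)


def colon_format(mac12: str) -> str:
    """aa:bb:cc:dd:ee:ff, the notation AireOS shows and accepts."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2))


def build_allowlist(entries) -> tuple:
    """entries: iterable of (mac_as_typed, description).
    Returns (devices, warnings): devices maps bare-hex MAC -> description with
    duplicates collapsed (first description wins); warnings lists suspicious entries."""
    devices, warnings = {}, []
    for raw, desc in entries:
        mac = normalize_mac(raw)
        if is_locally_administered(mac):
            warnings.append(f"{raw}: locally administered (randomized?) MAC, will not match reliably")
        if mac in devices:
            warnings.append(f"{raw}: duplicate of {devices[mac]!r}, skipped")
            continue
        devices[mac] = desc
    return devices, warnings


def ios_xe_lines(devices: dict, attr_list: str) -> list:
    """Catalyst 9800 local MAC filter: one 'username' per device, MAC without punctuation.
    Keep descriptions to a single token so each line parses as one command."""
    return [f"username {mac} mac aaa attribute list {attr_list} description {desc}"
            for mac, desc in devices.items()]


def aireos_lines(devices: dict, wlan_id: int) -> list:
    """AireOS local MAC filter (assumed syntax): 'config macfilter add <MAC> <WLAN id>'.
    Optional interface/description arguments are omitted."""
    return [f"config macfilter add {colon_format(mac)} {wlan_id}" for mac in devices]


# Constructed sample input: the same printer twice in two notations, one Cisco-dotted
# entry, and one address with the U/L bit set (what a randomizing phone presents).
SAMPLE_DEVICES = [
    ("00:11:22:33:44:55", "Printer-1"),
    ("00-11-22-33-44-55", "Printer-1-again"),
    ("0011.2233.4466", "Badge-Reader"),
    ("DA:A1:19:00:00:01", "Visitor-Phone"),
]

if __name__ == "__main__":
    devices, warnings = build_allowlist(SAMPLE_DEVICES)
    for line in ios_xe_lines(devices, "MACLIST") + aireos_lines(devices, 101):
        print(line)
    for w in warnings:
        print("WARNING:", w)
```

Run it as-is to see the sample output; in practice feed `build_allowlist` the rows of your inventory export and paste the generated lines into the controller. The randomized-MAC warning is the check that matters most: a MAC filter built from what a phone showed once is the classic reason "it worked when I configured it and then stopped".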

Thank you, but it worked before without CLI commands.

Orkhan Hajizada
Level 1
I found out that the latest software is from 12-Dec-2022.
Should I make an upgrade? 8.8.130.0 -> 8.10.183.0

You can try; it doesn't hurt. Make sure you read the other post in this thread. Also take a look at other guides out there, as there might be a slight variance in how you should configure MAC filtering.

Configure MAC Filters with Wireless LAN Controllers (WLCs) - Cisco

Configure MAC filtering on WLC (GUI and CLI) – Infra admin's blog (tayam-infra.net)

Allow only few MAC addresses to connect to SSID on WLC using MAC Filtering - Cisco Community

-Scott

Orkhan Hajizada
Level 1

I found it out, guys! Yesterday I configured ISE and connected this WLC to it. I configured RADIUS there for the guest SSID etc. As I understand, after this the WLC ignores its local MAC database and looks to ISE. Do you know how I can use one SSID with the local MAC filter at the same time as one SSID with ISE settings (guest portal etc.)?

This makes more sense since you have ISE. You can always set up a rule that looks for your SSID, and then in your authZ policies you define which internal group with MAC addresses to use to either deny or permit. Here is something I have been using in my home environment to test with. I do use a regular expression, which you don't have to do, and I put the MAC addresses I want to deny in the Blocked List endpoint group. You can be creative and do other things; you just need to make sure your more specific rules are on top and the broader rules follow.

[screenshot: ISE authorization policy example]

-Scott
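Why the controller "ignores its local MAC database" once RADIUS is in play, shown as an added example (not code from the thread, from Cisco, or from ISE): with RADIUS servers configured for MAC filtering, the WLC turns each association into a RADIUS Access-Request whose User-Name is the client MAC and, for MAC authentication bypass, whose User-Password is the MAC as well; the server's Access-Accept or Access-Reject is the filtering decision, and the local list is never consulted. The snippet builds that request byte for byte per RFC 2865, has a toy server check the MAC against an allowlist, and has the NAS side verify the Response Authenticator before trusting the verdict. The shared secret, NAS identifier, allowlist and the MAC formatting (lower-case, no delimiter in User-Name, hyphens in Calling-Station-Id; the WLC's delimiter is configurable) are assumptions here.

```python
"""RADIUS MAC-authentication exchange in miniature (added example, not from the
thread, Cisco or ISE). Packet layout and User-Password hiding follow RFC 2865;
secret, NAS identifier, allowlist and MAC formatting are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, SERVICE_TYPE, CALLING_STATION_ID, NAS_IDENTIFIER = 1, 2, 6, 31, 32
SERVICE_TYPE_CALL_CHECK = 10  # Service-Type value NAS devices use for MAC auth bypass


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding: 16-byte blocks XORed with a chained
    MD5(secret + previous block) stream. Legacy construction, shown as specified."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_password(cipher: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encrypt_password; MAB passwords are ASCII, so stripping zero padding is safe."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(x ^ y for x, y in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_mab_request(mac12: str, secret: bytes, ident: int, nas_id: bytes, authenticator: bytes = None) -> tuple:
    """The Access-Request a controller sends for a MAC-filtered client.
    Returns (packet, request_authenticator); the authenticator is kept to check the reply."""
    if authenticator is None:
        authenticator = os.urandom(16)
    dashed = "-".join(mac12[i:i + 2] for i in range(0, 12, 2))  # assumed Calling-Station-Id format
    attrs = (_attr(USER_NAME, mac12.encode())
             + _attr(USER_PASSWORD, encrypt_password(mac12.encode(), secret, authenticator))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_CALL_CHECK))
             + _attr(CALLING_STATION_ID, dashed.encode())
             + _attr(NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attrs(payload: bytes) -> dict:
    """Walk the attribute TLVs; reject truncated or zero-length entries."""
    attrs, i = {}, 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs[atype] = payload[i + 2:i + alen]
        i += alen
    return attrs


def radius_server(request: bytes, secret: bytes, allowlist: set) -> bytes:
    """Toy RADIUS server: Access-Accept only if the User-Password decrypts to the
    User-Name (so the shared secret matched) and the MAC is allowlisted.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    mac = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    verdict = ACCESS_ACCEPT if password == mac.encode() and mac in allowlist else ACCESS_REJECT
    header = struct.pack("!BBH", verdict, ident, 20)  # no reply attributes
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """Controller side: a reply whose Response Authenticator does not verify (wrong
    secret or forged) must be dropped, not treated as an Access-Reject."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def mac_filter_decision(mac12: str, secret: bytes, allowlist: set, nas_id: bytes = b"WLC-3504") -> str:
    """Full round trip: 'accept', 'reject', or 'drop' for an unverifiable reply."""
    request, req_auth = build_mab_request(mac12, secret, ident=7, nas_id=nas_id)
    response = radius_server(request, secret, allowlist)
    if not nas_verify_response(response, req_auth, secret):
        return "drop"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"
```

The practical consequence for the thread: once a WLAN points MAC filtering at ISE, the allowlist that matters is the one ISE evaluates (the endpoint groups and authorization rules above), so a per-SSID local list and a per-SSID ISE-backed list coexist only if each WLAN's MAC-filtering AAA setting names a different source. The `nas_verify_response` step is also why a mistyped shared secret shows up as clients timing out rather than being rejected.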