01-28-2021 06:50 PM - edited 07-05-2021 01:07 PM
Hi, I am having a problem connecting my mobile devices (iPad, phone, and tablet) to MAC-filtered wireless networks. It keeps showing an "unable to join" error on the phone. However, it connects fine on laptops after adding the MAC address.
The issue is only with the MAC-filtered SSIDs.
Any help would be greatly appreciated. Thank You!!
01-28-2021 07:25 PM
Are you adding the MAC address manually in the WLC?
01-28-2021 07:57 PM
Yes.
01-28-2021 09:20 PM - edited 01-28-2021 09:21 PM
Use the command debug client <MACADDRESS> on the WLC's command line. This will enable 8 different debugs that show the most important details on client association and authentication but filter the output to only the specified MAC address of the phone. Can you please run this debug, attempt to connect with one of the trouble devices, and then post the output? There may be quite a lot so saving it to a text file and then uploading the file in your reply would likely be preferable.
01-28-2021 10:11 PM
Hi Tyson, thanks for your reply.
Here is the output of the command:
(Cisco Controller) >debug client XX:xx:xx:xx:xx:xx
(Cisco Controller) >*Dot1x_NW_MsgTask_7: Jan 29 11:37:33.941: PemLocationConfigured [1]Adding VSA with NAS update and Role[1] with state[0]
*apfReceiveTask: Jan 29 11:49:07.685: Successful update of client idle timeout state. Payload size =8 clientIdleTimeout = 1
01-29-2021 12:34 PM
Are you using this MAC filter for the guest WLAN?
01-29-2021 12:09 PM
Double-check the MAC address and see if randomized MAC address is enabled on these devices. You would have to add the private MAC address to the filter along with the base radio MAC address in case they disable that feature.
02-01-2021 04:02 AM
Adding to what Scott said - the fact that you're only seeing this with Apple devices suggests you may have missed the news about Apple implementing Private MAC addresses. There's a neat summary on the Meraki site but same applies to all wireless networks:
https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_and_iOS_14_MAC_Address_Randomization
Key point: "This MAC address is different from the device MAC address, is SSID specific, and will remain the same for a given SSID."
*BUT* warning which likely applies for next major iOS release in 2021: "Apple has, however, stated the possibility of implementing rotation of MAC addresses within a single SSID in the future."
So in future the device MAC address could change every day. You must plan to use a different method of authentication like 802.1x (passpoint) - not MAC address (which was never secure anyway because it is very easy to spoof MAC addresses).
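An added example, not part of any post in this thread: a Python check for whether addresses in a MAC filter list, or addresses seen from clients, are private (randomized) addresses, using the locally administered bit of the first octet. The function names and sample addresses are constructed for illustration.

```python
import re

def normalize_mac(text):
    """Accept aa:bb:.., AA-BB-.. or Cisco aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_private_mac(mac):
    """Unicast address with the locally administered bit (0x02) set in octet 1.
    Private (randomized) Wi-Fi addresses have this form; burned-in ones do not."""
    first = int(normalize_mac(mac)[:2], 16)
    return bool(first & 0x02) and not first & 0x01

def audit(filter_entries, seen_clients):
    """Compare the MAC filter list with the addresses clients presented."""
    allowed = {normalize_mac(m) for m in filter_entries}
    report = {
        "private_in_filter": sorted(m for m in allowed if is_private_mac(m)),
        "rejected_private": [],
        "rejected_hardware": [],
    }
    for raw in seen_clients:
        mac = normalize_mac(raw)
        if mac not in allowed:
            key = "rejected_private" if is_private_mac(mac) else "rejected_hardware"
            report[key].append(mac)
    return report

# Constructed sample data, not taken from the thread.
FILTER = ["00:11:22:33:44:55", "0011.2233.4466", "F2-AA-BB-CC-DD-EE"]
SEEN = ["a6:5e:60:12:34:56", "00:11:22:33:44:55", "00-11-22-33-44-77"]

if __name__ == "__main__":
    for category, macs in audit(FILTER, SEEN).items():
        print(f"{category}: {', '.join(macs) or '-'}")
```

A `rejected_private` entry is a device presenting a private address that is not in the filter; since that address is SSID specific, it has to be read from the device for each filtered SSID.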
02-01-2021 06:36 AM
Is your WLC code 8.3?