
Understanding WLC9800 - AAA (mac filtering for multiple WLAN access)

eeebbunee
Level 1

Hello Professionals, 

Could you please look at my configuration? I'm not sure my configuration will work the way I'm thinking.
- Purpose: Multiple WLANs have a security rule (MAC filtering), and I would like to manage MAC addresses locally. Some devices are allowed to access one SSID, and some devices are allowed to access multiple SSIDs.

Let's start with the AAA Method List. (WLAN configuration is done.)
There are Authentication / Authorization / Accounting and we can make groups for each category.
I created a group on 'Authorization'.
 - Macfiltering - Type (Network) - Group type (Local)
 

Then I moved to AAA Advanced - Attribute List Name. I created multiple groups here:
  - List: Corporate_List / Attribute Type: SSID / Value: Corporate (SSID name)
  - List: AnyWLAN / Attribute Type: SSID / Value: Corporate, Manager (SSID Name)

Then I put mac address on 'Device Authentication'.
 - Mac address-I: 002345aaeeff / Attribute List Name: Corporate_List / WLAN profile: Corporate 
 - Mac address-II: aabbcc112233 / Attribute List Name: AnyWLAN / WLAN profile: Corporate

What I want:
 - Mac address-I is able to access SSID: Corporate only
 - Mac address-II is able to access multiple WLANs (SSID: Corporate, SSID: Manager).

Did I configure correctly?
For multiple WLAN access, does it matter if I choose SSID:Manager's profile?
Why is choosing a profile important for multiple-WLAN devices?

Furthermore, why is it important to define a group in the AAA Method List? Can't we just put MAC addresses in AAA Advanced?
What are the roles of the AAA Method List and AAA Advanced?
Is there a drawing of how AAA works when a client tries to connect to an SSID with MAC filtering?


Thank you...

 

 

Accepted Solutions

So based on your configuration, it looks like you're on the right track. However, there are a few things to consider:

AAA or Authentication, Authorization, and Accounting lists are indeed used to define the sequence of methods that will be used to authenticate a user. AAA Advanced provides advanced configuration options for AAA. When you use MAC filtering, the wireless controller checks if the MAC address of the client device is allowed or denied based on the configured MAC filter list.

For multiple WLAN access, you have to ensure that the correct WLAN profiles are assigned to the MAC addresses. If you choose SSID:Manager's profile for Mac address-II: aabbcc112233, it will be able to access the SSID:Manager, given that you have configured the SSID profile and MAC filtering correctly.

Defining a group in AAA Method List gives you control over what authentication methods are used and in what order. It allows you to group various authentication methods together and apply them to different ports/users.

The role of the AAA method list is to define the sequence of authentication methods used to verify the identity of users, while AAA Advanced provides advanced configuration options for AAA. MAC filtering can be used as an additional layer of authentication in conjunction with AAA to control network access based on MAC addresses.

Based on the Cisco documentation, you need to choose a WLAN profile for multiple WLAN devices for a few reasons. It allows you to segregate devices based on their specific requirements, define different authentication methods, set specific access control policies, and configure Quality of Service (QoS) settings for each device.

Please double-check your configuration according to the outlined rules and it should work as you intended. As for a diagram showing how AAA works when a client tries to connect to an SSID with MAC filtering, I recommend checking the Cisco documentation or community forums for such resources.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
