Using both WPA2 and Mac Filtering
01-23-2013 06:57 PM - edited 07-03-2021 11:24 PM
I am curious if I can do an either/or situation with a single SSID.
If you are on the MAC filtering list then you gain access to the network, if not then enter your WPA2-ENT credentials.
I have a minimal amount of users that need MAC filtering, but do not want to give them their own SSID.
Let me know what you think, and if this is even possible.
Cisco WLC 5508 7.4 code
01-23-2013 07:39 PM
In addition to authentication, WPA also provides for an encrypted channel over the wireless link. MAC filtering is just an ACL; if you pass the filter you're in, but there's no encryption. I don't think these two are interchangeable as an either/or solution.
01-23-2013 07:54 PM
Just to add... You can do both at the same time, but it's both together, not either/or. Since you define both on an SSID, the WLC is expecting that the MAC address of the device is in the list and then the pre-shared key is valid.
01-27-2013 07:11 AM
Hi Scott,
If there is MAC filtering and WPA PSK, clients which have just the PSK configured correctly are able to connect even though they are NOT in the MAC filter list. Is this expected behaviour? I am expecting that the client should be able to join only if BOTH of the conditions are met (that is, PSK as well as MAC filtering). Which one takes precedence or is checked for first? I think it's PSK when PSK is configured.
regards
Joe
01-27-2013 07:47 AM
That's not expected behavior. Are you sure you selected MAC filter under the WLAN?
01-27-2013 08:06 AM
Nah... You have it configured wrong like George mentioned. It's both or none at all.
01-27-2013 12:28 PM
Hi,
Then it might be a bug in 7.2.110? I have a customer configured for both, and clients who have only WPA PSK configured are also able to connect to the SSID with MAC filtering + WPA PSK enabled. Clients with both WPA PSK AND MAC filtering are also able to connect.
Joe
01-27-2013 06:20 PM
Can you take a screenshot of your configuration page on this? I'll lab this tomorrow... curious. Where are you setting the MAC list, locally on the WLC or on a RADIUS server?
02-05-2013 10:00 PM
I don't have the screenshots with me. The problem is not there once they remove the WLAN and recreate it. But the only strange thing is, some clients show up in the Monitor > Clients list in the WLC even though they have only the WPA-PSK configured and are NOT in the MAC filter list. These clients don't get an IP and are not able to communicate, though. Maybe it's a minor bug, but it works as expected. Thanks.
regards
Joe
02-06-2013 07:15 AM
On 7.2.110.0 I had seen where a client can move from a PSK or other WLAN where they have "authenticated" properly to a MAC Filter WLAN and are allowed access without being in the MAC filter list. This behavior was duped to
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub00341&from=summary
It states this is related to NAC, however my original bug submission regarding moving to a MAC Filter WLAN after previously authenticating on another WLAN was duped to this.
A "workaround" is to disable Fast SSID change.
This shows fixed in 7.3(1.73) / 7.4(100.0).
I didn't test this scenario with using "both" MAC Filter and PSK, but as George/Scott have said, you "must" do both, one or the other, or neither to authenticate to the WLAN, however it's possible they have already authenticated to another WLAN and simply "moved" to this WLAN and were authenticated even if they aren't in the MAC Filter list.
It could be some variation of this behavior above.
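
Added example, not part of the thread and not code from any poster or from Cisco: a small audit that compares the clients associated to a MAC-filtered WLAN against the MAC filter list and reports any that are not on it, which is the condition described in the last few posts. The tuple layout, the sample rows, the WLAN ids and the treatment of WLAN id 0 as "any WLAN" are assumptions of this sketch; fill the inputs from your own controller export.

```python
import re

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_allow_list(filter_entries):
    """Map WLAN id -> set of allowed MACs (id 0 = any WLAN, an assumption here)."""
    allow = {}
    for mac, wlan_id in filter_entries:
        norm = normalize_mac(mac)
        if norm is None:
            raise ValueError(f"malformed MAC in filter list: {mac!r}")
        allow.setdefault(wlan_id, set()).add(norm)
    return allow

def unlisted_clients(clients, filter_entries, filtered_wlans):
    """Return (mac, wlan_id, state) for clients on a MAC-filtered WLAN
    whose MAC is not in the filter list for that WLAN."""
    allow = build_allow_list(filter_entries)
    findings = []
    for mac, wlan_id, state in clients:
        if wlan_id not in filtered_wlans:
            continue  # WLAN does not use MAC filtering, nothing to check
        norm = normalize_mac(mac)
        allowed = allow.get(wlan_id, set()) | allow.get(0, set())
        if norm is None or norm not in allowed:
            findings.append((mac, wlan_id, state))
    return findings

# Constructed sample data (documentation-range MACs, hypothetical WLAN ids).
FILTER_ENTRIES = [
    ("00:00:5E:00:53:01", 3),   # allowed on WLAN 3 only
    ("0000.5e00.5302", 0),      # allowed on any WLAN
]
CLIENTS = [
    ("00:00:5e:00:53:01", 3, "RUN"),        # listed for WLAN 3
    ("00-00-5E-00-53-02", 3, "RUN"),        # listed via the any-WLAN entry
    ("00:00:5e:00:53:03", 3, "DHCP_REQD"),  # unlisted, associated without an IP
    ("00:00:5e:00:53:04", 3, "RUN"),        # unlisted and passing traffic
    ("00:00:5e:00:53:05", 1, "RUN"),        # WLAN 1 has no MAC filtering
]

if __name__ == "__main__":
    for mac, wlan_id, state in unlisted_clients(CLIENTS, FILTER_ENTRIES, {3}):
        print(f"WLAN {wlan_id}: {mac} not in MAC filter list (state {state})")
```

An unlisted client that has reached a state where it passes traffic is the case worth investigating first; one that is listed as associated but never obtains an address matches what Joe describes above.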
