Using MAC addresses for authentication

Nevyn Bergstrom
Level 1

How do we configure our controllers/RADIUS servers to use MAC addresses instead of authenticating against a certain group in the AD? We would, if possible, like to combine these two ways of authentication in one SSID.

We're running 7.0.116.0 on our controllers (5500-series) and our RADIUS servers are one W2k8 and one W2k3.

Accepted Solutions

Amjad Abdullah
VIP Alumni

Nevyn:

Yes, you can combine both security methods.

What you need to do is to configure the WLAN to use MAC authentication (it is only a checkbox under the Security Layer 2 tab) and also to configure the allowed MAC addresses on the RADIUS server.

Here is a doc: http://tiny.cc/2pyekw (the link sends you directly to the RADIUS config but you can read the whole doc).

In your situation, just mark the checkbox of MAC filtering on the SSID and add the allowed MACs to the RADIUS server. Keep the WPA2+802.1x config the same. This way you will use both security methods.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"


10 Replies

You don't happen to know how to do it in a Microsoft environment?

With Microsoft RADIUS it is the same. You need to add users to the RADIUS server; the username and the password both should be the MAC address.

Rating useful replies is more useful than saying "Thank you"
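
The reply above has each allowed device stored on the RADIUS server as a user whose name and password are both its MAC address, so the stored string has to match exactly what the controller sends. As an added example (not code from the thread, Cisco or Microsoft), this Python script turns a hand-kept device inventory into that account list; the style labels, the sample inventory and the choice to reject multicast and locally administered addresses are assumptions made here.

```python
import re

# Separator and group width per delimiter style (labels chosen for this example).
STYLES = {"none": ("", 12), "colon": (":", 2),
          "hyphen": ("-", 2), "single-hyphen": ("-", 6)}

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("not a 48-bit MAC address")
    if int(digits[:2], 16) & 0x01:
        raise ValueError("multicast or broadcast address")
    if int(digits[:2], 16) & 0x02:
        raise ValueError("locally administered address, not a burned-in MAC")
    return digits

def format_mac(digits, style="none"):
    sep, width = STYLES[style]
    return sep.join(digits[i:i + width] for i in range(0, 12, width))

def build_accounts(inventory, style="none"):
    """Return (accounts, rejected); user name and password are both the MAC."""
    accounts, rejected, seen = [], [], set()
    for raw, desc in inventory:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        if mac in seen:
            rejected.append((raw, "duplicate of an earlier entry"))
            continue
        seen.add(mac)
        name = format_mac(mac, style)
        accounts.append({"username": name, "password": name, "description": desc})
    return accounts, rejected

# Constructed sample inventory (not real devices).
SAMPLE = [
    ("00:1A:2B:3C:4D:5E", "infusion pump"),
    ("001a.2b3c.4d5e", "same pump, dotted notation"),
    ("00-1A-2B-3C-4D-5F", "patient monitor"),
    ("02:00:00:00:00:01", "unknown tablet"),
    ("00:1A:2B:3C:4D", "typo in spreadsheet"),
]
if __name__ == "__main__":
    ok, bad = build_accounts(SAMPLE, "none")
    print(ok, bad, sep="\n")
```

Choose the style that matches the format your controller puts in the RADIUS user name, and review the rejected list by hand before any account is created.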

Nevyn,

How many devices are you doing MAC filters for? I'm just curious.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

As a start, about 20, but unfortunately it is probably going to grow as we deploy .1x on the wired network as well as the wireless. In the end? Who knows... Maybe 50, maybe 100, maybe more...

Here is my opinion... There is no need to deploy MAC authentication if you're going to do 802.1x. I never tell my customers to do this and if they do think they need it, well, in the end they don't. MAC authentication isn't a security method in my book and it's a management nightmare.

-Scott
*** Please rate helpful posts ***

Unfortunately we've got a bunch of devices where it's not possible to use 802.1x. I'm working at a hospital and there is medical equipment which needs to be connected to the network but where it isn't an alternative to use our regular type of authentication. When we start deploying 802.1x on the wired network we won't have the alternative (as we do today) of saying that if a device can't handle 802.1x, WPA2 and 5GHz we won't let it onto our network. We need to find a solution...

That doesn't really solve a security solution. In many of my hospital installations, there are more than 100+ devices that don't support 802.1x. So if you have to settle with PSK or even WEP on some devices, these can't be referenced by RADIUS, so now you have to enter the MAC address in each WLC you have. If that's what you need to do to satisfy a requirement then that is what you will have to do. The main issue is that PSK, WEP and MAC authentication don't pass audits if you ever have to get a network audit. Just giving my opinion from my experience.

-Scott
*** Please rate helpful posts ***

I work for a large hsp system as well. PSK will pass some audits, it all depends how you manage the key. For example, we use Wavelink to push keys to our Cisco phones; no one knows the key, only me, the phones and the WLC.

I would get away from MAC before it gets too big.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin


On wireless we might manage to avoid MAC authentication altogether. The possible exception is about 20 devices which can handle our network as it is today but where all the default policies on our domain cause a lot of extra work.

On the wired network we haven't got any protection whatsoever today. We have now started the process of separating out critical equipment, and try telling a CT scanner (I work at a hospital) that it's got to use certificates ;-) The plan for all regular computers is to use the same (though slightly modified) policy as we're using for wireless today, but that leaves all the "weird" medical devices which don't have antivirus, can't handle certificates and generally don't do security... In the end the medical equipment will end up on one set of VLANs and the regular computers on another, with a firewall regulating access.

Since we're starting with the wireless I asked here :-)
