01-29-2008 09:05 PM - edited 07-03-2021 03:17 PM
I'm trying to configure WPA with MAC filtering on an 1100 series AP. I have been able to get WPA2 personal working but when I add the option to filter out MAC addresses, the test machine can no longer associate to the AP. WEP with MAC filtering works just fine. Cisco TAC said it was the version of IOS I was running so I rolled back to an older version with no luck. Below is some output from a debug. Any suggestions on how I can get this to work?
*Mar 1 02:03:09.573: AAA/BIND(00000055): Bind i/f
*Mar 1 02:03:09.573: dot11_auth_mac_start: method_list: mac_methods
*Mar 1 02:03:09.573: dot11_auth_mac_start: method_index: 0xCB000005, req: 0xC474C8
*Mar 1 02:03:09.573: dot11_auth_mac_start: client->unique_id: 0x55
*Mar 1 02:03:09.573: AAA/AUTHEN/PPP (00000055): Pick method list 'mac_methods'
*Mar 1 02:03:09.574: dot11_mac_process_reply: AAA reply for 0016.6f79.4862 PASSED
*Mar 1 02:03:09.874: %DOT11-7-AUTH_FAILED: Station 0016.6f79.4862 Authentication failed
*Mar 1 02:03:09.904: AAA/BIND(00000056): Bind i/f
*Mar 1 02:03:09.905: dot11_auth_mac_start: method_list: mac_methods
*Mar 1 02:03:09.905: dot11_auth_mac_start: method_index: 0xCB000005, req: 0xC474C8
*Mar 1 02:03:09.905: dot11_auth_mac_start: client->unique_id: 0x56
*Mar 1 02:03:09.905: AAA/AUTHEN/PPP (00000056): Pick method list 'mac_methods'
*Mar 1 02:03:09.906: dot11_mac_process_reply: AAA reply for 0016.6f79.4862 PASSED
*Mar 1 02:03:10.237: AAA/BIND(00000057): Bind i/f
*Mar 1 02:03:10.237: dot11_auth_mac_start: method_list: mac_methods
*Mar 1 02:03:10.238: dot11_auth_mac_start: method_index: 0xCB000005, req: 0xC474C8
*Mar 1 02:03:10.238: dot11_auth_mac_start: client->unique_id: 0x57
*Mar 1 02:03:10.238: AAA/AUTHEN/PPP (00000057): Pick method list 'mac_methods'
*Mar 1 02:03:10.238: dot11_mac_process_reply: AAA reply for 0016.6f79.4862 PASSED
*Mar 1 02:03:10.570: AAA/BIND(00000058): Bind i/f
*Mar 1 02:03:10.570: dot11_auth_mac_start: method_list: mac_methods
*Mar 1 02:03:10.571: dot11_auth_mac_start: method_index: 0xCB000005, req: 0xC474C8
*Mar 1 02:03:10.571: dot11_auth_mac_start: client->unique_id: 0x58
*Mar 1 02:03:10.571: AAA/AUTHEN/PPP (00000058): Pick method list 'mac_methods'
*Mar 1 02:03:10.572: dot11_mac_process_reply: AAA reply for 0016.6f79.4862 PASSED
*Mar 1 02:03:10.902: AAA/BIND(00000059): Bind i/f
*Mar 1 02:03:10.903: dot11_auth_mac_start: method_list: mac_methods
*Mar 1 02:03:10.903: dot11_auth_mac_start: method_index: 0xCB000005, req: 0xC474C8
*Mar 1 02:03:10.903: dot11_auth_mac_start: client->unique_id: 0x59
*Mar 1 02:03:10.904: AAA/AUTHEN/PPP (00000059): Pick method list 'mac_methods'
*Mar 1 02:03:10.904: dot11_mac_process_reply: AAA reply for 0016.6f79.4862 PASSE
01-30-2008 07:49 AM
It sure looks like a problem with the IOS still. It's getting an AUTHPASS message yet still reporting that the authentication failed.
To be honest, MAC filtering provides a lousy addition to security for the amount of hassle it requires to get working. I would recommend getting a good strong key from http://grc.com/passwords and dumping MAC filtering. WPA2/AES with a 24 or longer hex key will give you good link protection. Go for a full 64-character hex key if you'd like to go the extra mile.
Copy and paste is your friend. We can only hope some future version of the APs supports an SD card to make PSK installation a real breeze.
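The pattern discussed in this thread (AAA MAC reply PASSED, then %DOT11-7-AUTH_FAILED for the same station) can be pulled out of a longer debug capture with a small correlator. This is an added example, not code from either poster or from Cisco. The sample lines are constructed in the format of the debug output above, the second MAC address is made up, and the 1-second correlation window is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug output in the question
SAMPLE = """\
*Mar 1 02:03:09.574: dot11_mac_process_reply: AAA reply for 0016.6f79.4862 PASSED
*Mar 1 02:03:09.874: %DOT11-7-AUTH_FAILED: Station 0016.6f79.4862 Authentication failed
*Mar 1 02:03:09.905: dot11_auth_mac_start: client->unique_id: 0x56
*Mar 1 02:03:09.906: dot11_mac_process_reply: AAA reply for 0016.6f79.4862 PASSED
*Mar 1 02:03:10.400: %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed
"""

LINE = re.compile(r"^\*\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d\.\d+):\s+(.*)$")
MAC_OK = re.compile(r"dot11_mac_process_reply: AAA reply for ([0-9a-f.]{14}) PASSED")
AUTH_FAIL = re.compile(r"%DOT11-7-AUTH_FAILED: Station ([0-9a-f.]{14}) Authentication failed")

def parse(log):
    """Yield (seconds_since_midnight, kind, mac) for the two event types of interest."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip truncated or unrelated lines
        h, mi, s, msg = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        for kind, rx in (("mac_pass", MAC_OK), ("auth_fail", AUTH_FAIL)):
            hit = rx.search(msg)
            if hit:
                yield t, kind, hit.group(1)

def classify(log, window=1.0):
    """Per station: MAC passes, failures within `window` s of a pass, other failures."""
    stats = defaultdict(lambda: {"mac_pass": 0, "fail_after_pass": 0, "fail_no_pass": 0})
    last_pass = {}
    for t, kind, mac in parse(log):
        if kind == "mac_pass":
            stats[mac]["mac_pass"] += 1
            last_pass[mac] = t
        elif mac in last_pass and 0 <= t - last_pass[mac] <= window:
            stats[mac]["fail_after_pass"] += 1  # the MAC filter did not reject this station
        else:
            stats[mac]["fail_no_pass"] += 1
    return dict(stats)

if __name__ == "__main__":
    for mac, s in classify(SAMPLE).items():
        print(mac, s)
```

A non-zero `fail_after_pass` count means the MAC list accepted the station and the rejection came from a later step, which is the situation the debug output in the question shows.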