WLC Flexconnect with AAA and MAC authentication

Hi,
I have a Cisco WLC running version 7.4.121, and I have remote-site access points to be connected to this controller; the remote access points will have a different VLAN on the remote side itself.
My question is: I have RADIUS authentication for the clients connecting from all the access points, and MAC filtering also.
My RADIUS server is placed in the HQ where we have the WLC. Which method of FlexConnect switching will give me both the AAA and MAC filter options working?
One more question:
is it possible to give each AP separate MAC filters on the WLC?
Thanks
cyril

If you are planning on doing machine authentication, i.e. authentication of the machine with username and password by the AAA server, then this is possible with FlexConnect local switching enabled, provided you have your AAA server accessible via the local VLAN at the remote site.
In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
Actually the best option for you is that you either deploy a local site AAA server and do both the authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
Hope this clears your doubts!!!
Note: Please do not forget to rate and accept as solution in case the post is valid.

Similar Messages

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also add the filter mac address and then next to Open Authentication I selected "with mac authentication" but I can not connect. The list of mac is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid Svez
    antenna gain 0
    station-role root
    world-mode legacy
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • IAS and MAC authentication

    Hi, I'm having some trouble authenticating the users with EAP and MAC authentication. I'm using an IAS server and the EAP authentication is working well, but when I configure MAC and EAP authentication, the clients don't connect.
    Any idea how I can solve this problem?
    Thanks

    I think MAC authentication is not supported in IAS; you can do MAC address filtering on the AP.

  • WPA2 and mac authentication

    I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication. But I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dry, but how can I configure the AP to look to the ACS server for its MAC list? And, how can I get WPA-PSK and MAC authentication to work together?

    Hi Jared,
    you can do this by setup the following:
    Webinterface:
    1. Securtiy -> Server Manager
    Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
    2. Securtiy -> Advanced Securtiy
    In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
    IOS Interface from config mode:
    aaa group server radius rad_mac
    server 10.20.40.37 auth-port 1645 acct-port 1646
    and
    aaa authentication login mac_methods group rad_mac
    or
    aaa authentication login mac_methods group rad_mac local (for local fallback)
    I have not tested this, cause the MAC of the supplicants is to easy to sniff and any medium skilled person may used a sniffed MAC to enter the first authentication stage!
    Better use a setup with EAP-FAST or PEAP!
    I hope that helps.
    Best regards,
    Frank
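
An added example, not code from either poster: a small Python audit over an autonomous-AP configuration of the kind quoted in the Aironet 1040 post above, checking the points that config and this reply raise (where the MAC method list points, whether its RADIUS group has a server line, and whether MAC filtering is backed by WPA with an actual credential). The sample config, the placeholder MAC and password strings, and the finding codes are constructed for illustration.

```python
import re

# Constructed sample in the style of the AP config quoted on this page (placeholder values).
SAMPLE = """\
aaa group server radius rad_mac
aaa authentication login mac_methods group rad_mac local
dot11 ssid Svez
   authentication open mac-address mac_methods
   authentication key-management wpa version 2
username 001122334455 password 7 PLACEHOLDER
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid Svez
ip http server
no ip http secure-server
"""

def audit(config):
    """Return (code, message) findings for an IOS-style AP configuration."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    groups, methods, ssids, out = {}, {}, {}, []
    grp = ssid = None
    for l in lines:
        if m := re.match(r"aaa group server radius (\S+)", l):
            grp = m[1]
            groups[grp] = 0                      # server lines seen so far
        elif grp and l.startswith("server "):
            groups[grp] += 1
        elif m := re.match(r"aaa authentication login (\S+) (.+)", l):
            methods[m[1]] = m[2].split()         # e.g. ['group', 'rad_mac', 'local']
        elif m := re.match(r"dot11 ssid (\S+)", l):
            ssid = m[1]
            ssids[ssid] = {"mac": None, "wpa": False, "cred": False}
        elif ssid and l.startswith(("authentication ", "wpa-psk ")):
            s = ssids[ssid]
            if m := re.search(r"open mac-address (\S+)", l):
                s["mac"] = m[1]
            s["wpa"] |= "key-management wpa" in l
            s["cred"] |= l.startswith("wpa-psk ") or bool(re.search(r"\beap\b", l))
    for name, s in ssids.items():
        if not s["mac"]:
            continue
        srcs = methods.get(s["mac"])
        if srcs is None:
            out.append(("MAC_LIST_UNDEFINED", f"{name}: method list {s['mac']} is not defined"))
        else:
            for g in (srcs[i + 1] for i, t in enumerate(srcs[:-1]) if t == "group"):
                if not groups.get(g):
                    out.append(("RADIUS_GROUP_EMPTY", f"{name}: group {g} has no server line"))
        if not s["wpa"]:
            out.append(("MAC_ONLY", f"{name}: MAC filter is the only control; MACs are sniffable"))
        elif not s["cred"]:
            out.append(("WPA_NO_CREDENTIAL", f"{name}: WPA key management without wpa-psk or EAP"))
    text = "\n".join(lines)
    if re.search(r"^encryption mode ciphers (?!.*aes-ccm).*tkip", text, re.M):
        out.append(("TKIP_ONLY", "radio cipher is TKIP only; WPA2 uses AES-CCMP (aes-ccm)"))
    if n := len(re.findall(r"\bpassword 7 \S+", text)):
        out.append(("TYPE7_PASSWORDS", f"type 7 password entries: {n} (reversible; keep the config private)"))
    if re.search(r"^ip http server$", text, re.M) and not re.search(r"^ip http secure-server$", text, re.M):
        out.append(("HTTP_MGMT_CLEARTEXT", "web management runs over plain HTTP"))
    return out

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
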

  • Recommendations for Semi-Pro or Pro HD Video camera to use with fcp and Mac

    Recommendations for Semi-Pro or Pro HD Video camera to use with fcpX and Mac with auto settings and ability to override, need to add external mic or 2.  Am one person crew so needs to be easy to use.

    And check out the Panasonic AG-AC90.  Very good specs for a prosumer unit. Everything in the semi-pro area will involve trade offs for sure. Key thing is to study up enough to know what your needs are vs what trade off are involved in the various models. The ag-ac90 trade off (one of them) is diffraction limited sharpness.

  • Lenovo Wireless Headset W770 compatibility with Linux and Mac

    Hi,  
    Can someone provide me information on Lenovo Wireless Headset W770 compatibility with Linux and Mac distributions.  On the product overview page under Software Requirements, only Windows is mentioned.  http://support.lenovo.com/en_US/downloads/detail.page?submit=true&componentID=1343112653906&DocID=PD...
    Please let me know if the headset can work with other distributions as well. 
    Thanks & Regards,
    Keya

    I just received W770 and tried it on a PC and it worked. But when I plug the USB receiver in a macbook air (2011 MAC OS 10.6.8), it didn't work. The message I got is that MAC can't recognize the "keyboard" and asked me to press the shift button on the unrecognized keyboard- which I guess meant that the MAC treated the USB dongle as if it were a wireless keyboard of some sort. Anyway, would appreciate it if you could let me know how to make it work on MAC. The previous statement saying that it would work on any Lenovo machine regardless of OS is kinda of unclear - do you mean that it would also work on lenovo running MAC OS (is there any Lenovo running Mac OS?). Thanks.

  • Wireless Guest and mac authentication

    Hi all,
    I want to setup a wifi guest network with mac based authentication.
    I already have the guest anchor controller and the remote wlc controller (and the mobility tunnel) up and running.
    However, I am uncertain where I have to program the MAC addresses: on the remote WLC or on the guest controller? (for local database MAC)
    It seems my authentication only works if I program the MAC address on the 'remote' WLC (the WLC holding the AP).
    This is a pity, as I was hoping to centralise all "approved" MAC addresses on the guest controller and not on each individual WLC separately.
    Also, suppose I want a RADIUS server to validate the MAC address. Which controller is going to send the RADIUS request? The WLC controller
    managing the AP or the guest anchor controller?
    Does the remote WLC also need to be configured with "Layer2 security: none"+"mac authentication" (the same as the anchor controller) or can I put "Layer2:none" and put the anchor controller on "Layer2: none"+mac authentication?
    regards,
    Geert

    Hi Geert,
    The rule is straightforward : layer 2 is handled by foreign WLC (one holding the AP) and layer 3 handled by the anchor (the guest).
    This means the anchor WLC handles the dhcp/ip address, it handles the web authentication etc ...
    But only the foreign WLC knows which AP the client is associated to, it's the only one to have layer 2 information so that's the one doing layer 2 authentication (wpa psk or mac filtering).
    The way to "centralize" for you would be to have the mac addresses on a radius server or to push the mac addresses on the controllers via WCS.
    Hope this clarifies,
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • AP350 with LEAP and MAC-Auth

    Hi,
    is there any solution for this?
    I'd like to do LEAP and MAC-Auth with Microsoft IAS-Server instead of Cisco ACS.
    With ACS everything works fine but i have to buy the licences. For IAS i already have them but always 'EAP authentication method is unrecognized'.
    The clients all use W2K Prof.- no XP anywhere, so i can't go to EAP-TLS.
    thanks in advance
    Thomas / Networking admin

    Sorry, but LEAP is today only available on :
    Cisco Secure ACS
    Cisco Access Registrar
    Funk Software Radius
    Interlink Radius

  • Nexus 7000 aaa and local authentication

    Hello,
    I tried to configure aaa (with radius) and local user authentication on a Nexus 7004 (Version 6.2(6a)), but did not get it to work.
    Radius authentication is working fine(!), but I can't Login with a local created user (role vdc-Operator).
    Any help is highly appreciated.
    Kind regards,
    Andreas

    Hi,
    yes, I know that the fallback will jump in when no radius-Server responds, but I need the behaviour like the 6500'er (or 4500) act.(btw. local login works if radius is disabled, or local is the default, but if local is the default, radius Login no longer works) - Only one of the method at a time works.
    On the 6500 I configured aaa with Windows NPS-Server and a local user (e.g. for the Cisco-LMS). This works fine. Even if the radius server is available, i can log into the device (via ssh) with the locally defined user-account.
    What I miss is a kind of the command:
    "aaa authentication login default local group radius"
    "aaa authentication enable default enable"
    (which works on the WS-C6509 or  WS-C4500X).
    Is there any chance to get this work on the Nexus7000?
    Kind regards,
    Andreas

  • Want to use a Lacie External Hard Disk with Windows and Mac? Can I?...

    Hi, I've just purchased a Lacie Extreme D2 external hard disk, I'm looking to use it to move film clips from my Mac G5 to my Sony Vaio laptop. I'll connect the Mac using Firewire 1 and the PC using USB 1.
    I understand there is an issue with setting the compatibility of the hard disk to either Mac or Windows format but I'm wondering if I can set it to both, so it's possible to transfer these files? The hard disk is Windows and Mac compatible but does it have to be partitioned a certain way?
    Any help is much appreciated.
    Thanks,
    Alex

    Format the drive as FAT or use the Mac format (HFS Extended) and install MacDrive on the PC.

  • IPod formatting with windows and mac

    alright fellas,
    I have a problem! I recently got a Mac and I already had a nano, not the ones with the video; the long thin one, with photos (I think it's a 3rd generation).
    So I do a lot of transferring files between a Windows computer and Mac; my main computer is a Mac but everywhere else I use PCs. I have got the problem that I want to be able to sync my iPod on my Mac but use it to take my files into uni, so it needs to work with PCs.
    At the moment it's formatted to Mac so it doesn't show up when it's connected to a PC.
    If I format it on a PC then when I reconnect it I'll just have to format it again to sync with my library? arghhhh!
    Maybe I'm missing something really obvious, any help would be appreciated! Thanks a lot

    *if i format it on a pc then when i reconnect it ill just have to format it again to sync with my library? arghhhh!*
    Macs can read Windows formatting so you should have no problem connecting your iPod to your Mac once it's been restored and reformatted on a PC. One proviso is that up until now Apple has only fully supported using the iPod shuffle in FAT32 format on Mac (unless the range has been expanded to include the iPhone and the iPod Touch which I've no experience of). What this means effectively is that if you need to apply a firmware update for your iPod and you wanted to maintain the Windows format you would have to do it on a PC. If you were to try and update a Windows based iPod on a Mac it would be restored and reformatted to the Mac file system and have the Mac firmware installed.
    One other thing, if you want to connect and use an iPod on more than one computer or with more than one library you need to change the update preference in the iPod Summary tab to "Manually manage music and videos" and click Apply:
    Using iPod with Multiple computers
    Something else to be aware of when using an iPod in manual mode is that the "Do Not Disconnect" message will remain on the display until you physically eject the device: Safely Disconnect IPod

  • Mail setup and .mac authentication

    Baffled… I have been trying to setup my Mail account. I have an active .Mac account which I can access via the internet, so I know it works. I am trying to use Mail as my automatic mail for sending Aperture photos and iWeb announcements.
    In going through the setup procedures in Mail I enter all the required information and the application tries to authenticate my .Mac account… it spins and spins… then an error message is received indicating “failure to connect to .Mac”. I have verified my settings with a friend who uses the same ISP, Mail and .Mac and all our settings are the same.
    Is this a keychain issue, do I need to reset permissions?
    Why can I access my .Mac account through Safari yet the computer can’t do it automatically?
    Thanks for anyone’s assistance.

    So you get mail from your .Mac account not via IMAP,
    but via POP3? Or what do you mean by "as for IMAP I
    am not using that"?
    And no, I did not talk about pinging the server
    (which just sends ICMP echo requests), but about
    trying to connect to the server using telnet. That's
    a real big difference.
    I only get mail via the web ~ Safari ~ Yahoo... .Mac mail can be received and used only as a web application, Mail does not connect via .Mac.
    The problem is .Mac authentication when setting up a new Mail account; the error message says it cannot verify/connect to the .Mac server, yet I can access .Mac via the internet.
    IMAP ~ in my system preferences for Accounts/Advanced I do not sync to any IMAP mailbox and the greyed out port is 143 and SSL is not checked.
    Terminal ~ yes it logged in, sorry if I used the wrong term "ping"... so yes it did connect.

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
    Our company would like to enforce 'double authentication' on each staff machine (include those personal laptop/notebook). Each time the staff plugged into company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine is not match in ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
    ii. If it is possible, any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS as most of our switches are not cisco based and only capable to support 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • Burning a dvd of photos compatible with pc and mac

    I don't know if this is the correct forum or not.... can someone direct me on how to burn a dvd of pics and videos that is compatible with both a pc and a mac. i exported the photos to a folder on my desktop and have tried to burn with finder, and when i try the disk in a pc there are no thumbnails, nor does the pc have the capability of opening the photos. help!

    I am also having this problem. I have a dvd of jpeg's burnt on a mac that I received from my photographer. I can open the disc on my mac, and have copied it using disc utility, but can play neither the original or the copied dvd on my husbands pc (using sony DVD+R). Windows says the dvd is blank and asks if I want to format it. I have the same problem with DVD's of data burnt on friends macbook pro, none are recognised as having any data on them by my husbands dell laptop running windows xp.
    Would love a solution to this problem, as 1 year ago I could burn data DVD's from this same computer and play them on that same pc.

  • Issue with EVC and MAC learning

    Hi,
    I have a testing scenario that seems not to work and I don't find any clue.
    On switch 3800-B I have configured this two ports. To the port  0/8 I have connected a host with IP address and MAC f0f7.55cf.6201.
    interface GigabitEthernet0/8
    switchport access vlan 20
    end
    interface GigabitEthernet0/7
    switchport trunk allowed vlan none
    switchport mode trunk
    service instance 1 ethernet
      encapsulation dot1q 10 second-dot1q 11
      rewrite ingress tag pop 2 symmetric
      bridge-domain 20
    Then I connect the interface 0/7 of this switch to the switch 3800-A to port 0/8. Port is configured as follows.
      bridge-domain 15 interface GigabitEthernet0/8
    switchport trunk allowed vlan none
    switchport mode trunk
    service instance 1 ethernet
      encapsulation dot1q 1-4094 second-dot1q 1-4094
      bridge-domain 15
    The connectivity is going further, but issue is happening here.
    I see the MAC address of the host on the 3800-B Gi0/8,
      20    f0f7.55cf.6201    DYNAMIC     Gi0/8
    but I do not see this MAC at the port and service instance on the switch 3800-A.
    Have I missed something, or is there any issue with double tagging on this platform?
    I appreciate quick response and thanks for any hint.
    Metod

    Hi Waris,
    the whole configuration consists of some other links and connections, so I might have had a loop somewhere. I completely changed the design and it works.
    Thank you for your engagement and best regards.
    Metod
