802.1x deployment with MAC filtering

Hi All
I read "Enhance your 802.1x deployment security with MAC filtering" on the NAP blog, at the link below.
http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
I am wondering whether this tip is correct, and I would like to know how to implement it correctly.
First of all, there is only a "Verify Caller ID" field in the "Dial-in" tab of the user properties, not "Calling Station ID". I tried adding a MAC address in this field and the authentication works.
According to the tip's description, we can add multiple MAC addresses in that field, but it doesn't work. I tried the
"AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" format for multiple MAC addresses, and IAS always responds with a wrong calling station ID error. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?
Thanks

Hi Sam
Thank you for your reply.
I would like to explain why I want to use multiple MAC address authentication for a single account in AD.
Generally, 802.1X can be implemented for wired and wireless authentication on many network devices in a company or enterprise. An employee in a company or enterprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For convenience of the authentication implementation, I think I should only create one account for that person and set up MAC filtering for any devices he is authorized to use.
I tried the first example you mentioned but it didn't work. The switch and wireless gateway I used for the test only sent one MAC address (calling station ID) to AD, and AD only recognized the first of all the MAC addresses I keyed in. Of course, your example can be successful if the device sends multiple MAC addresses simultaneously, because AD treats those "MAC addresses" as just one string or one calling station ID. But that is not what I want.
Anyway, I will try the second way you suggest.
Thanks a lot.

Similar Messages

  • PEAP authentication with MAC filtering

    Hi,
    I have an SSID which requires MAC filtering as the first level of security and RADIUS authentication as well. I have done the necessary configuration in ACS and WLC. In ACS, the rule for MAC filtering is taking a hit, but the users are not asked for credentials. The wireless association also fails. The MAC addresses are saved in the End Station Filter on ACS.
    The attached document has the complete configuration which I performed. Please let me know what I am missing here. Thank you.
    Regards,
    Madhan kumar G

    Hi,
    As per maldehne, you have to play with the service type.
    Check this discussion: http://goo.gl/R9E8ae
    To the authentication policy you have to add a 'Service-Type' attribute and check based on that attribute.
    Based on maldehne's past discussion, the Service-Type value in the rule condition should be:
    For MAC filtering: Call Check
    For 802.1x: Framed
    Note that the MAC filter rule should come first.
    Hope this helps.
    Regards,
    Amjad
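The two threads above describe the same server-side logic from different ends: the first wants one account with several registered MACs (which the single IAS "Verify Caller ID" field cannot hold), and the second wants the MAC-filter rule, keyed on Service-Type = Call-Check, evaluated before the 802.1X rule keyed on Service-Type = Framed. The block below is an added example, not code from either thread, ACS, IAS or Microsoft: a toy RADIUS authorization policy that normalizes the many Calling-Station-Id spellings, keeps a set of MACs per user, and dispatches on the RFC 2865 Service-Type values (10 = Call-Check, 2 = Framed). The user database, passwords and requests are constructed; real 802.1X carries credentials inside EAP rather than as a User-Password attribute, which is simplified here.

```python
"""Toy RADIUS authorization policy: MAB rule first (Service-Type = Call-Check),
then the 802.1X rule (Service-Type = Framed), with several MACs per user.
Added example; user records and requests are constructed for illustration."""
import re
from dataclasses import dataclass

# Service-Type values from RFC 2865
SERVICE_TYPE_FRAMED = 2
SERVICE_TYPE_CALL_CHECK = 10

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff, ...
    to 12 lowercase hex digits. Anything else (including two MACs joined with
    '|', as the first post tried) is rejected rather than silently truncated."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(hexdigits):
        raise ValueError(f"not a single MAC address: {raw!r}")
    return hexdigits


@dataclass
class User:
    password: str   # constructed; real 802.1X credentials travel inside EAP
    macs: set       # every device this one account may use


# Constructed database: one account, two devices (the first thread's goal).
USERS = {
    "alice": User("correct horse",
                  {normalize_mac("AA-BB-CC-DD-EE-FF"),
                   normalize_mac("bb:aa:ff:ee:dd:cc")}),
}


def authorize(request: dict) -> tuple:
    """Evaluate one Access-Request (a dict of attribute name -> value).
    Rule order matters: the MAB (Call-Check) rule is tried before 802.1X."""
    stype = request.get("Service-Type")
    calling = request.get("Calling-Station-Id")
    try:
        mac = normalize_mac(calling) if calling else None
    except ValueError:
        return ("Reject", "malformed Calling-Station-Id")

    if stype == SERVICE_TYPE_CALL_CHECK:
        # MAB: User-Name is the MAC itself. Require it to equal the NAS-supplied
        # Calling-Station-Id so a station cannot claim another device's MAC by
        # username alone (the NAS fills in the calling station from the frame).
        try:
            claimed = normalize_mac(request.get("User-Name", ""))
        except ValueError:
            return ("Reject", "MAB User-Name is not a MAC address")
        if mac is None or claimed != mac:
            return ("Reject", "User-Name does not match Calling-Station-Id")
        owner = next((name for name, rec in USERS.items() if mac in rec.macs), None)
        if owner is None:
            return ("Reject", "MAC not registered to any user")
        return ("Accept", f"MAB for {owner}")

    if stype == SERVICE_TYPE_FRAMED:
        user = USERS.get(request.get("User-Name"))
        if user is None or user.password != request.get("User-Password"):
            return ("Reject", "bad credentials")
        # The "multiple MACs per account" check the IAS field could not express.
        if mac is None or mac not in user.macs:
            return ("Reject", "device not registered to this user")
        return ("Accept", f"802.1X for {request['User-Name']}")

    return ("Reject", "no matching rule for this Service-Type")
```

MAC filtering remains a weak control on its own: a Calling-Station-Id is whatever the NAS read from the frame, and a client can spoof its MAC. The value of the per-user device set is in the 802.1X branch, where it ties a known device to proven credentials, not in MAB alone.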

  • Aironet 600 with Mac Filtering and a switch..

    How does the Aironet 600 handle MAC filtering if I were to connect a switch to port 4 on the back (the "Secured" network port)? Does it authenticate each MAC, or does it do something similar to how 802.1x with multi-host works, where the first MAC authenticates and then the port is wide open? My use case here is a printer at a remote home office. The printer doesn't have a supplicant in it, so I need to use MAC filtering. Thanks.

    MAC authentication is all I use for my outstationed workers. No wifi, just the RLAN. Since the RLAN is configured for DHCP only, no IP gets passed until MAC auth occurs.
    When Cisco packaged this up, they said 4 is enough, IF you use an unmanaged (non-Cisco) switch.
    I had a need for 2 workstations and 2 digiports. SOP says a managed switch. Oops: the switch consumed 2 MACs right off the top, 1 for itself and 1 for each VLAN.
    After enabling 2 RLANs and configuring a pair on different networks, we discovered that they were bridged in the 602 (or somewhere).
    We ended up switching out the 602 for an ASA5505.

  • WLC 5760 multiple SSIDs with MAC filtering

    Dear All,
    I am implementing a wireless network with 5760 WLCs. The client requires a few SSIDs with MAC-based authentication. So I created different MAC filters using the commands "aaa authorization network MAC_FILTER01 local", "aaa authorization network MAC_FILTER02 local", etc.
    These filters are bound to different SSIDs using the commands "mac-filtering MAC_FILTER01", "mac-filtering MAC_FILTER02", etc., and users are added to their required MAC filters using the commands "username <mac-address> mac aaa attribute list MAC_FILTER01", "username <mac-address> mac aaa attribute list MAC_FILTER02", etc.
    Now I am facing a serious issue: users belonging to any one MAC filter can connect to all SSIDs. It seems that the MAC addresses added to the controller under different filter names go into a common database, thereby giving users access to all SSIDs irrespective of their MAC filter.
    Is it a limitation of the local database of the 5760? Has anyone faced the same issue? How can I implement independent MAC filters bound to different SSIDs?
    Thanks,
    Arun John

    Hi Arun,
    This feature currently does not exist on the 5760. It is due to be released in one of the MRs of 3.6.
    -Joseph

  • 802.1x authentication with mac address

    Hi guys,
    There is a strange requirement from one of our customers:
    they want us to do 802.1x with MAC address authentication, and they don't want the pop-ups which ask
    for username, password and domain.
    Is it possible?
    Can I avoid the username/password pop-up with 802.1x, and do it with the MAC address?
    Any help would be greatly appreciated.
    Thanks
    Jvalin

    Hi,
    The feature which you are looking for is possible in the case of wired 802.1x. This feature is called MAC-Auth Bypass and is done mostly if the client machine is not 802.1x capable. However, nowadays it is used even if the machine is 802.1x capable. In this we enter the MAC address of the machine in the user database, e.g. Active Directory. When you connect the client machine to the switch, if we have MAC-Auth Bypass enabled on the port, it takes the MAC address of the machine as the username without any prompt for username and password.
    A Windows server admin can easily push a group policy which disables 802.1x on the client machine, and it would only respond to the MAC-Auth Bypass. But first you would have to make sure your switch has MAC-Auth Bypass in its IOS.
    For more information, you can go to http://www.cisco.com/univercd/cc/td/doc/solution/macauthb.pdf
    Regards,
    Kush

  • Web Auth with Mac Filtering

    I am trying to set up a scenario where a user logs in via Web Auth and, with a successful connection, the MAC address is remembered for 7 days. That way, if the user connects again during the course of the 7 days, they aren't required to authenticate via web auth again; they just get access. After 7 days they will need to log in again through the web auth. It is a similar scenario to what you see on a hotel wireless network. Does anyone know how I would go about setting up the dynamic MAC filtering and setting the timer to 7 days? With that said, I want it to be for a single SSID.

    Well, it's not possible with just the WLC.
    You can do it, but you need to have a way to pull the MAC address from the webauth page and insert that into an LDAP db, in which you control the age-out process.
    Then on subsequent visits they get MAC-authed instead of having to re-accept the page.
    In the webauth config you would check the "On MAC filter failure" box.
    HTH,
    Steve
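The reply above leaves the age-out logic to an external store. The block below is an added example, not the WLC's code or anything from the thread: a small allowlist with a 7-day TTL and the "MAC filter first, web auth on failure, remember on success" flow. It is backed by a dict here; a real deployment would keep the same records in the LDAP or RADIUS store the WLC's MAC-filter lookup queries. Timestamps are passed in explicitly (seconds since the epoch) so the expiry can be exercised without waiting a week.

```python
"""Added example: dynamic MAC allowlist with a 7-day age-out, feeding a
MAC-filter-then-web-auth flow. Storage and times are constructed; nothing
here is WLC or ISE code."""
import re
import time

REMEMBER_SECONDS = 7 * 24 * 3600   # the 7 days asked for in the question


def normalize_mac(raw: str) -> str:
    """Reduce any common MAC spelling to 12 lowercase hex digits so the same
    client is recognised whether the NAS sends aa:bb:... or AA-BB-...."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


class MacAllowlist:
    """mac -> (expires_at, username). Stands in for the LDAP/RADIUS store."""

    def __init__(self, ttl: int = REMEMBER_SECONDS):
        self.ttl = ttl
        self._entries = {}

    def remember(self, mac: str, username: str, now: float = None) -> None:
        """Called after a successful web login; (re)starts the 7-day window."""
        now = time.time() if now is None else now
        self._entries[normalize_mac(mac)] = (now + self.ttl, username)

    def check(self, mac: str, now: float = None):
        """The MAC-filter lookup: returns the remembered username, or None.
        Expired entries are dropped on read so the client falls back to
        web auth even if the periodic purge has not run yet."""
        now = time.time() if now is None else now
        key = normalize_mac(mac)
        rec = self._entries.get(key)
        if rec is None:
            return None
        expires_at, username = rec
        if now >= expires_at:
            del self._entries[key]
            return None
        return username

    def purge(self, now: float = None) -> int:
        """Periodic age-out sweep (the part the reply says you must run
        yourself). Returns how many entries were removed."""
        now = time.time() if now is None else now
        stale = [m for m, (exp, _) in self._entries.items() if now >= exp]
        for m in stale:
            del self._entries[m]
        return len(stale)

    def __len__(self) -> int:
        return len(self._entries)


def handle_client(allowlist: MacAllowlist, mac: str, web_login, now: float) -> tuple:
    """One association. MAC filter first; on a miss the controller's
    'On MAC filter failure' path sends the client to web auth, and a
    successful login (web_login = username, or None if not completed)
    is remembered for the next 7 days."""
    user = allowlist.check(mac, now)
    if user is not None:
        return ("mac-auth", user)
    if web_login is None:
        return ("webauth-required", None)
    allowlist.remember(mac, web_login, now)
    return ("webauth", web_login)
```

Remembering a MAC for a week means anyone who clones that MAC during the window gets in without seeing the portal, so keep the TTL as short as the use case allows and keep the remembered set per SSID, as the question intends, rather than controller-wide.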

  • Airport Express 802.11 2nd Gen & MAC Filtering

    I am failing to connect my Epson NX430 wirelessly to my Airport Express network. The printer's status report indicates it failed the MAC Address Filtering Check. I have not enabled MAC filtering. I don't even know where to find it in the Airport Utility (5.6.1). I downloaded the latest printer driver, but that didn't help. The printer connected without a hitch to my NetGear router until that router just stopped functioning. I am running OS X 10.6.8. Do I need to update the Airport Utility software?

    I just found my way to Access Control in Airport Utility.  It definitely states MAC Address Access Control - Not Enabled.  What next?

  • Client unable to connect AP with MAC filtering

    I need some help from you. I found a problem where some clients cannot connect to the AP (but some clients can connect as normal). As I checked the logs, I see a lot of messages as below:
    Nov 18 01:13:55.760: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    Nov 18 01:13:55.760: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Previous authentication no longer valid
    Nov 18 01:13:55.763: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    After that I tried reloading the AP, and then it could connect as normal, but I found the log showing it roaming to another AP in the same SSID, as below:
    Nov 21 08:52:12.147: %DOT11-6-ROAMED: Station 0023.68be.1c88 Roamed to 003a.99e6.6860
    Nov 21 08:54:33.855: %DOT11-6-ROAMED: Station 0023.68be.1c88 Roamed to 003a.99e6.6860
    Nov 21 09:04:34.495: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0023.68be.1c88 Reassociated KEY_MGMT[NONE]
    Nov 21 09:04:39.097: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Sending station has left the BSS
    Nov 21 09:04:39.103: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0023.68be.1c88 Reassociated KEY_MGMT[NONE]
    Nov 21 09:04:42.309: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    Nov 21 09:04:42.309: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Previous authentication no longer valid
    Nov 21 09:04:42.315: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    I've checked the Cisco documentation; this problem may be from radio interference, so please help to investigate and find the root cause of why some clients cannot connect to the AP at that time, and how to prevent this problem from occurring again.
    Thank you in advance.

    Hi @Krish1840, and thanks for the reply!
    Do the pages come out blank when making a copy as well?
    I would suggest deleting the printer from your print system, using this document: Uninstalling the Printer Software.
    Once you have deleted it, I would suggest verifying and repairing the disk permissions: About Disk Utility's Repair Disk Permissions feature.
    I would also suggest running your Apple updates: OS X: Updating OS X and Mac App Store apps
    After the updates, I would recommend re-adding the printer via OS X v10.9 Mavericks: Installing and Using the Printer on a Mac
    Good luck and please let me know how it goes!
    Jamieson
    I work on behalf of HP

  • 802.1x authentication with ACS 4.1 for MAC OSX

    Hi,
    I simply wanted to know if it's possible to have 802.1x authentication with Mac OS X on the ACS 4.1 platform?
    If yes, what is required on ACS and Mac OS X? Which authentication methods are recommended?
    I'm sorry, but I can't find documents which show validated tests of an 802.1x implementation on ACS 4.1 with the Mac OS X supplicant.
    Thanks in advance
    Best regards

    Yes. Refer to the doc below:
    http://support.apple.com/kb/HT2717
    Port settings and ACS configuration remain the same as for Windows-based clients.

  • OEAP Remote LAN & MAC Filtering

    I am currently trying to set up the Remote LAN feature with MAC filtering with WLC & ISE. I want to use Central Web Authentication, but the client connected to wired port 4 of the OEAP does not get redirected. On the WLC I see the correct web redirect URL and ACL being applied (client details), but the redirect on the client itself is not taking place. The RADIUS NAC state of the wired client is also shown as "RUN" instead of the expected "CENTRAL_WEBAUTH_REQD". No anchoring is configured for the Remote LAN, since it is not supported in this WLC software release.
    Does anybody have any ideas? Is this supported at all? The redirect is working fine with wireless on the OEAP.
    WLC 5508 7.4.110.0
    AIR-OEAP602I-E-K9
    ISE 1.2.0.899

    You are trying web-auth redirect on the RLAN, correct? On the remote LAN 44 config:
    Remote LAN Configuration
    Remote LAN Identifier............................ 44
    Profile Name..................................... HomeOffice_RemoteLAN_Port4
    Status........................................... Enabled
    MAC Filtering.................................... Enabled
    AAA Policy Override.............................. Enabled
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 86400 seconds
    User Idle Timeout................................ 300 seconds
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... XXX-XXXXXX
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ homeoffice
    Remote LAN ACL................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Enabled
    PMIPv6 Mobility Type............................. none
    Radius Servers
       Authentication................................ 10.65.30.220 1812
       Authentication................................ 10.65.30.221 1812
       Accounting.................................... 10.65.30.220 1813
       Accounting.................................... 10.65.30.221 1813
          Interim Update............................. Disabled
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    Security
       802.1X........................................ Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
    AVC Visibilty.................................... Disabled
    AVC Profile Name................................. None
    Flow Monitor Name................................ None
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled

  • About max local MAC filtering can be register in WLC 2504 and 5508

    Hi all
    My customer is considering using a WLC with the MAC filtering feature (using the local database, not an external RADIUS server). So they are concerned about the maximum number of local MAC filtering entries that can be registered on the WLC2504 and WLC5508 they would buy (the number of APs is about 20, but the number of MACs is more than 200).
    I tried to search, but I could not find any specs mentioning it. If anyone knows, please help to answer.
    Rgds

    I looked at this before. I want to say it's maxed at 2048 regardless of the model.
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

  • MAC Filtering via Radius not working

    Hi Folks,
    I'm having problems with MAC filtering via RADIUS. I have a combination of a local database on the controllers and remote MAC addresses provisioned on a Cisco ACS. My problem is that even when I've set the controllers to use RADIUS, and I've configured the order to be local and then RADIUS, the controllers never send an auth request to the RADIUS servers. I know that RADIUS can work because I have another WLAN (the guest WLAN) on the same hardware that is configured to authenticate first against the local database and then against RADIUS, and this is working fine.
    (WiSM-slot9-1) >debug aaa all enable
    *Oct 09 08:01:44.518:       AVP[14] Called-Station-Id........................X.X.X.X (9 bytes)
    *Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
    *Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
    *Oct 09 08:03:21.677: AuthenticationRequest: 0x18cc933c
    *Oct 09 08:03:21.677:   Callback.....................................0x10112bc4
    *Oct 09 08:03:21.677:   protocolType.................................0x40000001
    *Oct 09 08:03:21.677:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.677:   Packet contains 14 AVPs (not shown)
    *Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
    *Oct 09 08:03:21.678: AuthorizationResponse: 0x38f71958
    *Oct 09 08:03:21.678:   structureSize................................32
    *Oct 09 08:03:21.678:   resultCode...................................-7
    *Oct 09 08:03:21.678:   protocolUsed.................................0xffffffff
    *Oct 09 08:03:21.678:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.678:   Packet contains 0 AVPs:
    *Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
    *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.778: Looking up local blacklist 0013ce73a9e0
    *Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
    *Oct 09 08:03:21.847: ReProcessAuthentication previous proto 8, next proto 40000001
    *Oct 09 08:03:21.847: AuthenticationRequest: 0x18c6dcc4
    *Oct 09 08:03:21.847:   Callback.....................................0x10112bc4
    *Oct 09 08:03:21.847:   protocolType.................................0x40000001
    *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.847:   Packet contains 14 AVPs (not shown)
    *Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
    *Oct 09 08:03:21.847: AuthorizationResponse: 0x38f71958
    *Oct 09 08:03:21.847:   structureSize................................32
    *Oct 09 08:03:21.847:   resultCode...................................-7
    *Oct 09 08:03:21.847:   protocolUsed.................................0xffffffff
    *Oct 09 08:03:21.847:   proxyState...................................6C:C2:6B:59:90:E5-00:00
    *Oct 09 08:03:21.848:   Packet contains 0 AVPs:
    I'm assuming that the line "Returning AAA Error 'No Server'" is significant, but I have configured the RADIUS servers correctly, and a packet trace shows no auth requests whatsoever from the controllers. Has anyone seen this? Anything I should be looking at?
    Thanks in advance,
    Shane.

    The bug I ran into was CSCta53985 on the WLCs. I upgraded to 7.0 and it fixed it. The fix is available in 6.0.188. Depending on your WLC hardware, I would go to at least 7.0.116 for newer AP support and CleanAir support.
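The "debug aaa all" output above is the kind of thing that gets pasted into a ticket and eyeballed. The block below is an added example, not part of the thread or of Cisco's tooling: a parser for the three line types that matter here (the local-database miss, the "Returning AAA Error" line, and the local blacklist lookup) that rolls them up per client MAC and flags the pattern Shane saw, a local miss followed by 'No Server' with no RADIUS exchange. The sample lines are copied from the post; the summary and diagnosis logic is the added part.

```python
"""Added example: summarise WLC 'debug aaa all' lines per client MAC.
The sample is a subset of the lines posted above; the regexes target only
those message shapes and are not a general WLC log grammar."""
import re
from collections import defaultdict

SAMPLE_DEBUG = """\
*Oct 09 08:01:44.518:       AVP[14] Called-Station-Id........................X.X.X.X (9 bytes)
*Oct 09 08:03:21.677: Unable to find requested user entry for 6cc26b5990e5
*Oct 09 08:03:21.677: ReProcessAuthentication previous proto 8, next proto 40000001
*Oct 09 08:03:21.678: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
*Oct 09 08:03:21.678:   resultCode...................................-7
*Oct 09 08:03:21.680: Looking up local blacklist 98d6bbde785f
*Oct 09 08:03:21.754: Looking up local blacklist 0013ce73a9e0
*Oct 09 08:03:21.846: Unable to find requested user entry for 6cc26b5990e5
*Oct 09 08:03:21.847: 6c:c2:6b:59:90:e5 Returning AAA Error 'No Server' (-7) for mobile 6c:c2:6b:59:90:e5
"""

LINE_RE = re.compile(r"^\*(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
LOCAL_MISS_RE = re.compile(r"Unable to find requested user entry for ([0-9a-fA-F]{12})\b")
AAA_ERR_RE = re.compile(
    r"Returning AAA Error '(?P<err>[^']+)' \((?P<code>-?\d+)\) for mobile (?P<mac>[0-9a-fA-F:]{17})")
BLACKLIST_RE = re.compile(r"Looking up local blacklist ([0-9a-fA-F]{12})\b")


def normalize_mac(raw: str) -> str:
    """The WLC prints the same client as 6cc26b5990e5 and 6c:c2:6b:59:90:e5;
    fold both to 12 lowercase hex digits so they land in one bucket."""
    return re.sub(r"[^0-9a-fA-F]", "", raw).lower()


def _new_record():
    return {"local_miss": 0, "aaa_errors": [], "blacklist_lookups": 0,
            "first_seen": None, "last_seen": None}


def summarize(text: str) -> dict:
    """Return {mac: record} with counts of each event type and the time span
    over which the client appears. Lines that are not one of the three
    tracked shapes (AVP dumps, structure dumps) are skipped."""
    stats = defaultdict(_new_record)

    def touch(mac, ts):
        rec = stats[mac]
        rec["first_seen"] = rec["first_seen"] or ts
        rec["last_seen"] = ts
        return rec

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg").strip()
        hit = LOCAL_MISS_RE.search(msg)
        if hit:
            touch(normalize_mac(hit.group(1)), ts)["local_miss"] += 1
            continue
        hit = AAA_ERR_RE.search(msg)
        if hit:
            rec = touch(normalize_mac(hit.group("mac")), ts)
            rec["aaa_errors"].append((hit.group("err"), int(hit.group("code"))))
            continue
        hit = BLACKLIST_RE.search(msg)
        if hit:
            touch(normalize_mac(hit.group(1)), ts)["blacklist_lookups"] += 1
    return dict(stats)


def diagnose(stats: dict) -> dict:
    """Map each MAC to a short verdict. 'radius-not-consulted' is the pattern
    in the post: the local lookup missed and the controller answered
    'No Server' itself instead of sending an Access-Request."""
    verdicts = {}
    for mac, rec in stats.items():
        no_server = [e for e in rec["aaa_errors"] if e[0] == "No Server"]
        if rec["local_miss"] and no_server:
            verdicts[mac] = "radius-not-consulted"
        elif rec["aaa_errors"]:
            verdicts[mac] = "aaa-error"
        elif rec["local_miss"]:
            verdicts[mac] = "local-miss"
        else:
            verdicts[mac] = "lookup-only"
    return verdicts
```

A "radius-not-consulted" verdict should be read together with a capture on the RADIUS ports, as Shane did: the debug line says the controller gave up before talking to a server, and the absence of Access-Requests on the wire confirms it is a controller-side problem rather than a server timeout.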

  • WRT320 Mac filtering act strange!

    Hi,
    I have a Linksys WRT320N acting as an AP with MAC filtering. Yesterday I noticed that even MAC addresses that were not added can access the network!!
    The settings in the MAC Filter page are as follows:
    Enable
    Prevent PCs listed below from accessing the wireless network.
    MAC 01: XX:XX:XX:XX:XX:XX
    MAC 02: XX:XX:XX:XX:XX:XX
    When I changed it to "Permit PCs listed below to access the wireless network", no one is able to connect to the network!!!
    I think the AP is not accepting the MACs I added!
    I restarted the router (turning it off and on) with no luck.
    Firmware Version: v1.0.03
    Any ideas or suggestions?

    Well, for the scenario that you explained, you can try the following steps:
    Update your router with the latest firmware (you can find the firmware on the Cisco website),
    then reset the router and reconfigure it again. As far as the wireless is concerned, this router works on 2 different frequencies simultaneously.
    If you are using the 2.4GHz frequency, then set the channel width to 20MHz only and the wireless channel to 6, 9 or 11, and observe the connection.
    If you are using the 5GHz frequency, then set the channel width to 20MHz only and the wireless channel to 149 or 161.
    Now try to use the Wireless MAC Filter with "Permit PCs listed below to access the wireless network" and observe the connection.

  • Linksys mac filtering

    I've looked all around the net and can't find an answer to this question.
    Presently, my home wireless network is two PCs running Win XP (SP1) using a Linksys router (Wireless G) with MAC filtering enabled. When I get my MacBook, I'd also like it to access the internet and home network wirelessly.
    My question is, do MacBooks have a MAC address that I can identify and enter into the MAC filter list? Or, how does it connect?
    You can imagine that Googling "Macbooks with MAC address" gives quite a strange result...

    Yes, the MB will have a MAC address. Simply open the Network preferences (System Preferences), select the Built-in Ethernet port and click on the Configure button. In the dialog click on the Ethernet tab. You will see listed "Ethernet ID:" followed by the MAC address.
    To configure the Airport card, simply select the Airport port from the Show dropdown menu, click on the TCP/IP tab, set the Configure IPv4 dropdown menu to DHCP and click on the Apply button. Click on the Airport tab and put a checkmark in the box labeled "Show Airport status in menubar." Click on the Apply button. Use the Options button for additional configuration options for the Airport card.

  • EA6300 Wireless MAC Filtering

    I have two EA6300s. I've set up one as the main router and it is configured with MAC filtering.
    I intend to wire the second to the first and use it as a wireless access point. The issue, however, is that when the second one is put into bridge mode, under the wireless tab there is no longer the option to configure wireless MAC filtering.
    The result is that devices can connect to the second router (the access point one) and use the internet OK; however, devices which are not listed as "allowed" on the first router are able to connect and access the network. (The devices fail to get a connection if connecting to the main router, as they should.)
    Is there any way to configure the EA6300 to act as an access point and still retain wireless MAC filtering?
    Thanks in advance

    The secondary router itself won't be able to ping, since it uses the WAN port to ping to the internet. While in wired AP mode, the WAN port isn't used.
    If connected devices get internet through the secondary AP, then you're good to go. Just think of it as an internet pass-through.
