ACS - SSID - MAC-Filter separation

Hello,
I’m trying to set up the following environment:
WLC 5508 (OS 7.5)
Up to 60 Access Points 1602I
Two SSIDs are required
WPA/WPA2 Authentication is required
MAC-Filter should also be used
I’ve done the following configuration:
LAN environment works
WLC setup also works with all Access Points
SSIDs with WPA/WPA2 authentication work
Clients can connect to each SSID
For the MAC filter setup I’m going to use an ACS 5.4 and an Active Directory. The ACS has successfully joined the Active Directory, and in the Active Directory I’ve created two groups:
CN=SSID1,OU=Authentication,DC=global,DC=lan
CN=SSID2,OU=Authentication,DC=global,DC=lan
I selected these two groups after I joined the Active Directory. I used the Active Directory (AD1) as an Identity group, which is used by a Network Access based Access Service. In my second step, I configured the WLC to use RADIUS authentication for MAC-Filter, and everything works.
But now I’ve found my problem:
The ACS server works top-down and the first matching rule applies:
If a MAC is a member of group SSID1 and the client wants to join SSID 1, it works.
If a MAC is a member of group SSID2 and the client wants to join SSID 1, it works, too, because the rules are checked top-down, first match, and the ACS will find the MAC in group SSID.
Is it possible to check at the ACS which SSID sent the MAC-Filter request? Or
is it possible to get the SSID value from the Active Directory to use this value in my policies?
I would like to restrict the MACs from group SSID1 to SSID 1 and the MACs from group SSID to SSID 2.
Thanks and kind regards
Kai

Hello,
I hope this will help you. The username and password will be the MAC address of your wireless client device, e.g.
Username:  aabbccddeeff
Password:  aabbccddeeff
You have to check in which format you have to send the MAC address (aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA:BB:CC:DD:EE:FF, and so on).
The attachments will show you a sample ACS Access Policy, the "caller-station-id" configuration, and the configuration of an SSID from a Cisco WLC 5508.
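
The first-match behaviour from the question, and the same policy with each rule also tied to the requesting SSID, as an added example that is not part of the original thread and is not ACS code. It assumes the WLC sends Called-Station-Id as `<AP MAC>:<SSID>`; the group table, WLAN names, rule names and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: AD group membership keyed by normalized MAC.
AD_GROUPS = {
    "aabbccddeeff": {"SSID1"},
    "001122334455": {"SSID2"},
}


def normalize_mac(value: str) -> str:
    """Reduce aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA-BB-... to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", value.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return digits


# Assumed Called-Station-Id layout: AP MAC (any separator), a colon, then the SSID.
CSID = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:.]?[0-9A-Fa-f]{2}){5}:(?P<ssid>.+)$")


def ssid_from_called_station_id(value: Optional[str]) -> Optional[str]:
    """Return the SSID part, or None when the attribute carries no SSID."""
    match = CSID.match(value or "")
    return match.group("ssid") if match else None


@dataclass(frozen=True)
class Rule:
    name: str
    group: str
    ssid: Optional[str]  # None means the rule ignores which SSID asked
    result: str = "Permit"


# Policy as described in the question: group membership only.
GROUP_ONLY_RULES = [
    Rule("ssid1-macs", group="SSID1", ssid=None),
    Rule("ssid2-macs", group="SSID2", ssid=None),
]

# Same policy, each rule additionally bound to the WLAN that sent the request.
GROUP_AND_SSID_RULES = [
    Rule("ssid1-macs", group="SSID1", ssid="SSID1"),
    Rule("ssid2-macs", group="SSID2", ssid="SSID2"),
]


def authorize(request, rules, groups=AD_GROUPS):
    """Top-down, first-match evaluation with a default deny."""
    try:
        mac = normalize_mac(request["User-Name"])
    except (KeyError, ValueError):
        return ("Deny", "invalid-username")
    ssid = ssid_from_called_station_id(request.get("Called-Station-Id"))
    member_of = groups.get(mac, set())
    for rule in rules:
        if rule.group not in member_of:
            continue
        if rule.ssid is not None and rule.ssid != ssid:
            continue
        return (rule.result, rule.name)
    return ("Deny", "default")


if __name__ == "__main__":
    # A MAC from group SSID2 asking to join WLAN "SSID1" (constructed request).
    req = {"User-Name": "00:11:22:33:44:55",
           "Called-Station-Id": "02-00-00-00-00-aa:SSID1"}
    print("group only      :", authorize(req, GROUP_ONLY_RULES))
    print("group and SSID  :", authorize(req, GROUP_AND_SSID_RULES))
```

A request whose Called-Station-Id carries no SSID falls through to the default deny under the second rule set, so the attribute format on the WLC has to be confirmed before the stricter rules go live.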

Similar Messages

  • Compatibility 802.1X and mac-filter from ACS

    If the clients' identities and MAC addresses are stored in the same ACS server,
    in the WLC, could a WLAN be configured with Layer 2 security using both 802.1X and MAC filtering?
    This is really a critical problem for me!
    Thanks~

    Hi,
    I am assuming you are asking: if you configure the MAC of a WLAN client in the MAC filter, and the same as the user name in the 802.1X ACS database, could you configure it? What is the effect?
    If my understanding of your question is correct, the answer is:
    Any WLAN client will not be allowed to associate to the network unless a match is seen in the MAC filter in the WLC.
    But once that is done, it will not be able to access network resources unless 802.1X authentication is completed by ACS against the WLAN client's user name, which is again the MAC address of the client.
    I don't see a value in doing this, except that you will block unnecessary authentication requests from getting to ACS by filtering them in the first instance.
    Another scenario is if you are using MAC filtering on ACS as well: it should be preceded by MAC filtering and then ACS authentication, as above as far as sequence goes, hence the same logic applies here.
    Thanks

  • CSCuh08009 - WPA2-PSK mac-filter assign interface wrong after client roaming back

    Hi All,
    Has anyone here experienced the same problem on WLC 5500 controllers?
    FW: 7.4.110
    WPA2-PSK with MAC-Filter, ACS has the database of allowed host MAC addresses
    Regards,
    Mikhail Veran

    Thanks Scott, The code version is 7.6.130.0 which supports Sleeping Client feature. However, as per the docu "http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_010111.html#reference_7008E6F7D7094BA7AD39491D7361622D"
    The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.
    and as you mentioned as well
    ...Sleeping client like George mentioned is a better way than adjusting the idle timer but strictly for layer 3 only...
    Sleeping Client wasn't an option in my case. That is why I was hoping that Idle Timeout may do the trick here. This is an actual case where a client with an existing wireless network just wanted to enable sleeping client feature so that their guests don't need to re-auth if their device sleeps or they go out (break) and come back after some time. Layer-3 Web Auth alone should be enough I think. Keeping L2-PSK is probably their security team's decision, as they also use the same SSID for BYOD devices and don't want nearby people/buildings to see that there is an Open Wifi available and on joining would see the Web Auth portal and company disclaimer. 
    George, I agree with Dot1X method. It can be used for the BYOD devices (separate SSID) while we can keep the Guest WLAN as L3-WebAuth only on controller (or do CWA through ISE if available). 
    Thanks for all your help.
    Rick.

  • Local radius + mac-filter ?

    Hi all,
    Could someone tell me how to configure a local RADIUS plus MAC filter?
    The config with the local RADIUS is running perfectly, but I don't know how to configure a filter in addition.
    Any ideas are welcome.
    Carsten

    Yes, you can do that, but you don't actually need those two first "authentication" commands. These two:
    authentication open mac-address mac_methods eap EAP_LOCAL
    authentication network-eap EAP_LOCAL mac-address mac_methods
    will overwrite these two:
    authentication open eap EAP_LOCAL
    authentication network-eap EAP_LOCAL
    so you'll just be left with:
    dot11 ssid wlan-ap
    authentication key-management wpa
    authentication open mac-address mac_methods eap EAP_LOCAL
    authentication network-eap EAP_LOCAL mac-address mac_methods
    Yes, you can also use "dot11 association", but you'd have to keep track of your access-list 700 on each access-point independently for each client. With RADIUS-based MAC authentication you will have a centralized mac address database on the RADIUS server.
    You can also do local AP RADIUS authentication for this too ("radius-server local")
    By the way, it is recommended to use two separate RADIUS servers for EAP and for MAC authentication. For example, ACS for EAP and LOCAL for MAC. The problem with using the same RADIUS server is that a user can now do EAP authentication by supplying WLAN NIC's MAC address as username and password and both EAP and MAC auth will pass!!

  • 802.1x peap mschap v2 with MAC Filter + IP Address Permanent

    Hi, my name is Ivan and I have an issue.
    I have one Cisco WLC 5508 with ios 7.4.100, with an SSID that is working with 802.1X PEAP MSCHAPv2 with MAC filter, and I need to configure, in the WLC web page under Security > Mac Filter, a MAC and one permanent IP address for the users.
    I have a DHCP service in the WLC for this profile.
    This configuration works fine for 3 or 4 days. On the fifth day, my users renew their IP addresses and they cannot browse the internet, because in my firewall I have a policy for the users with exact IP addresses, for example:
    MAC Filter - IP Address A - UserA
    My policy says:
    PolicyUserA - Internet
    Please, can I establish a MAC filter associated with one permanent IP address for one user when the DHCP service in the Cisco WLC is active?
    Is it possible to do it?
    How can I do it?

    Hi Ivan,
    You cannot map the MAC-IP address pairs on the WLC DHCP.
    The WLC has limited DHCP server functionality. You had better use an external DHCP server with full functionality, and then you can configure the DHCP server to provide the same IP address every time to each client in your network.
    HTH
    Amjad

  • Wireless Guest Network, iPADS and MAC Filtering

    Hello, I have a question regarding our wireless guest network and using iPADs
    Our wireless network consists of (3) 5508 WLC’s running 6.0.188. 2 internal WLC and 1 external anchor WLC for guest.  Presently we are only using one of the internal controllers for users; the second is only used for failover.  The anchor controller is set up as the DHCP server for guest. We also have a Cisco NAC Guest Server in the DMZ for guest authentication.
    We have (10) iPads that need Internet access through our guest portal. We do not want these iPADs to have to enter any credentials, just pass through to the internet. We do not want any other device to be able to connect to this SSID.  Here’s my question: getting to the Internet is no problem; however, when I try to set up a MAC filter just for these devices, they never receive an IP address and never get connected.  I have tried setting the filter on both the internal controller and the anchor controller identically and in about every combination I can think of.  Does anyone know how to set up a MAC filter on a guest network configured as per Cisco’s recommendation?  I also plan to use WPA2 and 802.1x once I get the MAC filter to work.  Any help would be appreciated.
    Thank You
    John

    Not all layer 2 and layer 3 security mechanisms are compatible. Refer to this doc
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080987b7c.shtml#matrix
    What security settings have you configured? The settings also need to be identical on both the internal and anchor controller.

  • Why is Web Page Auth on MAC Filter Failure not working on Anchor Controller?

    Hi,
    I have implemented a Guest WLAN solution as per the recommended design from Cisco. We have two internal WiSM2 controllers providing services for Internal secure SSIDs. Both these controllers are members of a Mobility and RF management group.
    Two 5508 controllers have been installed in our DMZ for resilience and have been placed into a separate Mobility group. All controllers (internal and external) have been linked together as mobility neighbours in a full mesh and a new SSID for Web Guest traffic has been anchored to the controllers in the DMZ.
    Web page authentication works perfectly fine, but I cannot for the life of me get the MAC filtering override to work, i.e. if a MAC address is present, do not redirect to the splash page for web auth.
    I can get MAC auth working by itself, but not with the Layer 3 option selected for web page auth on mac filter failure.
    I know I can get around this by just creating two separate SSIDs. But the business is used to just having the one SSID for all guest traffic.
    Is this a known limitation when anchoring SSIDs to controllers in the DMZ ?

    Hi Nicolas,
    I guess they changed their mind about adding this fix in 7.0MR3. Now the fix will be in the 7.2 release, planned to be released in FEB.
    There is a documentation bug opened to add this to configuration guide :
    CSCtw48727    Document CSCts54424. Limitations webauth on mac filter fail for anchor
    Regards..Salil

  • WLC Webauth on mac filter / Bypass

    Hi
    I am currently experimenting with the webauth 'On MAC Filter failure' feature.
    In most cases things work fine, meaning that: user arrives in SSID coverage, if his MAC is registered in our radius he is allowed through, if not he associates to the AP and gets the usual splashscreen. But, in some weird cases things don't happen as expected: user arrives in SSID coverage, if his MAC is registered in our radius he is allowed through, if not he cannot associate.
    I tried to run some debugs but with little success, as I don't know what I am looking for.
    As far as I can say, the problem appears with devices I used for testing (allowed through MAC filter, then removed ...) and makes me think of some kind of caching mechanism (things like fastpath come to my mind).
    Did someone implement the feature successfully?
    Thanks,
    seb.

    Hi,
    Sure (debug client 00:24:d6:23:d0:58). Problem is visible around  12:26:47.612
    *pemReceiveTask: Sep 22 12:25:38.048: 2c:a8:35:cf:20:14 Sent an XID frame
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Adding mobile on LWAPP AP 00:08:30:4a:d6:50(0)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Association received from mobile on AP 00:08:30:4a:d6:50
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific IPv6 override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying IPv6 Interface Policy for station 00:24:d6:23:d0:58 - vlan 113, interface id 11, interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 apfProcessAssocReq (apf_80211.c:5122) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Idle to AAA Pending
    *aaaQueueReader: Sep 22 12:26:26.258: Unable to find requested user entry for 0024d623d058
    *aaaQueueReader: Sep 22 12:26:26.258: ReProcessAuthentication previous proto 8, next proto 40000001
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *aaaQueueReader: Sep 22 12:26:26.258: AuthenticationRequest: 0x2aeb3be8
    *aaaQueueReader: Sep 22 12:26:26.258:   Callback.....................................0x100df840
    *aaaQueueReader: Sep 22 12:26:26.258:   protocolType.................................0x40000001
    *aaaQueueReader: Sep 22 12:26:26.258:   proxyState...................................00:24:D6:23:D0:58-00:00
    *aaaQueueReader: Sep 22 12:26:26.258:   Packet contains 14 AVPs (not shown)
    *aaaQueueReader: Sep 22 12:26:26.258: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Sep 22 12:26:26.259: 00:24:d6:23:d0:58 Successful transmission of Authentication Packet (id 255) to 10.83.40.111:1812, proxy state 00:24:d6:23:d0:58-00:01
    *radiusTransportThread: Sep 22 12:26:27.262: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Sep 22 12:26:27.262: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Access-Reject received from RADIUS server 10.83.40.111 for mobile 00:24:d6:23:d0:58 receiveId = 0
    *radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d6:23:d0:58
    *radiusTransportThread: Sep 22 12:26:27.262: AuthorizationResponse: 0x3c4fd8b4
    *radiusTransportThread: Sep 22 12:26:27.262:    structureSize................................32
    *radiusTransportThread: Sep 22 12:26:27.262:    resultCode...................................-4
    *radiusTransportThread: Sep 22 12:26:27.262:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Sep 22 12:26:27.262:    proxyState...................................00:24:D6:23:D0:58-00:00
    *radiusTransportThread: Sep 22 12:26:27.262:    Packet contains 0 AVPs:
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying new AAA override for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58
                                                                                                            source: 2, valid bits: 0x0
            qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
                                                                                                                                                    vlanIfName: '', aclName: ''
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting AAA Override struct for mobile
            MAC: 00:24:d6:23:d0:58, source 2
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting new RADIUS override into chain for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58
                                                                                                            source: 2, valid bits: 0x0
            qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
                                                                                                                                                    vlanIfName: '', aclName: ''
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3for this client
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfMsAssoStateInc
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from AAA Pending to Associated
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 Sending Assoc Response to station on BSSID 00:08:30:4a:d6:50 (status 0) ApVapId 3 Slot 0
    *apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 apfProcessRadiusAssocResp (apf_80211.c:2153) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Associated
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule
    *apfReceiveTask: Sep 22 09:31:33.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:08:30:4a:d6:50, slot 0, interface = 13, QOS = 0
      ACL Id = 255, Jumbo F
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 113, IPv6 intf id = 11
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 Sent an XID frame
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Received Idle-Timeout from AP 00:08:30:4a:d6:50, slot 0 for STA 00:24:d6:23:d0:58
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 4, reasonCode 4
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 30) in 1 seconds
    *osapiBsnTimer: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Disassociated
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sent Deauthenticate to mobile on BSSID 00:08:30:4a:d6:50 slot 0(caller apf_ms.c:5094)
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sending Accounting request (2) for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsAssoStateDec
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Disassociated to Idle
    *apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:08:30:4a:d6:50]
    *apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 Deleting mobile on AP 00:08:30:4a:d6:50(0)
    *pemReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 Removed NPU entry.
    *aaaQueueReader: Sep 22 12:31:04.526: Unable to find requested user entry for 2ca835cf2014
    *aaaQueueReader: Sep 22 12:31:04.526: ReProcessAuthentication previous proto 8, next proto 40000001
    *aaaQueueReader: Sep 22 12:31:04.526: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *radiusTransportThread: Sep 22 12:31:05.530: 00000000: 03 00 00 14 cd cd cd 40  48 d9 c9 26 10 81 e3 5b  .......@H..&...[
    *radiusTransportThread: Sep 22 12:31:05.530: 00000010: b0 35 95 73                                       .5.s
    *radiusTransportThread: Sep 22 12:31:05.530: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Sep 22 12:31:05.530: ****Enter processRadiusResponse: response code=3
    Thanks,
    Seb.
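
A way to condense a `debug client` capture like the one above into the few facts that matter for this symptom, as an added example that is not part of the original post. The sample lines are constructed in the same format with placeholder addresses, and only message patterns visible in the post are matched.

```python
import re

# Constructed sample in the format of the WLC "debug client" output above
# (placeholder client MAC, AP MAC and RADIUS server address).
SAMPLE = """\
*aaaQueueReader: Sep 22 12:26:26.258: Unable to find requested user entry for 020000000001
*apfMsConnTask_4: Sep 22 12:26:26.258: 02:00:00:00:00:01 apfProcessAssocReq (apf_80211.c:5122) Changing state for mobile 02:00:00:00:00:01 on AP 02:00:00:00:00:aa from Idle to AAA Pending
*radiusTransportThread: Sep 22 12:26:27.262: 02:00:00:00:00:01 Access-Reject received from RADIUS server 192.0.2.10 for mobile 02:00:00:00:00:01 receiveId = 0
*apfReceiveTask: Sep 22 12:26:27.263: 02:00:00:00:00:01 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Sep 22 12:26:27.263: 02:00:00:00:00:01 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*spamApTask4: Sep 22 12:26:46.641: 02:00:00:00:00:01 Received Idle-Timeout from AP 02:00:00:00:00:aa, slot 0 for STA 02:00:00:00:00:01
*apfReceiveTask: Sep 22 12:26:47.611: 02:00:00:00:00:01 Sent Deauthenticate to mobile on BSSID 02:00:00:00:00:aa slot 0(caller apf_ms.c:5094)
"""

# "*task: Mon DD HH:MM:SS.mmm: <client mac> <message>"
LINE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$",
    re.IGNORECASE,
)


def summarize(log_text, client_mac):
    """Collect RADIUS result, policy states, learned IP and removal cause for one client."""
    summary = {"radius": None, "states": [], "ip": None, "removed_by": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["mac"].lower() != client_mac.lower():
            continue  # lines without a leading client MAC, or for other clients
        msg = m["msg"]

        # Policy lines start with the client's current IP; 0.0.0.0 means none yet.
        ip = re.match(r"(\d+\.\d+\.\d+\.\d+) ", msg)
        if ip and ip[1] != "0.0.0.0":
            summary["ip"] = ip[1]

        radius = re.search(r"Access-(\w+) received from RADIUS server", msg)
        if radius:
            summary["radius"] = radius[1]

        state = re.search(r"Change state to (\w+) \(\d+\)", msg)
        if state and summary["states"][-1:] != [state[1]]:
            summary["states"].append(state[1])

        if "Received Idle-Timeout from AP" in msg:
            summary["removed_by"] = "Idle-Timeout"
    return summary


def stalled_before_address(summary):
    """True when the client was removed while still waiting in DHCP_REQD."""
    return (
        summary["removed_by"] is not None
        and summary["ip"] is None
        and summary["states"][-1:] == ["DHCP_REQD"]
    )


if __name__ == "__main__":
    result = summarize(SAMPLE, "02:00:00:00:00:01")
    print(result)
    print("stalled before getting an address:", stalled_before_address(result))
```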

  • WRT54G2 V.1 - Mac Filter List gone - Security Hole ?

    Help,
    I was trying to block some unwanted users using the MAC filter, but for an unknown reason, after I succeeded, my MAC filter list went empty. It happened several times. At first I let it happen a few times so I could be sure what was really happening there.
    My config lets wireless users access the web server by HTTP. I use WPA2 Personal with TKIP-AES. I let my SSID broadcast, and I let any users who need access to the network know/use the secret key.
    I thought it shouldn't matter since I protect my Linksys web server with a good password. But I was wrong. And when 'it' happened (just before the MAC addresses went empty and blocked users were then able to connect to my network), an unknown device got connected to the network first.
    It happened several times, as I said before, but the last one made me sure that my config, the MAC filter list, can anyhow get erased by something/someone if I keep it this way. So I decided to change the config and not let the wireless users have access to my Linksys web server.
    I changed from HTTP to HTTPS. I disabled wireless users' access to the web server. And for my own comfort I activated AP Isolation too. I use Access (internet) Restriction rather than the MAC filter because it is more comfortable for me, as I can create policies.
    Does anyone have the same experience? An expert explanation would be greatly appreciated.
    Oh yes. I haven't had any config change since I started using my new configuration. That's what I can tell. Thanks.

    To a determined hacker, MAC address filtering is a trivial security block to overcome (as you seem to have found out). You would be better, as Gandalf said, to disable SSID broadcast, and provide the SSID and WPA passphrase to anyone that you want to allow to connect to your network.

  • Have to disable Wireless MAC filter to see other computers

    I have two Windows 7 machines connected by wireless-N to my WAG160N. I frequently find that, although both computers can see the network, they can't see each other. I can temporarily solve this problem by disabling, and then re-enabling, the Wireless MAC filter. Any suggestions welcome

    Unfortunately just leaving MAC filtering off doesn't help. I have to turn it off and then on again every time. As soon as I turn it on again the other computer becomes visible. Here are my settings:
    Encapsulation: RFC 2364 PPPoA
    Multiplexing: VC
    QoS Type: UBR
    Autodetect: Disable
    Virtual Circuit: 8 VPI, 48 VCI
    DSL Modulation: Multimode
    DHCP Server: Enable
    DDNS Service: Disable
    MAC Address Clone: Disable
    NAT: Enable
    RIP: Disable
    Wireless Configuration: Manual
    Network Mode: Mixed
    Radio Band: Standard - 20 MHz Channel
    Wide Channel: 4
    Standard Channel 11-2.462 GHz
    SSID Broadcast: Enable
    Security Mode: WPA2-Personal
    Encryption: TKIP or AES
    Pre-Shared key: <something long>
    Key renewal: 3600 seconds
    AP isolation: Disable
    SPI Firewall Protection: Enable
    Filters: nothing checked
    Block WAN Requests: Block Anonymous Internet Requests
    UPnP: Enable
    Management via WLAN: Enable
    IGMP Proxy: Disable
    Firmware Version: V1.00.15

  • WEP + Radius Mac filter

    I am setting up a Cisco WLC on ver 4.0.
    I set up a 40-bit static WEP key for users to use. It works until I add the MAC address filter. It can work with the local MAC filter. If I want to use Cisco ACS to authenticate MAC addresses, the controller also has this message:
    RADIUS server "IP Address":1645 failed to respond to request (ID 24) for client "MAC Address: / user 'unknown'
    Is there some problem in the WLC? I am following the configuration example to configure both the WLC and ACS.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
    thank you very much

    "RADIUS server "IP Address":1645 failed to respond to request (ID 24) for client "MAC Address" - Check there is connectivity between WLC and ACS. Also, check whether the username credentials are correctly given.

  • MAC filter for wireless security????

    I have hooked up my wireless router and had trouble with the security part.  I am now set up with the wireless security disabled but the MAC filter enabled and my wireless computer's MAC number entered, and all is working.  Will the MAC filter work as security for my wireless network?  Thanks, tdm

    MAC address filtering is considered a very low level of security.  It will keep honest people from accidentally logging into your network, but that is about it.  MAC addresses are transmitted wirelessly when you use your router.  Anyone can monitor your transmissions, so it is easy to learn a working MAC address.  They can then fake the MAC address and log in to your network whenever you are not connected.
    Also, when your transmissions are not encrypted, anyone within range can monitor your wireless transmissions, even without logging into your network.  With a good antenna, your transmissions can probably be picked up for at least half a mile from your home.  So someone could monitor the web sites you visit, your email, etc., and in some cases, your passwords.
    You really should setup wireless security on your network.
    Here are my tips for setting up wireless security:
    To set up wireless security, you must use a computer that is wired to the router.
    Where to find the router settings: The router's login password is usually on one of the "Administration" pages. The other settings are all found in the "Wireless" section of the router's setup pages, located at 192.168.1.1
    First, give your router a unique SSID. Don't use "linksys".
    Make sure "SSID Broadcast" is set to "enabled".
    Next, leave the router at its default settings (except for the unique SSID), and then use your pc to connect wirelessly to the router. Test your wireless Internet connection and make sure it is working correctly. You must have a properly working wireless connection before setting up wireless security.
    To implement wireless security, you need to do one step at a time, then verify that you can still connect your wireless computer to the router.
    Next, encrypt your wireless system using the highest level of encryption that all of your wireless devices will support. Common encryption methods are:
    WEP - poor (see note below)
    WPA (sometimes called PSK, or WPA with TKIP) - good
    WPA2 (sometimes called PSK2, or WPA with AES) - best
    WPA and WPA2 sometimes come in versions of "personal" and "enterprise". Most home users should use "personal". Also, if you have a choice between AES and TKIP, and your wireless equipment is capable of both, choose AES. With any encryption method, you will need to supply a key (sometimes called a "password" ).
    The wireless devices (computers, printers, etc.) that you have will need to be set up with the SSID, encryption method, and key that matches what you entered in the router.
    Retest your system and verify that your wireless Internet connection is still working correctly.
    And don't forget to give your router a new login password.
    Picking Passwords (keys): You should never use a dictionary word as a password. If you use a dictionary word as a password, even WPA2 can be cracked in a few minutes. When you pick your login password and encryption key (or password or passphrase) you should use a random combination of capital letters, small letters, and numbers, but no spaces. A login password should be 12 characters or more. WPA and WPA2 passwords should be at least 24 characters. Note: Your key, password, or passphrase must not have any spaces in it.
    Most home users should have their routers set so that "remote management" of the router is disabled. If you must have this option enabled, then your login password must be increased to a minimum of 24 random characters.
    One additional issue is that Windows XP requires a patch to run WPA2. Go to Microsoft Knowledge base, article ID=917021 and it will direct you to the patch.
    Sadly, the patch is not part of the automatic Windows XP updates, so lots of people are missing the patch.
    Note:
    WEP is no longer recommended. The FBI has demonstrated that WEP can be cracked in just a few minutes using software tools that are readily available over the Internet. Even a long random character password will not protect you with WEP. You should be using WPA or preferably WPA2 encryption.
    Message Edited by toomanydonuts on 01-16-2008 03:38 AM

  • How do I set up my Kindle to receive audio books? Is there a MAC filter? It must be disabled and I don't know how to do this

    How do I set up my Kindle to receive audio books? Is there a MAC filter? It must be disabled and I don't know how to do this.

    By default, any type of MAC filtering is disabled on the AirPort base stations ... unless, of course, you or someone else enabled it.
    If it is enabled, to disable it, you would use the AirPort Utility.
    AirPort Utility > Select the AirPort > Manual Setup > AirPort > Access Control tab > MAC Address Access Control: Not Enabled

  • Problem with connection to wrt54g2 via wireless connection with WPA/WPA2 & wireless MAC filter

    Hello,
    I'm Alexey from Novosibirsk, Russia.
    I have a problem with connecting to the wrt54g2 from my DELL D630 notebook via a wireless connection. When I set up WPA/WPA2 in wireless security and the wireless MAC filter, I can't connect from the notebook to the WRT - in Windows I see that a dynamic IP address from the WRT is not assigned. When I switch the security mode to disabled, it is always OK, but I need wireless security between the DELL and the WRT.
    Connection via the cable Ethernet port is OK.
    Can you help me?

    Have you tried a different laptop...?
    Download the firmware (1.71 MB) for WRT54G2 v1 and reflash the router's firmware. After reflashing/upgrading the router's firmware, reset the router for 30 seconds and reconfigure the router from scratch.

  • Wireless MAC filter can not be active to connect to WIFI?

    I use a Linksys router with WEP security and a Wireless MAC filter. When I turned off WEP I was unable to connect to the router with my iPhone 3G, but when I enabled WEP and turned off the MAC filter I connected right away.
    Has anybody else seen this or has anyone successfully connected to a router with a MAC filter?
    Thanks

    I have no problems connecting to a router with MAC filtering enabled... I would just double check that you entered the correct MAC address into your router (Settings>General>About>Wi-Fi Address) and make sure the permissions are set correctly for that MAC address (if applicable)...
