Disabling wireless clients by username

We currently have Prime Infrastructure 1.3 and we are having problems with one user. I would like to block her by username instead of MAC, but I haven't found a place to do this. Is there any way to do this? We don't have ISE or anything else that would help with this yet. Thank you for your help.

Ok, they are PED (personal devices). We'll have to be creative.
Firstly, there's a setting in MS AD that will allow only a limited number of instances to authenticate, meaning a setting for an individual account where you can only log in to ONE device. So you enable this for this user alone.
Next, disable the wireless (temporarily). Get the teacher to log in (wired network) and once she's logged in to the wired network, you enable the wireless again.
The students using the wrong login credentials will not be able to log in, so they'll be forced to use their own (I hope).

Similar Messages

  • Wireless Clients CWA username

    We have clients associating to a WLAN using CWA with ISE on a 5508 wlc on 7.4.121. I have noticed that under the monitor clients menu, I see clients that are authenticated, but the username field for the client is not displaying for some of these clients. It just lists the MAC. Some show the username for the client, but others do not. Any ideas?

    These devices are all apple i-devices.  Under the client detail, CCX version says not supported.  However, there are i-devices showing the username that also says not supported for CCX version.

  • 1131AG: Wireless clients randomly unreachable

    Hi,
    I have a weird issue with my 1131AG-E-K9. I set up a lab at home to get back into the topic after a few years break. My 1131AG is connected to one of the PoE ports of an ASA5505. Clients are 2 Soundbridge internet radios, my Android phone and my laptop. The wireless clients get their IP via DHCP from a central server in the wired LAN.
    Now the problem:
    The wireless clients become randomly unreachable. The DHCP leases are valid 1 hour and once a day, usually in the afternoon, the radios don't get a new IP anymore. When I monitor the LAN, I see the DHCPREQUEST, DHCPDISCOVER and DHCPOFFER packets but they don't seem to arrive in the WLAN. When I manually deassociate one arbitrary client or a completely different client, say, my laptop joins the network and gets an IP via DHCP, suddenly all clients receive the DHCPOFFER and go back active.
    So it looks like the access point would somehow start throwing away packets from the server to the radios after some time.
    I'm pretty much clueless and have googled for hours to find a solution...
    The server and the radios are talking constantly to each other, however, mostly through broadcasts (Bonjour and DLNA).
    I do not have the problem when I use a cheap crap consumer AP instead of the 1131AG, so I would at first glance exclude the ASA as source of the problems. The network is also flat, i.e. the WLAN is the same subnet as the LAN and there's no routing, no fw rules and no different VLANs involved.
    Ideas, anyone?
    -S

    Hi Sebastian, thank you for your reply! The access point is an autonomous access point AIR-AP1131-AG-E-K9, so there is no WLC involved.
    This is the config:
    ! Last configuration change at 15:16:16 UTC Mon Nov 24 2014 by sgofferj
    ! NVRAM config last updated at 15:16:21 UTC Mon Nov 24 2014 by sgofferj
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname echo
    no logging buffered
    no logging rate-limit
    no logging console
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
     server [RFC1918] auth-port 1812 acct-port 1813
    aaa group server radius rad_admin
     server [RFC1918] auth-port 1812 acct-port 1813
     cache expiry 1
     cache authorization profile admin_cache
     cache authentication profile admin_cache
    aaa group server tacacs+ tac_admin
     cache expiry 1
     cache authorization profile admin_cache
     cache authentication profile admin_cache
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting exec default start-stop group rad_acct
    aaa accounting network acct_methods start-stop group rad_acct
    aaa cache profile admin_cache
     all
    aaa session-id common
    no ip igmp snooping
    dot11 syslog
    dot11 vlan-name LAN vlan 1
    dot11 ssid Stefan_Gofferje
       vlan 1
       authentication open
       authentication key-management wpa version 2
       guest-mode
       mbssid guest-mode
       wpa-psk ascii 7 [CODE]
       no ids mfp client
    power inline negotiation injector 001d.450b.fb08
    crypto pki trustpoint TP-self-signed-2716624410
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2716624410
     revocation-check none
     rsakeypair TP-self-signed-2716624410
    crypto pki certificate chain TP-self-signed-2716624410
     certificate self-signed 01
      quit
    username sgofferj privilege 15 password 7 [CODE]
    bridge irb
    interface Dot11Radio0
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 1 mode ciphers aes-ccm
     broadcast-key change 10
     ssid Stefan_Gofferje
     no short-slot-time
     speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
     channel 2437
     station-role root
     no dot11 extension aironet
    interface Dot11Radio0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface Dot11Radio1
     no ip address
     no ip route-cache
     encryption mode ciphers aes-ccm
     encryption vlan 1 mode ciphers aes-ccm
     broadcast-key change 10
     ssid Stefan_Gofferje
     no dfs band block
     speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
     channel dfs
     station-role root
     no dot11 extension aironet
    interface Dot11Radio1.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
     bridge-group 1 spanning-disabled
    interface FastEthernet0
     no ip address
     no ip route-cache
     duplex auto
     speed auto
    interface FastEthernet0.1
     encapsulation dot1Q 1 native
     no ip route-cache
     bridge-group 1
     no bridge-group 1 source-learning
     bridge-group 1 spanning-disabled
    interface BVI1
     ip address dhcp client-id FastEthernet0
     no ip route-cache
    no ip http server
    ip http authentication aaa
    ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    logging trap debugging
    logging [RFC1918]
    access-list 111 permit tcp any any neq telnet
    snmp-server view dot11view ieee802dot11 included
    snmp-server community public RO
    tacacs-server host [RFC1918] key 7 [CODE]
    radius-server attribute 32 include-in-access-req format %h
    radius-server host [RFC1918] auth-port 1812 acct-port 1813 key 7 [CODE]
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
     access-class 111 in
    line vty 0 4
     access-class 111 in
    sntp server [RFC1918]
    sntp broadcast client
    end

  • Wireless Clients cannot communicate to each other.

    I have a 871W router that I am having trouble getting wireless clients to communicate.
    I can ping and use applications from any wired client to any wireless device. However, I am unable to ping or use any other protocol from one wireless device to another.
    I have confirmed that there are no firewalls on the endpoints blocking communication.
    I have removed ACLs on the BVI1 interface but that had no effect.
    Any assistance would be greatly appreciated.
    Current configuration : 7670 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname cc-fw-router
    boot-start-marker
    boot-end-marker
    logging buffered 51200 debugging
    enable secret 5 $1$crkU$2cWtWnMRjMvfo4ADb4pfi0
    aaa new-model
    aaa authentication login default local none
    aaa session-id common
    resource policy
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.20.1
    ip dhcp pool sdm-pool1
       import all
       network 10.10.20.0 255.255.255.0
       default-router 10.10.20.1
       dns-server 192.168.2.244 8.8.8.8
    ip dhcp pool xbox
       host 10.10.20.20 255.255.255.0
       hardware-address 0100.1dd8.5b52.73 ieee802
       dns-server 192.168.2.251 4.2.2.2
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server 4.2.2.2
    ip ssh time-out 60
    ip ssh authentication-retries 2
    crypto pki trustpoint TP-self-signed-1816499983
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1816499983
    revocation-check none
    rsakeypair TP-self-signed-1816499983
    crypto pki certificate chain TP-self-signed-1816499983
    certificate self-signed 01
      quit
    username user privilege 15 secret 5 $1$wVlg$THSMUBnF3f3A3o2Oh18xS/
    username ccadmin password 7 09774C051612111B180439
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key 01234567890123456789 address 96.252.99.66 no-xauth
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel
    set peer OFFICEVPN IP
    set transform-set ESP-3DES-SHA1
    match address 103
    bridge irb
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description $FW_OUTSIDE$$ES_WAN$
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    pppoe enable group global
    pppoe-client dial-pool-number 1
    interface Dot11Radio0
    no ip address
    encryption mode ciphers tkip
    ssid my_home
        authentication open
        authentication key-management wpa
        guest-mode
        wpa-psk ascii 7 133E1413181F0138273D15
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
    station-role root
    no dot11 extension aironet
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
    no ip address
    ip virtual-reassembly
    bridge-group 1
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1452
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip route-cache flow
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname verizonfios
    ppp chap password 7 01050316521109012745411A
    ppp pap sent-username verizonfios password 7 120F00051B11030A2C222B3B
    crypto map SDM_CMAP_1
    interface BVI1
    description $ES_LAN$$FW_INSIDE$
    ip address 10.10.20.1 255.255.255.0
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1200
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
    ip nat inside source static udp 10.10.20.20 88 interface Dialer0 88
    ip nat inside source static tcp 10.10.20.20 3074 interface Dialer0 3074
    ip nat inside source static udp 10.10.20.20 3074 interface Dialer0 3074
    logging 10.10.20.27
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 1 permit 10.10.20.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny   ip host 255.255.255.255 any
    access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 103 remark SDM_ACL Category=4
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.10.20.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 103 permit ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 110 deny   ip 10.10.20.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 110 deny   ip 10.10.20.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 permit ip 10.10.20.0 0.0.0.255 any
    access-list 120 remark Xbox
    access-list 120 permit tcp any eq 88 host 10.10.20.20 eq 88
    access-list 120 permit tcp any eq 3074 host 10.10.20.20 eq 3074
    access-list 120 permit udp any eq 3074 host 10.10.20.20 eq 3074
    dialer-list 1 protocol ip permit
    snmp-server community public RO
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 110
    control-plane
    bridge 1 protocol ieee
    bridge 1 route ip
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    See the option "client Isolation" in the AP.
    Posted by WebUser Anshul Rohilla

  • Bridge does not work for wireless clients - connecting to existing network.

    Hi - I really hope somebody can help out here; after hours of trial & error, I have finally given up.
    I need to connect my Airport Extreme Base Station to my existing network. I have a linksys router (192.168.15.1) connected to my modem and this linksys router acts as DHCP server too.
    I suppose I have to use "bridge mode" for that to work. But should the linksys be connected to the AEBS using the AEBS's WAN or LAN port?
    If I use "bridge mode", then wired computers to the AEBS works fine - getting an IP from the linksys etc. BUT, the wireless clients will have a self-assigned IP and not get through to the internet. It's like the AEBS will not allow wireless clients to "get through" unless AEBS itself is handing out IP addresses.
    Page 36 of this manual ( http://manuals.info.apple.com/en/DesigningAirPort_Networks10.5-Windows.pdf ) shows the setup I want. But in the picture, it says "Ethernet WAN port" but the text says: "The Apple wireless device (in this example, a Time Capsule) uses your Ethernet network to communicate with the Internet through the Ethernet LAN port ( <--> )." I don't know which one to use, WAN or LAN - they show WAN but say LAN?
    When I set it up as "share an IP address", the AEBS status tells me "double nat" and to change from "shared IP" to "bridge mode". I do that, and everything seems fine - for the wired clients. Now the wireless clients cannot connect, Airport on the MacBook Pro just says "Connection failed" and the MacBook says "Invalid password" (translated from Danish), even though I set the Airport Utility to save the password in keyring, so it should be correct... If I disable wireless encryption, the wireless clients will connect but get a self-assigned IP, and therefore not work (cannot get online)...
    It seems the only way I can get wireless to work, is if I set AEBS up as DHCP, but then it won't be on the "same network" as the linksys (192.168.15.1), but rather on 10.0.x.x as I select. If I select 192.168.x.x within AEBS, I'm also getting some error messages, conflict/subnet thing.
    Anyway - I really hope somebody knows how to get wireless clients to get an IP address from existing ethernet when connected to the AEBS.
    Thanks!!

    I've given up and had to go back to running "Double NAT" which also reports as a "problem" within the AEBS, but I just "ignore" it so the light will always be green.
    It still ***** though, as "Double NAT" is also a reason for "Back to my Mac" not working properly, but how the ** am I supposed to avoid Double NAT when the wireless will not work in bridged mode?!

  • What are the steps to configure Certificate based authentication for Wireless clients with ACS 5.3?

    I need to authenticate my clients connecting via wireless.
    The clients have user certificates installed on them; I need help configuring the ACS to do the authentication.
    Can someone please help me with the steps?
    Thanks

    Two primary steps:
    - Define the trust certificates needed to verify the clients' user certificates:
    Users and Identity Stores > Certificate Authorities
    - Change the result of the identity policy to select a certificate authorization profile. If you have the default config:
    Access Policies > Access Services > Default Network Access > Identity
    By default you can select "CN Username" as a result.

  • How to set up Wireless Clients MAC+Active Directory based access

    Dear Gents,
    I want to set up wireless clients MAC + Active Directory based access on the AP 1242 standalone wireless series.
    Steps I have configured:
    1) SSID Manager, under Open Authentication: selected with EAP.
    2) Under advanced RADIUS:
    MAC Address Authentication
    MAC Addresses Authenticated by:
    Authentication Server Only
    3) Server Manager: current server list
    added the RADIUS IP address 10.1.200.x
    EAP Authentication
    MAC Authentication
    Accounting
    Priority 1: < NONE >, 10.113.253.10, 10.1.200.234, 10.8.200.15, 10.15.200.15
    Priority 2: < NONE >, 10.113.253.10, 10.1.200.234, 10.8.200.15, 10.15.200.15
    Priority 3: < NONE >, 10.113.253.10, 10.1.200.234, 10.8.200.15, 10.15.200.15
    From ACS - RADIUS we have chosen a Group x (named as Mac-address group).
    All the wireless client (laptop) MAC addresses are added with the add username option, entering the username as the MAC address and the MAC address as the password in the second option of the password tab.

    Hi Akber,
    I think you didn't understand what I was trying to say here :-( No problem, I will explain my theory again. Your requirement is to authenticate the user from the ACS internal database (you have already added the MAC address as the username in your ACS internal database) as well as from the ACS external database (in your case this is AD).
    What I was saying is that when an authentication request comes to the RADIUS server, it checks its internal database, and if it finds a valid username and password (here it will be the MAC address and password which you have entered into the ACS database), the ACS will not query the external database (in your case the AD) for authentication.
    You cannot have ACS look in both the MAC and AD databases at the same time.
    Hope this clears your doubt.
    Regards
    Najaf

  • WLC 5760 - MAC Filtering wireless clients

    Hi,
    Has anyone ever deployed mac-filtering authentication for wireless clients on the WLC 5760?
    I've configured a WLAN for Mac-filtering authentication only (named it as "macauth"):
    wlan RNVDOS 4 RNVDOS
    aaa-override
    no broadcast-ssid
    client vlan RNVDOS
    mac-filtering macauth
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    session-timeout 1800
    no shutdown
    Then, below Configuration->Security->MAC Filtering I've added several MAC addresses i.e. :
    MAC Address: 88532e9ef70a  Attribute List: macauth
    Which turned out to be displayed in the CLI as:
    username 88532e9ef70a mac aaa attribute list macauth
    The problem is that whenever I try to associate the wireless client 88532e9ef70a, the client passes to the exclusion list:
    Sep 16 10:54:55.603: 8853.2E9E.F70A Adding mobile on LWAPP AP  0C68.03EA.4070 (1)  1 wcm: E9E.F70A (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A  Creating WL station entry for client -  rc 0 1 wcm:
    Sep 16 10:54:55.603: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: (.t^GwtSessionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: ssionID: 0afe01fbtQ^GwH^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw00dd) was added to ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.603: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm:  ^G$h\225v^K
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:55.603: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:55.603: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:55.603: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:55.603: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Idle to AAA Pending
    Sep 16 10:54:55.603: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.604: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.604: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Idle to AAA Pending
    Sep 16 10:54:55.604: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:55.604: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:55.813: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:55.813: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:55.813: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.813: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:55.813: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:55.813: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:55.813: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:55.813: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:55.813: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.814: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:55.814: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:55.814: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:55.814: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:56.520: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:56.520: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:56.520: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.520: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:56.520: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:56.520: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:56.520: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:56.520: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.520: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.521: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.521: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.521: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.521: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:56.729: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n 10 seconds
    Sep 16 10:54:56.729: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:56.729: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.729: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: from AAA Pending to Authenticated
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:56.729: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:56.729: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:56.729: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:56.729: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.729: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.730: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.730: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.730: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.730: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:56.937: 8853.2E9E.F70A apChanged 0 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.937: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:56.937: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:56.937: 8853.2E9E.F70A STA - rates (8): 1 wcm:  140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    Sep 16 10:54:56.937: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: - vapId 4, site 'renova', interface 'RNVDOS'
    Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:56.937: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 1 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
    Sep 16 10:54:56.937: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 18) in 10 seconds
    Sep 16 10:54:57.143: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm: n.t^Gwseconds
    Sep 16 10:54:57.143: 8853.2E9E.F70A qos upstream policy is unknown and downstream policy is unknown 1 wcm: onds
    Sep 16 10:54:57.143: 8853.2E9E.F70A apChanged 1 wlanChanged 0 mscb ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0 1 wcm: H^Cnz^Gw  0C68.03EA.4070  f^G$h\225v^K
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN policy on MSCB. 1 wcm:  ipAddr 0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying WLAN ACL policies to client 1 wcm:  0.0.0.0, apf RadiusOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:57.143: 8853.2E9E.F70A No Interface ACL used for Wireless client in WCM(NGWC) 1 wcm: usOverride 0x0, numIPv6Addr=0
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific IPv6 override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: f^G$h\225v^K
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying local bridging Interface Policy for station  8853.2E9E.F70A  - vlan 4, interface 'RNVDOS' 1 wcm: ce 'RNVDOS'
    Sep 16 10:54:57.143: 8853.2E9E.F70A Applying site-specific override for station  8853.2E9E.F70A  - vapId 4, site 'renova', interface 'RNVDOS' 1 wcm: DOS'
    Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (8): 1 wcm:  130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    Sep 16 10:54:57.143: 8853.2E9E.F70A STA - rates (12): 1 wcm:  130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    Sep 16 10:54:57.144:  8853.2E9E.F70A  0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm:  site 'renova', interface 'RNVDOS'
    Sep 16 10:54:57.144: 8853.2E9E.F70A Updated location for station old AP  0C68.03EA.4070 -1, new AP  0C68.03EA.4070 -0 1 wcm: va', interface 'RNVDOS'
    Sep 16 10:54:57.144: 8853.2E9E.F70A new capwap_wtp_iif_id a45d40000000a5, sm capwap_wtp_iif_id 0 1 wcm: P  0C68.03EA.4070 -0
    Sep 16 10:54:57.144: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:57.144: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:57.144: 8853.2E9E.F70A
    client incoming attribute size are 0 1 wcm:   (callerId: 20) in 10 seconds
    Sep 16 10:54:57.145: 8853.2E9E.F70A Sending Assoc Response to station on BSSID  0C68.03EA.4070  (status 256) ApVapId 2 Slot 0 1 wcm: 68.03EA.4070  from Authenticated to AAA Pending
    Sep 16 10:54:57.145: 8853.2E9E.F70A apfBlacklistMobileStationEntry2 (apf_ms.c: 1 wcm: 6129) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Exclusion-list (1)
    Sep 16 10:54:57.145: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 44) in 10 seconds
    Sep 16 10:54:57.145: 8853.2E9E.F70A client is added to the exclusion list, reason 1 1 wcm: d: 44) in 10 seconds
    Sep 16 10:54:57.145: *apfReceiveTask: 1 wcm:  %APF-4-ADD_TO_BLACKLIST_REASON: Client 8853.2E9E.F70A (AuditSessionID: 0afe01fb5236e37f000000de) was added to exclusion list. Reason: 802.11 association failure 
    Sep 16 10:54:57.836: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:54:58.533: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:54:59.231: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:54:59.922: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm: fbtQ^GwH^Cnz^Gw00de) was added to ^G$h\225v^K
    Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireCallback (apf_ms.c: 1 wcm: 664) Expiring Mobile!
    Sep 16 10:55:06.972: 8853.2E9E.F70A Scheduling deletion of Mobile Station: 1 wcm:   (callerId: 46) in 60 seconds
    Sep 16 10:55:06.972: 8853.2E9E.F70A apfMsExpireMobileStation (apf_ms.c: 1 wcm: 7067) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
    Sep 16 10:55:06.972:  8853.2E9E.F70A  0.0.0.0 START (0) Deleted mobile LWAPP rule on AP [ 0C68.03EA.4070 ] 1 wcm: 3.2E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
    Sep 16 10:55:06.972:  8853.2E9E.F70A  0.0.0.0 START (0) FastSSID for the client [ 0C68.03EA.4070 ] NOTENABLED 1 wcm: E9E.F70A  on AP  0C68.03EA.4070  from Exclusion-list (1) to Exclusion-list (2)
    Sep 16 10:55:06.972: 8853.2E9E.F70A Incrementing the Reassociation Count 1 for client (of interface RNVDOS) 1 wcm: D
    Sep 16 10:55:06.972: 8853.2E9E.F70A Clearing Dhcp state for station  ---  1 wcm:  for client (of interface RNVDOS)
    WLC1#
    WLC1#
    Kind Regards,
    Vasco

    Hi Patrick,
    Thank you for sharing your solution. It didn't entirely solve the problem, but you pointed me in the right direction!
    They are caused, because the system searches for an aaa authorization list, which is not configured.
    To resolve this configure the following
    aaa authorization network mac-filter local
    where mac-filter is the name you defined in the SSID.
    I've used your suggestion to create an aaa local authorization list, but instead of naming it with the SSID, I've used the name of the attribute list (macauth) and it solved the problem:
    aaa authorization network macauth local
    username 88532e9ef70a mac aaa attribute list macauth
    wlan RNVDOS 4 RNVDOS
    client vlan RNVDOS
    mac-filtering macauth
    WLC1#sh wireless client summ
    Number of Local Clients : 1
    MAC Address    AP Name                          WLAN State              Protocol
    8853.2e9e.f70a APf872.ead7.31da                 4    UP                 11n(5)  
    Cheers,
    Vasco
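
The debug output in this thread can be reduced to a per-client timeline with a short script. This is an added example, not part of the original posts; the function names `summarize` and `diagnose` are hypothetical, and the sample lines are copied from the log above with the trailing garbage after "1 wcm:" trimmed.

```python
import re
from collections import defaultdict

# Lines copied from the debug output quoted in this thread, with the garbage
# the controller printed after "1 wcm:" trimmed off.
SAMPLE_LOG = """\
Sep 16 10:54:56.937: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm:
Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
Sep 16 10:54:56.937: 8853.2E9E.F70A apfProcessRadiusAssocResp (apf_80211.c: 1 wcm: 2149) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Authenticated
Sep 16 10:54:57.143: 8853.2E9E.F70A Association received from mobile on AP  0C68.03EA.4070  1 wcm:
Sep 16 10:54:57.144: 8853.2E9E.F70A apfProcessAssocReq (apf_80211.c: 1 wcm: 5137) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from Authenticated to AAA Pending
Sep 16 10:54:57.145: 8853.2E9E.F70A apfBlacklistMobileStationEntry2 (apf_ms.c: 1 wcm: 6129) Changing state for mobile  8853.2E9E.F70A  on AP  0C68.03EA.4070  from AAA Pending to Exclusion-list (1)
Sep 16 10:54:57.145: *apfReceiveTask: 1 wcm:  %APF-4-ADD_TO_BLACKLIST_REASON: Client 8853.2E9E.F70A (AuditSessionID: 0afe01fb5236e37f000000de) was added to exclusion list. Reason: 802.11 association failure
Sep 16 10:54:57.836: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm:
Sep 16 10:54:58.533: 8853.2E9E.F70A Ignoring assoc request due to mobile in exclusion list or marked for deletion  1 wcm:
"""

MAC = r"[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"
STAMP = r"^\s*(\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+):\s+"

ASSOC_RE = re.compile(STAMP + "(" + MAC + r") Association received from mobile on AP\s+")
STATE_RE = re.compile(STAMP + "(" + MAC + r") \w+ \(.*?\) Changing state for mobile\s+\S+"
                      r"\s+on AP\s+\S+\s+from (.+?) to (.+?)\s*$")
EXCLUDED_RE = re.compile(STAMP + r".*%APF-4-ADD_TO_BLACKLIST_REASON: Client (" + MAC +
                         r") .*Reason: (.+?)\s*$")
IGNORED_RE = re.compile(STAMP + "(" + MAC +
                        r") Ignoring assoc request due to mobile in exclusion list")


def summarize(log_text):
    """Return per-client counters and state transitions from WLC client debug text."""
    clients = defaultdict(lambda: {"assoc_requests": 0, "transitions": [],
                                   "excluded_at": None, "exclusion_reason": None,
                                   "ignored_while_excluded": 0})
    for line in log_text.splitlines():
        if m := ASSOC_RE.match(line):
            clients[m.group(2).lower()]["assoc_requests"] += 1
        elif m := STATE_RE.match(line):
            stamp, mac, old, new = m.groups()
            clients[mac.lower()]["transitions"].append((stamp, old, new))
        elif m := EXCLUDED_RE.match(line):
            stamp, mac, reason = m.groups()
            clients[mac.lower()].update(excluded_at=stamp, exclusion_reason=reason)
        elif m := IGNORED_RE.match(line):
            clients[m.group(2).lower()]["ignored_while_excluded"] += 1
    return dict(clients)


def diagnose(summary):
    """One finding per client that ended up on the exclusion list."""
    findings = []
    for mac, c in summary.items():
        if c["exclusion_reason"] is None:
            continue
        passes = sum(1 for _, old, new in c["transitions"]
                     if (old, new) == ("Authenticated", "AAA Pending"))
        findings.append(
            f"{mac}: excluded at {c['excluded_at']} ({c['exclusion_reason']}) after "
            f"{c['assoc_requests']} association requests and {passes} passes through "
            f"AAA Pending; {c['ignored_while_excluded']} later requests ignored. "
            "Check that the mac-filtering list named on the WLAN has a matching "
            "'aaa authorization network <list> local' line (the fix reported in this thread).")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(SAMPLE_LOG)):
        print(finding)
```

A client that cycles between Authenticated and AAA Pending several times within a second and is then excluded for "802.11 association failure" is the signature seen in this thread.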

  • Certificates to 802.1x LEAP ethernet and wireless clients

    Hello guys, I have just configured a RADIUS server, Active Directory domain controller and certificate server on one Windows 2003 PC. I have generated a self-signed digital certificate and used the certificate server to generate a root certificate from it. I have exported it as 'public key only' and saved it on the desktop of the RADIUS server.
    1) I configure the RADIUS server policy to accept connections from wireless and Ethernet connections using 'PEAP'
    2) And that the user must supply a user name and password from Active Directory before entering the network.
    3) I am planning on using 802.1x port security (config-if# dot1x port-security auto) on the switch connecting to the PC.
    4) I am planning on pointing the switch to the server and the server to the switch. I will also configure the client network cards for PEAP.
    What I don't know is how the client PC will get this certificate that is on my RADIUS server. Do they need to have a copy on their own machines for them to be able to communicate with the server? This is where I am lost.
    Thanks

    Certificates are a matter of trust - if an entity trusts the root (your CA) of a user certificate, and the certificate itself has no other problems, then it automatically trusts the certificate. If your RADIUS server and user/machine certificates all came from the same root (your self-signed CA), and you put the root certificate (public key version) in the trusted list, then you are good to go.
    If you are using the Microsoft PKI services on your server (that is also your domain controller), then I'm pretty sure that your windows computers will automatically trust your root once the windows computers have been joined to your domain.
    Also - for PEAP on Windows computers, you can completely disable the client's verification of the (RADIUS) server certificate. It's great for testing, but I recommend deploying with server certificate validation enabled.
    Lastly - if you're building a lab, you may also want to investigate user and computer certificates and EAP-TLS. Windows CA with windows clients makes it very simple to deploy. Macintoshes are a pain, no matter what kind of CA you use.

  • Initial configuration of ACS 5.1 for EAP authentication for Wireless clients

    Hi,
    I have a setup with the devices below:
    Wireless LAN controller 5508
    LAP 3302i
    and ACS 5.1
    Since I am new to ACS 5.1 configuration, I need some information to go ahead and configure ACS 5.1.
    Which EAP method should I use for wireless client authentication? What is the best practice?
    I have gone through some Cisco documents and they show that the best practice is to configure PEAP, but for that I need to install a certificate on the ACS server as well as on the client PC. Is that so?
    I have no clear picture of this certificate.
    Where can I get this certificate, or do I need to purchase it separately from Cisco? How do I install it on the ACS server?
    I would be obliged to get at least an initial configuration for ACS 5.1 to enable the EAP method.
    I need a GUI-based initial configuration for ACS 5.1.
    This mentioned ACS 5.1 is installed on ACS 1121 hardware appliance.

    Hi,
    which EAP method to use for wireless client authentication ? what is the best practice ?
    -> I would advise the most widespread EAP method, which has the best ratio of security to ease of deployment: PEAP with MSCHAPv2, which is available by default on all Windows machines.
    I have gone through some cisco documents and it shows that best practice is to configure PEAP but for the same , I need to install certificate in ACS server as well in client PC. is that so ?
    -> You will always need to install a server certificate; however, there is no need for a client certificate because the authentication is based on the MSCHAP credentials exchange, not on certificates. The only requirement on the client regarding certificates is the following:
    If you want to validate the server certificate, you have to install the server certificate under the trusted CAs of the clients.
    If you do not need to trust the server certificate, you can simply disable the option of server certificate validation.
    I have no clear picture for this certificate ?
    from where i can get this certificate or do i need to purchase this certificate separately from cisco. how to install it in ACS server ?
    -> The server certificate can be a simple self-signed certificate that you generate and install in the ACS GUI.
    Please feel free to follow this step-by-step guide on
    PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server:
    http://www.cisco.com/en/US/partner/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml or in pdf
    http://www.cisco.com/image/gif/paws/112175/acs51-peap-deployment-00.pdf.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
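
Both this thread and the certificates thread above it mention that a Windows PEAP client can be set to skip validation of the RADIUS server certificate. The following added example (not from the original posts) audits a Windows WLAN profile XML, as exported with `netsh wlan export profile`, for that setting; the profile is a constructed, trimmed-down sample, and `sample_profile` and `audit_peap_profile` are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed-down profile in the shape Windows uses for a PEAP WLAN
# profile. SSID, thumbprint and server name below are sample values.
PROFILE_TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>LabSSID</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>{no_prompt}</DisableUserPromptForServerValidation>
                <ServerNames>{server_names}</ServerNames>
                {trusted_root}
              </ServerValidation>
              <PeapExtensions>
                <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">{perform}</PerformServerValidation>
              </PeapExtensions>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def sample_profile(perform, trusted_root, server_names, no_prompt):
    """Build a constructed profile; trusted_root is a thumbprint string or ''."""
    root_el = f"<TrustedRootCA>{trusted_root}</TrustedRootCA>" if trusted_root else ""
    return PROFILE_TEMPLATE.format(perform=perform, trusted_root=root_el,
                                   server_names=server_names, no_prompt=no_prompt)


def _texts(root, name):
    """Text of every element with this local name, ignoring XML namespaces."""
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == name]


def audit_peap_profile(xml_text):
    """Return (code, message) findings for weak PEAP server validation settings."""
    root = ET.fromstring(xml_text)
    if "25" not in _texts(root, "Type"):  # EAP type 25 is PEAP
        raise ValueError("not a PEAP profile")
    findings = []
    # Only an explicit 'false' is flagged; profiles without the element are not judged here.
    if "false" in (t.lower() for t in _texts(root, "PerformServerValidation")):
        findings.append(("validation-disabled",
                         "client does not validate the RADIUS server certificate"))
    if not any(_texts(root, "TrustedRootCA")):
        findings.append(("no-trusted-root",
                         "no root CA is pinned for the RADIUS server certificate"))
    if not any(_texts(root, "ServerNames")):
        findings.append(("no-server-name",
                         "any server name under a trusted root is accepted"))
    if "true" not in (t.lower() for t in _texts(root, "DisableUserPromptForServerValidation")):
        findings.append(("user-prompt-allowed",
                         "user may be prompted to accept an unknown server or CA"))
    return findings


if __name__ == "__main__":
    lab = sample_profile("false", "", "", "false")
    for code, message in audit_peap_profile(lab):
        print(f"{code}: {message}")
```

A profile with validation off sends the MSCHAPv2 exchange to whichever server answers for the SSID, which is why the replies recommend enabling validation outside of testing.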

  • WRT610N disconnects when transferring from wireless client to wired client

    Based on reviews, I purchased a WRT610N.
    I have it set up with wireless N to work with my two laptops, and also have a desktop connected to one of the gig ports.
    Whenever I try to transfer any files (or access the desktop) from any of the wireless clients, the wireless radio part of the router seems to reboot itself every 5 to 10 seconds.
    If I go from a wireless client to another wireless client, it works fine. If I plug one of the laptops into one of the gig ports and transfer files to the desktop through the wired connection, it works fine. But as soon as either laptop tries to access the desktop through the wireless connection, the radio goes into a reboot cycle until I stop trying to access the desktop.
    The router has the latest firmware. The two laptops have an Intel 5300 and an Intel 4965AGN card, both running Windows 7; the desktop is also running Windows 7.
    I used to be able to do this with a WRT150N without any issues. I upgraded to the WRT610N for the gig port speed, but now have this issue.
    I'd appreciate any assistance.

    Ok I disabled IPV6 and now it will go about a minute of transferring files before the wireless dies.
    AP Isolation is disabled.
    Even tried from within the same room, direct line of sight from the laptop to the Router, about 5 to 7 feet away.  Computer shows wireless signal at full strength.
    I don't think it's the wireless cards in the laptops because I used the exact same setup with a WRT150N and WRT54GR  and both work fine (although slower).
    Just as a sanity check, I put the WRT150N back in last night and tested it,  it would let me transfer files all night long without disconnecting.

  • E1200 Wireless Client List will not display and causes web UI to temporarily stop responding

    I picked up an E1200 and set it up successfully.  I am using wireless MAC filtering, and decided to pull up the list of connected wireless clients (Wireless >> Wireless MAC Filter >> push "Wireless Client List" button).
    When I do so, it immediately throws this back:
    Immediately after this the Web UI of the E1200 becomes inaccessible.  It still routes traffic, and the router remains pingable, but it will not allow access to the Web UI for several minutes.  The error that appears upon attempt to access the Web UI during this time window is similar to the above, but reads "Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection."
    I have tried this in Google Chrome, Firefox 4, and MSIE on two separate computers.  Each browser displays the error a bit differently (MSIE, for example, just says it can't display the page and gives no further detail) but the net results are always the same.  I have tried resetting the device to factory defaults in addition to re-downloading the firmware from the Cisco/Linksys website and installing it.  No improvement.
    I have also noted that the Log (Administration >> Log; and yes, I have it enabled) doesn't appear to be picking up anything at all.  In fact, the Security log, which supposedly (according to the Help) "displays the login information for the Router’s browser-based utility," is also blank.
    Is this a bug, or should I head back to the retailer and swap this device?

    Ok - I nailed this down, I think, and it looks like a firmware bug.
    Short version is that a factory reset cleared the issue, but during stepwise reconfiguration the problem came back.  Through a bunch of iteration I figured out that if I have the E1200's DHCP server disabled *and* have wireless clients connected to it, the problem I described appears.
    Turn the DHCP server back on and the problem goes away.  Turn it off and the problem comes back.  Turn it back on and it goes away.  You get the idea.
    If I had to pose a theory here, it's that the initial display of the Wireless Client List, which uses "IP Address" as the default sort, somehow implodes if the E1200 isn't actually assigning those IP addresses to the clients.
    When this happens it appears to crash the Web UI wholesale.  Just for grins, while the Web UI was unresponsive, I pinged the router as before - still pingable - then ran nmap against it - no open ports found on the router.  When the Web UI is functional, though, nmap detects port 80 quite easily.  I have not timed how long it takes for the Web UI to come back up, but it is longer than 5 minutes, and I presume some sort of watchdog process has to detect that it has gone kaput and start it up again.
    Final test was to restore my saved configuration from before the factory reset (note that the saved config was done under the same firmware version, and in this config, the DHCP server is disabled).  Boom, problem.  Wait for the Web UI to come back, turn on the DHCP server.  Problem goes away.  Turn the DHCP server off.  Boom, problem comes back.
    So, there you go.
    Would be interesting if someone could verify this via a test against another E1200.  It may be worth noting that in my baseline test I was also using Manual wireless setup (vs. Wi-Fi Protected Setup), and WPA2.  Didn't make any other setting changes from the factory defaults.  I did not actually have to turn the Wireless MAC Filter on to do the test.  All one needs to do is click Enable on the Wireless MAC Filter tab, and then do *not* click Save Settings - just clicking Enable will light up the Wireless Client List button, which you can then push to get the list.  That is how I handled testing to ensure that neither specific entries, nor the Prevent/Permit setting, nor having the filter enabled in saved configuration were involved in the problem.
    Separately, no explanation for the lack of entries in the security log, but that pretty much looks like a firmware bug to me as well.

  • Who is 10.0.1.3 wireless client in my time capsule

    I use my time capsule as a router and there is this wireless client 10.0.1.3 along with all others (which are known to me), except this one.
    How can I find out who is this, or what is it?
    I have AirPort Express connected to TC too, but it shows separately in the AirPort Utility.

    OK Bob/John,
    Sorry for this long post - and thank you so much for your thoughts and time.
    It still shows that 10.0.1.3 wireless client. But now I think it could be my MacBook as the 10.0.1.3 wireless client on the TC has the same hardware address (xx:xx:xx...) as the one that shows in my System Information panel in the Network/Locations folder under the Wi-Fi Hardware (MAC) Address - see screen shots.
    Bottom line - 10.0.1.3 could be my MacBook, but is it really - I am not that tech savvy?
    If it is - where can I go and rename it so it shows my MacBook name?
    Anyway, I am going to tell you what I did if this is relevant for anything you were wondering about. Otherwise you don't have to read the statements below.
    Bob said:
    Power off the entire network....all devices....in any order that you wish when you go to bed tonight.
    In the morning, power up the modem first and let it run a minute by itself
    Power up the next device connected to the modem the same way
    Power up the next, etc.
    Keep powering up devices one at a time until the network is back up
    ------->
    I did that this morning.
    John said:
    The TC will retain the client's IP address until its DHCP lease expires, or you cycle its power.
    If you had a visitor with an iPhone or iPad or iPod Touch the TC will remember its IP address long after he's gone. Don't forget the guest network - if you enabled it, it's open.
    "Ping" that address using Terminal - if the client is no longer present you will get 100% packet loss so that was likely the source of this mystery. On the other hand if you get returns the times shown may be useful.
    -------->
    I have AU 6.1 and it shows on the TC in the Internet Tab option for "Renew DHCP Lease", but I haven't touched it yet, as I don't know what exactly to do. However, I did cycle power the modem.
    And yes, I had a visitor a while back (approx. 4 weeks ago) - he has an iPad and an iPhone too. Both were not on my Wi-Fi though. They were on my Wi-Fi before that - around 8 weeks ago. But at that time I had a different ISP. I don't know if that's important to be mentioned.
    Guest Network is disabled.
    John, I don't know how to "ping" any address in Terminal. Which address are you referring to?
    Bob is right - iPhones and iPads come and go as wireless clients depending on sleep/power off or when they are not on any Wi-Fi but on their cellular network.
    John, Yes, all screen shots are from my MacBook 13" AL, late 2008 (yes, I know it is old) running on Mac Lion v.10.7.5.

  • WRT54GC will not give wireless clients IP addresses

    Hi, I'm here on behalf of a friend. I'm working on a WRT54GC wireless router. The issue is that any wireless client wishing to connect to the router (after seeing the SSID) always fails at "Waiting for network" during the connection screen. However, wired clients are able to connect without any problems. I have updated the firmware to the latest one. No security features (WEP/WPA) are enabled. I have tried changing the channel and mode to no avail. MAC address filter is disabled. Wireless card drivers are up to date. I'd like to know what can be done to resolve this issue. Thanks in advance. -Keres

    In the non-working computer, temporarily turn off the software firewall, including Windows Firewall, and see if this helps.
    Also, give your network a unique SSID. Do not use "linksys". If you are using "linksys" you may be trying to connect to your neighbor's router. Also set "SSID Broadcast" to "enabled". This will help your computer find and lock on to your router's signal.
    If you still have trouble, in the computer, go to the wireless adapter software, and go to "Preferred Networks"  (sometimes called "Profiles" ), and delete all the networks you find.  Reboot computer.  Then return to "Preferred Networks" and re-enter your unique network SSID, and set it to "automatic login".  Reboot computer.  You should connect automatically.
    If the above does not fix your problem, download and install the latest driver for your wireless card.

  • Use TC as a wireless client and as ethernet switch hub at the same time?

    Hi!
    I have a wireless DSL-modem downstairs and my office upstairs. Since I use the TC-USB Port for my printer (to share it to my family as well) my TC is located in the office, close to the printer. Thus TC has to be configured as a wireless client and everything works fine so far,........but: When I add music (stored on TC) to my iTunes library, everything is soooo sloooow! Copying files using the route iMAC ---> DSL-modem/router ----> TC .... so sloooooow!
    Is there any way to use the ethernet ports while TC is a wireless client?
    Whenever I connect my iMac via ethernet using my current setup, it doesn't get an IP address from TC (obviously because there is no DHCP service active???). When I disable my Airport on the iMac, all connections are off-line.
    Pls. help or advise!
    Thx. Hannes

    Thanks for the response.
    Everything works fine if I use your suggested setup but I need the TC in the office, and the DSL modem downstairs. An ethernet connection is not possible this way, and the printer in the living room isn't really a nice piece of furniture
    I think, there is no possibility to use the wireless as uplink and the TC as a router/DHCP-server...
    Probably I need a server computer to handle the connection between the wireless LAN created by the DSL modem and an ethernet network managed by the TC.
    Hopefully someone has an idea/solution that fixes my problem.
    meanwhile I keep looking......

Maybe you are looking for