MAC-Address Filtering vs. Access-Lists

We are using two WLC 4400 Series Controllers for our Guest WLAN. They are installed the way Cisco recommends: one in our LAN and one in the DMZ.
I am looking for a possibility to deny company users access to this WLAN with their notebooks. The WLAN has direct internet access and we don't want our notebooks to be compromised...
With MAC address filtering I can only permit access to a specific WLAN, or is there a way to negotiate such a filter to use it for a denial?
Is there a possibility to use access lists to deny specific MAC addresses access to a specific WLAN?
Does anyone have another good idea how to solve this issue?

Well... a MAC address filter would work, but if you have a lot to input, it can be a headache. ACLs I don't think will work, because users will get an IP from the guest network and then how can you know who has what address? Create a username/password webauth page. The credentials can be changed each day or week depending... and give this out to guest users to access the guest network. Now internal users can't access this unless the username/password slips out. If you really want to make it tough, use GPO and push out the wireless policy and lock out the feature to add a wireless network.

Similar Messages

  • Wireless MAC Address Filtering via Radius Bypassed

    Hello,
    I have two MAC-address-based filtered WLANs configured plus one Guest SSID.
    The MAC address filtering is linked to a RADIUS server for MAC verification.
    When I enable Fast-SSID change (globally for the controller) I can switch from the guest SSID to a MAC-filtered SSID without RADIUS validation of my MAC.
    If I disable Fast-SSID change, I cannot switch between them, and RADIUS returns a reject for my MAC@.
    The problem is I have some iPhones switching between two SSIDs --> I have to leave Fast-SSID change activated; if not, the iPhones can't connect to the SSIDs ...
    ( as stated in : https://supportforums.cisco.com/docs/DOC-21729 )
    My version : 7.2.103.0
    Can anybody confirm this problem?
    Thanks,
    regards,
    Guillaume

    you're hitting this bug, update to fixed code.
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub00341

  • How to share internet by wifi using WPA encryption or MAC address filtering?

    Hello, (and sorry for my English)
    How can I share internet (from ethernet) to wifi, with a minimum of security: WPA encryption, MAC address filtering or hidden SSID?
    Thanks,
    Vicx

    If I understand your question, Internet Sharing doesn't support WPA, only WEP, which is essentially worthless.

  • RV180/RV180W - MAC address filtering and IP binding

    Hello !
    First, I'm sorry for my poor English :o)
    I'm interested in the Cisco RV180 or RV180W router.
    To increase security, I would like to set a MAC address access restriction for all peripherals that would be connected to the router (10 computers, 2 servers, 6 Synology NAS): only allowed MAC addresses should have access to the internet and network resources.
    Does the Cisco RV180 or RV180W have an IP-to-MAC binding feature and a MAC address restriction feature?
    If yes, how many peripherals/computers can be set?
    For example, only 30 MAC/IP addresses can be allowed on my actual router and it is not enough.
    Best regards
    churchillguy

    Hi churchillguy
    The RV180W Admin guide on page 94 discusses MAC address filtering.
    Well, since you cannot directly connect 30 MAC hosts to the built-in 4-port switch, why not perform the restrictions on a managed layer 2 Small Business switch such as an SG300-52?
    Apply MAC address filters to the AP side of the RV180W as needed.
    But you are much better off loading a series of MAC address entries for allowed devices on the switch, so that the restrictions will work in the LAN switch.
    Pretty easy to set up on the Small Business 300 or 500 series switches.
    Below is an example of the switch management interface where you would add MAC filters.
    regards Dave

  • MAC address list of manufacturers only for access points

    Hello,
    I'm going to look for forbidden access points at the ports of a huge network. Is there any document that can show me whether a MAC address is an access point or not?

    If you want to do rogue access point detection then you have a few options:
    1. Scan suspected ranges for port 80 servers as almost every access point has web-based configuration.
    2. Cisco has provided a list of vendor mac address who make Access Points.
    This list is found in their
    "SAFE: Wireless LAN Security in Depth - version 2"
    whitepaper
    Check the link
    "http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a008009c8b3.shtml"
    The list is at the very bottom of the whitepaper
    "Table C-7 MAC OUIs Used by Access Point Vendors"
    "Table C-7 provides a partial list of MAC OUIs used by access point vendors. This table was obtained from the aptools site at aptools.sourceforge.net."

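The OUI comparison from option 2 above, as an added example that is not part of the original reply; it also flags access ports that have learned more than one MAC, which goes beyond the reply. The OUI values, vendor names and switch table are constructed placeholders (load the real entries from Table C-7), and the function names are hypothetical.

```python
import re

# Constructed stand-ins for Table C-7 entries; replace with the real list.
AP_VENDOR_OUIS = {"00aabb": "ExampleAP Vendor A", "00ccdd": "ExampleAP Vendor B"}

# Constructed sample laid out like a switch MAC address table.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0012.3456.789a    DYNAMIC     Fa0/1
  10    00aa.bb01.0203    DYNAMIC     Fa0/7
  20    00cc.dd99.8877    DYNAMIC     Fa0/12
  20    00cc.dd99.8878    DYNAMIC     Fa0/12
  20    0012.3456.0001    DYNAMIC     Gi0/1
  20    0012.3456.0002    DYNAMIC     Gi0/1
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.I)

def oui(mac):
    """First three bytes of a dotted-hex MAC as six lowercase hex digits."""
    return mac.replace(".", "").lower()[:6]

def suspect_ports(table, ouis, uplinks=(), max_macs=1):
    """Return {port: [reasons]} for ports that look like they host an AP."""
    by_port = {}
    for line in table.splitlines():
        m = ROW_RE.match(line)
        # Uplinks and trunks legitimately carry many MACs, so skip them.
        if m and m.group(4) not in uplinks:
            by_port.setdefault(m.group(4), []).append(m.group(2).lower())
    findings = {}
    for port, macs in by_port.items():
        reasons = [f"{mac} has AP-vendor OUI ({ouis[oui(mac)]})"
                   for mac in macs if oui(mac) in ouis]
        # An AP bridges its clients, so several MACs appear behind one port.
        if len(macs) > max_macs:
            reasons.append(f"{len(macs)} MACs learned on one access port")
        if reasons:
            findings[port] = reasons
    return findings

if __name__ == "__main__":
    for port, why in suspect_ports(SAMPLE_TABLE, AP_VENDOR_OUIS, ("Gi0/1",)).items():
        print(port, "->", "; ".join(why))
```

An OUI match only narrows the search: MAC addresses can be changed, so a flagged port still needs a physical check.
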
  • Enable mac address filtering vs. Access restriction

    What is the difference between enabling MAC address filtering and access restriction on my wireless router? I am curious if one is better than the other. Do they do the same thing?

    "MAC address filtering" will permit (or deny) a computer to login to your wireless network, based on its MAC address.  For example, a person would input the MAC addresses of the three wireless computers they own, and permit only these three computers to access their wireless network.   This setting would therefore prevent computers with other MAC addresses from connecting to your wireless network.  This setting affects only wireless connections.
    "Access restriction" is primarily used to restrict or deny Internet access to a computer that is already connected to your network.  For example, you might want to permit your son's game computer to access the Internet only on Saturday and Sunday.  This setting can affect both wired and wireless connections.
    Be aware that either of these settings can be circumvented by those who are computer savvy.  For example, a MAC address can be faked.  So an intruder could gain access to your network this way, or your child could bypass the restrictions you placed on him.
    If you want to keep intruders from accessing your wireless network, rather than using MAC address filtering, you should use WPA, or preferably WPA2 encryption, and a strong password.
    Message Edited by toomanydonuts on 07-28-2007 12:36 AM

  • MAC address filters Application

    I am trying to configure AP 1200 MAC address filters to allow a list of MAC addresses, but the list is not being applied. How can I configure the restriction "deny any" on an AP 1200, so I can deny any MAC address but the ones allowed in my list?

    The below tips will be useful.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_installation_and_configuration_guide_chapter09186a008017281f.html

  • AP1231 crashes when adding Mac to access list

    I have an AIR-AP1231G-E-K9; it is running c1200-k9w7-mx.123-8.JEC2/c1200-k9w7-mx.123-8.JEC2.
    I am using a MAC access list to restrict users' access to it. However, when I add an address now it crashes the AP and it has to be rebooted.
    Is there a limit to MACs, or is this a software bug?
    Thanks

    If the AP is crashing it is a bug. I would open a TAC case to have the crash analyzed to determine if there is fixed code already available.

  • Mac-address access lists

    I have a single remote device attached to a 1700 series router. I need to ensure that if anyone disconnects the device, they can't easily plug anything else in to the router and hence wanted to use a mac-address access list.
    I have created an access list as follows:
    access-list 700 permit xxxx.xxxx.xxxx 0000.0000.0000, but there appears to be no way to add this to the Fa0 interface on the router.
    Can anyone confirm if this is possible on a router or does this only work on a switch?

    No, it's the Ethernet local LAN interface of a routed link so no bridging going on.
    Config below:
    interface FastEthernet0
     description Mufulira Post Office Post Office LAN
     ip address xxx.xxx.xxx.xxx 255.255.255.248
     ip access-group 120 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     no ip mroute-cache
     speed auto
     full-duplex
     no cdp enable
    IP access list 120 defines just a single host allowed in to a group of servers.
    I'm having to tie everything down as much as possible as it's for a remote ATM on the end of a Wireless backhaul link and our Risk people are trying to insist that we use MAC address security as well. I am already running a GRE tunnel and IPSec 3DES over the routed portion of the link.

  • Mac access-list

    Hi,
    I have a mac acl on a cisco aironet 1260;
    access-list 700 permit 000b.6baf.780c   0000.0000.0000
    access-list 700 permit 000b.6baf.6cfd   0000.0000.0000
    access-list 700 permit 000b.6baf.7225   0000.0000.0000
    access-list 700 permit 000b.6bb2.f090   0000.0000.0000
    access-list 700 permit 000b.6bb2.f088   0000.0000.0000
    access-list 700 permit 000b.6bb2.f089   0000.0000.0000
    access-list 700 permit 000b.6baf.756d   0000.0000.0000
    access-list 700 permit 000b.6baf.7872   0000.0000.0000
    access-list 700 permit 000b.6baf.6d04   0000.0000.0000
    It is working very well, but for an administrative audit I need to get the MAC addresses that the dot11 interface has rejected or that have attempted to connect to the AP. How can I log that info?
    Regards

    Hi,
    Not fully sure, but the logs of the AP should mention that at some logging level. If you direct your logs to a syslog server and try to connect with an unauthorized user, you will see what the message looks like and you can then filter on that.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"
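
One way to carry out the audit discussed above, as an added example that is not part of the original posts: it rebuilds the allow-list from the `access-list 700` entries and counts syslog lines that mention any other MAC. The log lines and their wording are constructed placeholders, not real Aironet messages, and the function names are hypothetical.

```python
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"  # Cisco dotted-hex notation
MAC_RE = re.compile(rf"\b{MAC}\b", re.I)
ACL_RE = re.compile(
    rf"^\s*access-list\s+(\d+)\s+permit\s+({MAC})\s+({MAC})\s*$", re.I)

# Three of the entries posted in the thread above.
SAMPLE_CONFIG = """\
access-list 700 permit 000b.6baf.780c   0000.0000.0000
access-list 700 permit 000b.6baf.6cfd   0000.0000.0000
access-list 700 permit 000b.6bb2.f090   0000.0000.0000
"""

# Constructed log lines; capture the real message text from your own AP.
SAMPLE_LOG = [
    "Mar  1 10:02:11 ap1260 dot11: station 000b.6baf.780c associated",
    "Mar  1 10:05:40 ap1260 dot11: station 0011.2233.4455 rejected",
    "Mar  1 10:05:52 ap1260 dot11: station 0011.2233.4455 rejected",
    "Mar  1 10:09:03 ap1260 dot11: station 000B.6BB2.F090 associated",
]

def permitted_macs(config, acl=700):
    """MACs allowed by exact-match 'permit' entries of the given ACL."""
    allowed = set()
    for line in config.splitlines():
        m = ACL_RE.match(line)
        # Mask 0000.0000.0000 means every bit must match (a single host).
        if m and int(m.group(1)) == acl and m.group(3) == "0000.0000.0000":
            allowed.add(m.group(2).lower())
    return allowed

def unlisted_attempts(syslog_lines, allowed):
    """Count log lines per MAC that is not on the allow-list."""
    hits = {}
    for line in syslog_lines:
        for mac in MAC_RE.findall(line):
            mac = mac.lower()
            if mac not in allowed:
                hits[mac] = hits.get(mac, 0) + 1
    return hits

if __name__ == "__main__":
    allowed = permitted_macs(SAMPLE_CONFIG)
    for mac, count in sorted(unlisted_attempts(SAMPLE_LOG, allowed).items()):
        print(f"{mac} not in ACL 700, seen {count} times")
```

Add the AP's own radio MACs to the allow-list if they appear in its log lines, otherwise they are reported too.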

  • After Time Capsule 7.6 firmware upgrade I can't set up Access Control / Timed Access using MAC addresses.

    After the Time Capsule 7.6 firmware upgrade I can't set up Access Control / Timed Access using MAC addresses.
    I have a Time Capsule and an Airport Express, and when I change access control parameters on either one of those
    two devices through Airport Utility it's duplicating the same setup on the other device!
    What a mess!
    I had to choose "Not Enabled" in the Access Control setup window.
    Has anyone experienced same problem ?
    Jean.

    I downgraded the firmware to 7.5.2 ...
    and the Access Control setting from Airport Utility is back to normal behaviour.
    Jean.

  • Extended 48-bit MAC address access list

    How can I apply extended 48-bit MAC address access list on Cisco 7606?

    You can use the following example for the MAC address based access list:
    mac access-list extended CAPTURE 10
     permit any any
    vlan access-map IDS 10
     match mac address CAPTURE
     action forward capture
    vlan filter IDS vlan-list 115,119
    interface FastEthernet 3/48
     switchport
     switchport capture

  • MAC access-list on switching platforms

    Please advise if I am in the wrong group, and I'll move the post.
    I would like to implement security measures on some 3750 switches. I am looking at the configuration example of blocking ARP packets based on MAC access-lists, and wonder about the exact functionality. Does this mean that an unauthorized device will not be able to send out *any* packets? I don't want to go into too much detail about my concern. I would certainly appreciate your advice.
    Here is the link I am looking at:
    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    MAC-based ACLs can be configured on the router. You will need to use an access-list which ranges from 700-799.
    A sample statement would be access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware DESTINATION address>. Apply it to a VLAN interface after making the VLAN interface a layer 2 interface.

  • How many MAC-Address entries can an access-list (AIR1200) handle

    Hi all,
    I have a couple of AP1231G access points with a MAC filter configured.
    Now I'm curious if the access-list has a maximal MAC address limitation.
    At the moment there are about 130 MAC addresses and a couple of clients sometimes have trouble getting connected.
    Any hints?
    Thanks,
    Norbert

    I was referring to the autonomous AP database size.
    The default size of the database for the controller is different depending on version.

  • WS-C3524-XL-EN , mac access-list , ssh ..

    Does this switch, CATALYST 3500 24 PORT 10/100 SWITCH WITH 2 GBIC SLOTS, ENTERPRISE EDITION, with the latest IOS running on it, support SSH and MAC access-lists to secure the port by MAC?
    Thanks

    There is IOS software for the 3550 that supports SSH. You have to have a CCO login with privileges. There is a "strong cryptographic (3DES)" location on CCO for that software. Go to downloads for 3550 and look for the link.
