Mac Filter Wildcards? WLC

I'm deploying several hundred handheld scanners and I don't want to create a MAC filter for every one. However, they are all from the same manufacturer, and that manufacturer only has one MAC prefix. Is there a way to just put the MAC prefix in? I'm using 5508s running 7.0.116.0.
Help files and searches turned up nothing.
Thanks.

My problem is the opposite. I would like to ban / disable MAC addresses belonging to a given manufacturer because:
     - my wireless clients are of the same manufacturer
     - someone has been scanning repeatedly for months with hundreds of different fake MAC addresses (all of them beginning with 00:0e:8e), and they are heavily populating the excluded client table.
I suppose there is no solution for that until now.
Thanks,
Jose

Similar Messages

  • Compatibility 802.1X and mac-filter from ACS

    If the clients' identities and MAC addresses are stored in the same ACS server,
    could a WLAN on the WLC be configured for Layer 2 security with both 802.1X and MAC filtering?
    This is really a critical problem for me!
    Thanks~

    Hi,
    I am assuming you are asking: if you configure MAC x of a WLAN client in the MAC filter and the same as the user name in the 802.1X ACS database, could you configure it, and what is the effect?
    If my understanding of your question is correct, the answer is:
    No WLAN client will be allowed to associate to the network unless a match is seen in the MAC filter on the WLC.
    But once that is done, it will not be able to access network resources unless 802.1X authentication is completed by ACS against the WLAN client's user name, which is again the MAC address of the client.
    I don't see a value in doing this, except that you will block unnecessary authentication requests getting to ACS by filtering them in the first instance.
    Another scenario is if you are also using MAC filtering on ACS: it should be preceded by MAC filtering and then ACS authentication, as above, as far as sequence goes, hence the same logic applies here.
    Thanks

  • WLC Webauth on mac filter / Bypass

    Hi
    I am currently experimenting with the webauth 'On MAC Filter failure' feature.
    In most cases things work fine, meaning that: user arrives in SSID coverage, if his MAC is registered in our RADIUS he is allowed through, if not he associates to the AP and gets the usual splash screen. But in some weird cases things don't happen as expected: user arrives in SSID coverage, if his MAC is registered in our RADIUS he is allowed through, if not he cannot associate.
    I tried to run some debugs but with little success, as I don't know what I am looking for.
    As far as I can say, the problem appears with devices I used for testing (allowed through MAC filter, then removed ...) and makes me think of some kind of caching mechanism (things like fastpath come to my mind).
    Did someone implement the feature successfully?
    Thanks,
    seb.

    Hi,
    Sure (debug client 00:24:d6:23:d0:58). Problem is visible around  12:26:47.612
    *pemReceiveTask: Sep 22 12:25:38.048: 2c:a8:35:cf:20:14 Sent an XID frame
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Adding mobile on LWAPP AP 00:08:30:4a:d6:50(0)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Association received from mobile on AP 00:08:30:4a:d6:50
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific IPv6 override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying IPv6 Interface Policy for station 00:24:d6:23:d0:58 - vlan 113, interface id 11, interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 apfProcessAssocReq (apf_80211.c:5122) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Idle to AAA Pending
    *aaaQueueReader: Sep 22 12:26:26.258: Unable to find requested user entry for 0024d623d058
    *aaaQueueReader: Sep 22 12:26:26.258: ReProcessAuthentication previous proto 8, next proto 40000001
    *apfMsConnTask_4: Sep 22 12:26:26.258: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *aaaQueueReader: Sep 22 12:26:26.258: AuthenticationRequest: 0x2aeb3be8
    *aaaQueueReader: Sep 22 12:26:26.258:   Callback.....................................0x100df840
    *aaaQueueReader: Sep 22 12:26:26.258:   protocolType.................................0x40000001
    *aaaQueueReader: Sep 22 12:26:26.258:   proxyState...................................00:24:D6:23:D0:58-00:00
    *aaaQueueReader: Sep 22 12:26:26.258:   Packet contains 14 AVPs (not shown)
    *aaaQueueReader: Sep 22 12:26:26.258: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Sep 22 12:26:26.259: 00:24:d6:23:d0:58 Successful transmission of Authentication Packet (id 255) to 10.83.40.111:1812, proxy state 00:24:d6:23:d0:58-00:01
    *aaaQueueReader: Sep 22 12:26:26.259: 00000000: 01 ff 00 b0 00 00 00 00  00 00 00 00 00 00 00 00  ................
    *aaaQueueReader: Sep 22 12:26:26.259: 00000010: 00 00 00 00 01 0e 30 30  32 34 64 36 32 33 64 30  ......0024d623d0
    *aaaQueueReader: Sep 22 12:26:26.259: 00000020: 35 38 1e 21 30 30 2d 30  38 2d 33 30 2d 34 61 2d  58.!00-08-30-4a-
    *aaaQueueReader: Sep 22 12:26:26.259: 00000030: 64 36 2d 35 30 3a 55 4e  41 49 44 53 2d 54 45 53  d6-50:UNAIDS-TES
    *aaaQueueReader: Sep 22 12:26:26.259: 00000040: 54 2d 32 1f 13 30 30 2d  32 34 2d 64 36 2d 32 33  T-2..00-24-d6-23
    *aaaQueueReader: Sep 22 12:26:26.259: 00000050: 2d 64 30 2d 35 38 05 06  00 00 00 0d 04 06 0a 53  -d0-58.........S
    *aaaQueueReader: Sep 22 12:26:26.259: 00000060: 05 80 20 0d 47 45 2d 44  43 57 4c 43 2d 30 31 1a  ....GE-DCWLC-01.
    *aaaQueueReader: Sep 22 12:26:26.259: 00000070: 0c 00 00 37 63 01 06 00  00 00 03 02 12 0d e4 89  ...7c...........
    *aaaQueueReader: Sep 22 12:26:26.259: 00000080: d6 a8 35 ae 7e ee 86 d9  65 0e 78 f5 5d 06 06 00  ..5.~...e.x.]...
    *aaaQueueReader: Sep 22 12:26:26.259: 00000090: 00 00 0a 0c 06 00 00 05  14 3d 06 00 00 00 13 40  .........=.....@
    *aaaQueueReader: Sep 22 12:26:26.259: 000000a0: 06 00 00 00 0d 41 06 00  00 00 06 51 05 31 31 33  .....A.....Q.113
    *radiusTransportThread: Sep 22 12:26:27.262: 00000000: 03 ff 00 14 64 b5 1e e0  41 f9 08 3f 47 46 3c 2b  ....d...A..?GF<+
    *radiusTransportThread: Sep 22 12:26:27.262: 00000010: 33 38 28 a3                                       38(.
    *radiusTransportThread: Sep 22 12:26:27.262: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Sep 22 12:26:27.262: ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Access-Reject received from RADIUS server 10.83.40.111 for mobile 00:24:d6:23:d0:58 receiveId = 0
    *radiusTransportThread: Sep 22 12:26:27.262: 00:24:d6:23:d0:58 Returning AAA Error 'Authentication Failed' (-4) for mobile 00:24:d6:23:d0:58
    *radiusTransportThread: Sep 22 12:26:27.262: AuthorizationResponse: 0x3c4fd8b4
    *radiusTransportThread: Sep 22 12:26:27.262:    structureSize................................32
    *radiusTransportThread: Sep 22 12:26:27.262:    resultCode...................................-4
    *radiusTransportThread: Sep 22 12:26:27.262:    protocolUsed.................................0xffffffff
    *radiusTransportThread: Sep 22 12:26:27.262:    proxyState...................................00:24:D6:23:D0:58-00:00
    *radiusTransportThread: Sep 22 12:26:27.262:    Packet contains 0 AVPs:
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying new AAA override for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58
                                                                                                            source: 2, valid bits: 0x0
            qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
                                                                                                                                                    vlanIfName: '', aclName: ''
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Applying site-specific override for station 00:24:d6:23:d0:58 - vapId 3, site 'UNAIDS-HQ', interface 'unaids-guests'
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting AAA Override struct for mobile
            MAC: 00:24:d6:23:d0:58, source 2
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Inserting new RADIUS override into chain for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values for station 00:24:d6:23:d0:58
                                                                                                            source: 2, valid bits: 0x0
            qosLevel: -1, dscp: 0xffffffff, dot1pTag: 0xffffffff, sessionTimeout: -1
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Override values (cont..) dataAvgC: -1, rTAvgC: -1, dataBurstC: -1, rTimeBurstC: -1
                                                                                                                                                    vlanIfName: '', aclName: ''
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3for this client
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:08:30:4a:d6:50 vapId 3 apVapId 3
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfMsAssoStateInc
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from AAA Pending to Associated
    *apfReceiveTask: Sep 22 12:26:27.263: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 Sending Assoc Response to station on BSSID 00:08:30:4a:d6:50 (status 0) ApVapId 3 Slot 0
    *apfReceiveTask: Sep 22 12:26:27.264: 00:24:d6:23:d0:58 apfProcessRadiusAssocResp (apf_80211.c:2153) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Associated
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule
    *apfReceiveTask: Sep 22 09:31:33.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 00:08:30:4a:d6:50, slot 0, interface = 13, QOS = 0
      ACL Id = 255, Jumbo F
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 113, IPv6 intf id = 11
    *apfReceiveTask: Sep 22 12:26:29.211: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: Sep 22 12:26:29.212: 00:24:d6:23:d0:58 Sent an XID frame
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Received Idle-Timeout from AP 00:08:30:4a:d6:50, slot 0 for STA 00:24:d6:23:d0:58
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 4, reasonCode 4
    *spamApTask4: Sep 22 12:26:46.641: 00:24:d6:23:d0:58 Scheduling deletion of Mobile Station:  (callerId: 30) in 1 seconds
    *osapiBsnTimer: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Associated to Disassociated
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sent Deauthenticate to mobile on BSSID 00:08:30:4a:d6:50 slot 0(caller apf_ms.c:5094)
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 Sending Accounting request (2) for station 00:24:d6:23:d0:58
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsAssoStateDec
    *apfReceiveTask: Sep 22 12:26:47.611: 00:24:d6:23:d0:58 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:24:d6:23:d0:58 on AP 00:08:30:4a:d6:50 from Disassociated to Idle
    *apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:08:30:4a:d6:50]
    *apfReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 Deleting mobile on AP 00:08:30:4a:d6:50(0)
    *pemReceiveTask: Sep 22 12:26:47.612: 00:24:d6:23:d0:58 0.0.0.0 Removed NPU entry.
    *aaaQueueReader: Sep 22 12:31:04.526: Unable to find requested user entry for 2ca835cf2014
    *aaaQueueReader: Sep 22 12:31:04.526: ReProcessAuthentication previous proto 8, next proto 40000001
    *aaaQueueReader: Sep 22 12:31:04.526: apfVapRadiusInfoGet: WLAN(3) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *radiusTransportThread: Sep 22 12:31:05.530: 00000000: 03 00 00 14 cd cd cd 40  48 d9 c9 26 10 81 e3 5b  .......@H..&...[
    *radiusTransportThread: Sep 22 12:31:05.530: 00000010: b0 35 95 73                                       .5.s
    *radiusTransportThread: Sep 22 12:31:05.530: ****Enter processIncomingMessages: response code=3
    *radiusTransportThread: Sep 22 12:31:05.530: ****Enter processRadiusResponse: response code=3
    Thanks,
    Seb.
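
The Access-Request hex dump in the debug output above can be decoded to see exactly what the WLC sends for a MAC-filter check, which is what a RADIUS/ACS policy has to match on. This is an added example, not part of the original posts; the attribute numbers are the standard RFC 2865/2868 ones, and reading the text after the colon in Called-Station-Id as the WLAN name is an assumption.

```python
import re
import struct

# Access-Request hex dump, copied from the debug output in the post above.
DEBUG_LINES = r"""
*aaaQueueReader: Sep 22 12:26:26.259: 00000000: 01 ff 00 b0 00 00 00 00  00 00 00 00 00 00 00 00  ................
*aaaQueueReader: Sep 22 12:26:26.259: 00000010: 00 00 00 00 01 0e 30 30  32 34 64 36 32 33 64 30  ......0024d623d0
*aaaQueueReader: Sep 22 12:26:26.259: 00000020: 35 38 1e 21 30 30 2d 30  38 2d 33 30 2d 34 61 2d  58.!00-08-30-4a-
*aaaQueueReader: Sep 22 12:26:26.259: 00000030: 64 36 2d 35 30 3a 55 4e  41 49 44 53 2d 54 45 53  d6-50:UNAIDS-TES
*aaaQueueReader: Sep 22 12:26:26.259: 00000040: 54 2d 32 1f 13 30 30 2d  32 34 2d 64 36 2d 32 33  T-2..00-24-d6-23
*aaaQueueReader: Sep 22 12:26:26.259: 00000050: 2d 64 30 2d 35 38 05 06  00 00 00 0d 04 06 0a 53  -d0-58.........S
*aaaQueueReader: Sep 22 12:26:26.259: 00000060: 05 80 20 0d 47 45 2d 44  43 57 4c 43 2d 30 31 1a  ....GE-DCWLC-01.
*aaaQueueReader: Sep 22 12:26:26.259: 00000070: 0c 00 00 37 63 01 06 00  00 00 03 02 12 0d e4 89  ...7c...........
*aaaQueueReader: Sep 22 12:26:26.259: 00000080: d6 a8 35 ae 7e ee 86 d9  65 0e 78 f5 5d 06 06 00  ..5.~...e.x.]...
*aaaQueueReader: Sep 22 12:26:26.259: 00000090: 00 00 0a 0c 06 00 00 05  14 3d 06 00 00 00 13 40  .........=.....@
*aaaQueueReader: Sep 22 12:26:26.259: 000000a0: 06 00 00 00 0d 41 06 00  00 00 06 51 05 31 31 33  .....A.....Q.113
"""

# One dump line: ": <8-hex offset>: <up to 16 bytes>", then the ASCII column.
HEX_LINE = re.compile(r": ([0-9a-f]{8}): ((?:[0-9a-f]{2} {1,2}){1,16})")

# RFC 2865 / RFC 2868 attribute numbers that occur in this packet.
ATTRS = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
         6: "Service-Type", 12: "Framed-MTU", 26: "Vendor-Specific",
         30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
         61: "NAS-Port-Type", 64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
         81: "Tunnel-Private-Group-ID"}
TEXT_ATTRS = {1, 30, 31, 32, 81}
INT_ATTRS = {5, 6, 12, 61, 64, 65}


def packet_from_debug(text):
    """Rebuild the packet bytes from hex-dump lines, checking the offsets."""
    data = bytearray()
    for offset, hexpart in HEX_LINE.findall(text):
        if int(offset, 16) != len(data):
            raise ValueError(f"gap in hex dump at offset {offset}")
        data += bytes.fromhex(hexpart)
    return bytes(data)


def parse_radius(packet):
    """Split a RADIUS packet into header fields and raw (type, value) pairs."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the captured bytes")
    attrs, pos = [], 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad attribute length at offset {pos}")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "length": length, "attrs": attrs}


def decode(a_type, value):
    """Render one attribute value in a readable form."""
    if a_type in TEXT_ATTRS:
        return value.decode("ascii", "replace")
    if a_type in INT_ATTRS:
        return int.from_bytes(value, "big")
    if a_type == 4:
        return ".".join(str(b) for b in value)
    if a_type == 26:  # 4-byte vendor id, then vendor type, length, data
        vendor = int.from_bytes(value[:4], "big")
        return f"vendor {vendor}, type {value[4]}, data {value[6:].hex()}"
    if a_type == 2:  # hidden with the shared secret; only report the size
        return f"<{len(value)} hidden bytes>"
    return value.hex()


def mac_filter_view(packet):
    """Fields a RADIUS policy can match on for this MAC-filter request."""
    parsed = parse_radius(packet)
    fields = {ATTRS.get(t, f"attr-{t}"): decode(t, v) for t, v in parsed["attrs"]}
    # Assumption: the part after the first colon is the WLAN name.
    ap_mac, _, suffix = fields["Called-Station-Id"].partition(":")
    fields["called_ap_mac"], fields["called_suffix"] = ap_mac, suffix
    return fields


if __name__ == "__main__":
    for name, value in mac_filter_view(packet_from_debug(DEBUG_LINES)).items():
        print(f"{name:24} {value}")
```

In this capture the User-Name is the client MAC in lowercase without separators, while Calling-Station-Id carries the same MAC with hyphens, so the RADIUS user entry has to be stored in the first form to match.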

  • 802.1x peap mschap v2 with MAC Filter + IP Address Permanent

    Hi, my name is Ivan. I have an issue.
    I have one Cisco WLC 5508 with IOS 7.4.100, with an SSID that is working with 802.1X PEAP MSCHAPv2 with MAC filter, and I need to configure, in the WLC web page under Security > MAC Filter, a MAC and one permanent IP address for the users.
    I have a DHCP service in the WLC for this profile.
    This configuration works fine for 3 or 4 days. On the fifth day, my users renew the IP address, and they cannot surf the Internet, because in my firewall I have a policy for the users with an exact IP address, for example:
    MAC Filter - IP Address A - UserA
    My policy says:
    PolicyUserA - Internet
    Please, can I establish a MAC filter associated with one permanent IP address for one user while the DHCP service in the Cisco WLC is active?
    Is it possible to do it?
    How can I do it?

    Hi Ivan,
    You cannot map the MAC-IP address pairs on the WLC DHCP.
    The WLC has limited DHCP server functionality. You had better use an external DHCP server with full functionality, and then you can configure the DHCP server to provide the same IP address every time to each client in your network.
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Wireless Guest Network, iPads and MAC Filtering

    Hello, I have a question regarding our wireless guest network and using iPads.
    Our wireless network consists of (3) 5508 WLCs running 6.0.188: 2 internal WLCs and 1 external anchor WLC for guests. Presently we are only using one of the internal controllers for users; the second is only used for failover. The anchor controller is set up as the DHCP server for guests. We also have a Cisco NAC Guest Server in the DMZ for guest authentication.
    We have (10) iPads that need Internet access through our guest portal. We do not want these iPads to have to enter any credentials, just pass through to the Internet. We do not want any other device to be able to connect to this SSID. Here's my question: getting to the Internet is no problem; however, when I try to set up a MAC filter just for these devices, they never receive an IP address and never get connected. I have tried setting the filter on both the internal controller and the anchor controller identically and in about every combination I can think of. Does anyone know how to set up a MAC filter on a guest network configured as per Cisco's recommendation? I also plan to use WPA2 and 802.1X once I get the MAC filter to work. Any help would be appreciated.
    Thank You
    John

    Not all layer 2 and layer 3 security mechanisms are compatible. Refer to this doc
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080987b7c.shtml#matrix
    What security settings have you configured? The settings also need to be identical on both the internal and anchor controller.

  • CSCuh08009 - WPA2-PSK mac-filter assign interface wrong after client roaming back

    Hi All,
    Has anyone here experienced the same problem on WLC 5500 controllers?
    FW: 7.4.110
    WPA2-PSK with MAC-Filter, ACS has the database of allowed host MAC addresses
    Regards,
    Mikhail Veran

    Thanks Scott, The code version is 7.6.130.0 which supports Sleeping Client feature. However, as per the docu "http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration-guide/b_cg76/b_cg76_chapter_010111.html#reference_7008E6F7D7094BA7AD39491D7361622D"
    The authentication of sleeping clients feature is not supported with Layer 2 security and web authentication enabled.
    and as you mentioned as well
    ...Sleeping client like George mentioned is a better way than adjusting the idle timer but strictly for layer 3 only...
    Sleeping Client wasn't an option in my case. That is why I was hoping that Idle Timeout may do the trick here. This is an actual case where a client with an existing wireless network just wanted to enable sleeping client feature so that their guests don't need to re-auth if their device sleeps or they go out (break) and come back after some time. Layer-3 Web Auth alone should be enough I think. Keeping L2-PSK is probably their security team's decision, as they also use the same SSID for BYOD devices and don't want nearby people/buildings to see that there is an Open Wifi available and on joining would see the Web Auth portal and company disclaimer. 
    George, I agree with Dot1X method. It can be used for the BYOD devices (separate SSID) while we can keep the Guest WLAN as L3-WebAuth only on controller (or do CWA through ISE if available). 
    Thanks for all your help.
    Rick.

  • ACS - SSID - MAC-Filter separation

    Hello,
    I’m trying to setup following environment:
    WLC 5508 (OS 7.5)
    Up to 60 Access Points 1602I
    Two SSID’s are required
    WPA/WPA2 Authentication is required
    MAC-Filter should also be used
    I’ve done the following configuration:
    LAN environment works
    WLC Setup works also with all Access Points
    SSID with WPA/WPA2 Authentication work
    Clients can connect to each SSID
    For the MAC filter setup I'm going to use an ACS 5.4 and an Active Directory. The ACS has successfully joined the Active Directory, and in the Active Directory I've created two groups:
    CN=SSID1,OU=Authentication,DC=global,DC=lan
    CN=SSID2,OU=Authentication,DC=global,DC=lan
    I selected these two groups after I joined the Active Directory. I used the Active Directory (AD1) as an identity group, which is used by a Network Access based Access Service. In my second step, I configured the WLC to use RADIUS authentication for the MAC filter, and everything works.
    But now I’ve found my problem:
    The ACS server works top-down and the first rule matches:
    If a MAC is a member of group SSID1 and the client wants to join SSID 1, it works.
    If a MAC is a member of group SSID2 and the client wants to join SSID 1, it works, too, because the rules are checked top-down, first match. And the ACS will find the MAC in group SSID.
    Is it possible to check at the ACS which SSID sent the MAC-filter request? Or
    Is it possible to get the ssid value from the Active Directory to use this value in my policies?
    I would like to restrict the MACs from group SSID1 to SSID 1 and the MACs from group SSID to SSID 2.
    Thanks and kind regards
    Kai

    Hello,
    I hope this will help you. The username and password will be the MAC address of your wireless client device, e.g.
    Username:  aabbccddeeff
    Password:  aabbccddeeff
    You have to check in which format you have to send the MAC address (aa:bb:cc:dd:ee:ff, aabbcc-ddeeff, AA:BB:CC:DD:EE:FF, and so on).
    The attachments will show you a sample ACS Access Policy and the "caller-station-id" configuration and the configuration of an SSID from a Cisco WLC 5508.

  • Howto refresh MAC-filter list in WCS ?

    Hello
    We're using WLC4402 with WCS 4.
    We are using MAC filters with WPA to limit which clients can connect.
    My problem is this:
    I think it is smoother to insert new MAC filters through the WLC web interface instead of using the WCS.
    When I do this the new MAC filters I put in through the WLC web interface will not show up in the WCS, how can I refresh the WCS to make the new MAC filters show up there ?
    /Dan

    Make sure the controller is using a version in Release 3.2.78.0. If not, upgrade the controller so that updates are sent properly to WCS. The max number of MAC filters that can be configured is 512 on WCS 2.2.

  • WEP + Radius Mac filter

    I am setting up a Cisco WLC on version 4.0.
    I set up a 40-bit static WEP key for users to use. It works until I add the MAC address filter. It can work with the local MAC filter. If I want to use Cisco ACS to authenticate the MAC address, the controller shows this message:
    RADIUS server "IP Address":1645 failed to respond to request (ID 24) for client "MAC Address: / user 'unknown'
    Is there some problem in the WLC? I am following the configuration example to configure both the WLC and ACS.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml
    thank you very much

    "RADIUS server "IP Address":1645 failed to respond to request (ID 24) for client "MAC Address" - Check there is connectivity between WLC and ACS. Also, check whether the username credentials are correctly given.

  • How do I set up my Kindle to receive audio books? Is there a MAC filter? It must be disabled and I don't know how to do this

    How do I set up my Kindle to receive audio books? Is there a MAC filter? It must be disabled and I don't know how to do this.

    By default, any type of MAC filtering is disabled on the AirPort base stations ... unless, of course, you or someone else enabled it.
    If it is enabled, to disable it, you would use the AirPort Utility.
    AirPort Utility > Select the AirPort > Manual Setup > AirPort > Access Control tab > MAC Address Access Control: Not Enabled

  • Problem with connection to wrt54g2 via wireless connection with WPA/WPA2 & wireless MAC filter

    Hello,
    I'm Alexey from Novosibirsk, Russia.
    I have a problem with connection to wrt54g2 from my DELL D630 notebook via wireless connection. When I set up WPA/WPA2 in wireless security and the wireless MAC filter, I can't connect from the notebook to the WRT: in Windows I see that a dynamic IP address from the WRT is not assigned. When I switch the security mode to disabled it is always OK, but I need wireless security between the DELL and the WRT.
    Connection via cable Ethernet port is OK.
    Can you help me?

    Have you tried a different laptop...?
    Download the 1.71 MB firmware for WRT54G2 v1 and reflash the router's firmware. After reflashing/upgrading the router's firmware, reset the router for 30 seconds and reconfigure the router from scratch.

  • Wireless MAC filter can not be active to connect to WIFI?

    I use a Linksys router with WEP security and a Wireless MAC filter. When I turned off WEP I was unable to connect to the router with my iphone 3g but when I enabled WEP and turned off the MAC filter I connected right away.
    Has anybody else seen this or has anyone successfully connected to a router with a MAC filter?
    Thanks

    I have no problems connecting to a router with MAC filtering enabled... I would just double check that you entered the correct MAC address into your router (Settings>General>About>Wi-Fi Address) and make sure the permissions are set correctly for that MAC address (if applicable)...

  • WRT160N wireless MAC Filter settings reset on their own

    I recently purchased and setup a WRT160N router.  Having no real problems with router - it works fine with exception of the MAC filter settings.  I most often access the router config from an XP machine (used to initially setup the router) which is wired, as well as from a VISTA notebook that is wireless.  I am noticing that when I check the MAC filter settings, the previous setup is missing - meaning that all MAC addresses are gone, and the filtering option is removed.
    I have set this up numerous times, and VERIFIED that I click on save at the bottom of the page, verify I have enable checked, etc.  I am wondering if there is something I'm missing - the settings don't appear to "stay" - the filtering option simply disappears and returns to disabled.  I may answer my own question here (or point myself in the right direction), but is there a dependency on some other setting that is causing my filter to "disappear" on me?

    Have you tried to reset your Router and Re-configure all the settings back on your Router? If not then Reset your Router and re-configure all the settings. If still doesn't work, then you need to upgrade the firmware of your Router. Download the latest firmware for your Router from the Linksys website, Go to http://www.linksysbycisco.com/US/en/support/wrt160n/downloads and select the proper version number of your Router and download and save the firmware on your computer.
    Log in to the Router's GUI and click on the Administration tab and below click on the sub tab "Firmware Upgrade" and click on the browse button and select the firmware file and click on upgrade...Once the firmware upgrade is successful... Then you need to Press and hold the reset button for 30 seconds...Release the reset button...Unplug the power cable from your router, wait for 30 seconds and re-connect the power cable...Now re-configure your router...

  • Why is Web Page Auth on MAC Filter Failure not working on Anchor Controller?

    Hi,
    I have implemented a Guest WLAN solution as per the recommended design from Cisco. We have two internal WiSM2 controllers providing services for Internal secure SSIDs. Both these controllers are members of a Mobility and RF management group.
    Two 5508 controllers have been installed in our DMZ for resilience and have been placed into a separate Mobility group. All controllers (internal and external) have been linked together as mobility neighbours in a full mesh and a new SSID for Web Guest traffic has been anchored to the controllers in the DMZ.
    Web page authentication works perfectly fine, but I cannot for the life of me get the MAC filtering override to work, i.e. if a MAC address is present, do not redirect to the splash page for web auth.
    I can get MAC auth working by itself, but not with the Layer 3 option selected for web page auth on MAC filter failure.
    I know I can get around this by just creating two separate SSIDs. But the business is used to just having the one SSID for all guest traffic.
    Is this a known limitation when anchoring SSIDs to controllers in the DMZ ?

    Hi Nicolas,
    I guess they changed their mind about adding this fix in 7.0MR3. Now the fix will be in the 7.2 release, planned to be released in FEB.
    There is a documentation bug opened to add this to configuration guide :
    CSCtw48727    Document CSCts54424. Limitations webauth on mac filter fail for anchor
    Regards..Salil

  • Where to add mac filter without template on Prime 2.0?

    Hi,
    Can someone point me to where I should go to add a MAC filter under Security > AAA in Prime 2.0 directly to the controller without using templates? Check the screenshot attached. There is no option to add a filter. It only gives the option to edit. Going to Classic view, I see the add option is available. Puzzled. Any help is appreciated.
    Cheers,
    Fadi

    I am unable to find any way to configure a MAC address filter without a template. To configure with a template you can go through the following steps:
    Step 1 Choose Configure > Controller Template Launch Pad.
    Step 2 Click MAC Filtering or choose Security > MAC Filtering from the left sidebar menu. The Security > MAC Filtering page appears.
    Step 3 If you want to add a new template, choose Add Template from the Select a command drop-down list, and click Go. To modify an existing template, click the template name. The MAC Filtering template page appears.
    Step 4 If you keep Import From File enabled, you must enter a file path or click Browse to navigate to the file path. The import file must be a CSV file with MAC address, profile name, interface, and description (such as 00:11:22:33:44:55, Profile1, management, test filter). If you unselect the Import from File check box, continue to Step 5. Otherwise, skip to Step 8.
    The client MAC address appears.
    Step 5 Choose the profile name to which this MAC filter is applied or choose the any Profile option.
    Step 6 Use the drop-down list to choose from the available interface names.
    Step 7 Enter a user-defined description of this interface. Skip to Step 9.
    Step 8 If you want to override the existing template, select the Override existing templates check box.
    Step 9 Click Save.
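
For a fleet like the several hundred scanners in the first question, the CSV import in Step 4 avoids typing each filter by hand. The sketch below is an added example, not from the original posts or from Cisco: it normalizes a device inventory, keeps only addresses with the expected manufacturer prefix, and writes rows in the column order Step 4 gives (MAC address, profile name, interface, description). The inventory, the prefix 00:11:22 and the description are constructed; emitting no header row is an assumption.

```python
import csv
import io
import re

# Constructed sample inventory: mixed notations, one duplicate, one address
# with a different prefix and one truncated entry.
INVENTORY = """\
00:11:22:aa:bb:01
00-11-22-AA-BB-02
0011.22aa.bb03
001122AABB01
00:11:23:aa:bb:04
00:11:22:aa:bb
"""


def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff for any common notation, or None if invalid."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_rows(lines, oui, profile, interface, description):
    """Build import rows; anything malformed, off-prefix or repeated is rejected."""
    rows, rejects, seen = [], [], set()
    prefix = oui.lower() + ":"
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        mac = normalize_mac(raw)
        if mac is None:
            rejects.append((raw, "malformed"))
        elif not mac.startswith(prefix):
            rejects.append((raw, "unexpected OUI"))
        elif mac in seen:
            rejects.append((raw, "duplicate"))
        else:
            seen.add(mac)
            rows.append([mac, profile, interface, description])
    return rows, rejects


def to_csv(rows):
    """Serialize rows as CSV text with no header line (assumption)."""
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    rows, rejects = build_rows(INVENTORY.splitlines(), "00:11:22",
                               "Profile1", "management", "handheld scanner")
    print(to_csv(rows), end="")
    for raw, reason in rejects:
        print(f"rejected {raw!r}: {reason}")
```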
