Wireless Guest and mac authentication

Hi all,
I want to set up a wifi guest network with MAC-based authentication.
I already have the guest anchor controller and the remote WLC controller (and the mobility tunnel) up and running.
However, I am uncertain where I have to program the MAC addresses: on the remote WLC or on the guest controller? (for local database MAC)
It seems my authentication only works if I program the MAC address on the 'remote' WLC (the WLC holding the AP).
This is a pity, as I was hoping to centralise all "approved" MAC addresses on the guest controller and not on each individual WLC separately.
Also, suppose I want a RADIUS server to validate the MAC address. Which controller is going to send the RADIUS request? The WLC controller managing the AP or the guest anchor controller?
Does the remote WLC also need to be configured with "Layer2 security: none" + "mac authentication" (the same as the anchor controller), or can I put "Layer2: none" on the remote WLC and put the anchor controller on "Layer2: none" + mac authentication?
regards,
Geert

Hi Geert,
The rule is straightforward: layer 2 is handled by the foreign WLC (the one holding the AP) and layer 3 is handled by the anchor (the guest).
This means the anchor WLC handles the DHCP/IP address, it handles the web authentication etc.
But only the foreign WLC knows which AP the client is associated to; it's the only one to have layer 2 information, so that's the one doing layer 2 authentication (WPA PSK or MAC filtering).
The way to "centralize" for you would be to have the MAC addresses on a RADIUS server or to push the MAC addresses to the controllers via WCS.
Hope this clarifies,
Nicolas
===
Don't forget to rate answers that you find useful

Similar Messages

  • Wireless Guest Users once authenticated, are able to connect again after disconnection

    Wireless Guest Users once authenticated are able to connect again after disconnection. Clients should not be able to connect after the restart or by disabling and enabling the WiFi adapter. But as of now clients are connecting to the network. How can we configure this feature in the WLC?

    IIRC, if you reboot, disable the adapter or disconnect from the wireless, as long as the session timer or the idle timer does not time out, then you are still considered authenticated. If you log out, the WLC logs you off and you will have to log back in. The weird thing is with iPhones or iPads: they go to sleep mode and you have to log back in to access the guest network. The workaround was to increase the idle timers to a certain acceptable limit to prevent this from happening.
    If you disconnect from the guest SSID and leave your client off the network until the idle timer expires, do you get prompted for a login or do you have access again?

  • WPA2 and mac authentication

    I am currently using WPA2-PSK. I want to add another layer of security. I know I could do EAP. I am also looking at MAC authentication. But I want to host the MAC list on an ACS server. Setting the MAC addresses on the ACS server is pretty cut and dry, but how can I configure the AP to look to the ACS server for its MAC list? And how can I get WPA-PSK and MAC authentication to work together?

    Hi Jared,
    you can do this by setting up the following:
    Web interface:
    1. Security -> Server Manager
    Setup the ACS IP in the list "MAC Authentication" in the section "Default Server Priorities".
    2. Security -> Advanced Security
    In the section "MAC Address Authentication" use the radio button "Authentication Server Only" or "Local List if no response from Authentication Server" for a fallback configuration!
    IOS Interface from config mode:
    aaa group server radius rad_mac
    server 10.20.40.37 auth-port 1645 acct-port 1646
    and
    aaa authentication login mac_methods group rad_mac
    or
    aaa authentication login mac_methods group rad_mac local (for local fallback)
    I have not tested this, because the MAC of the supplicants is too easy to sniff and any medium-skilled person may use a sniffed MAC to enter the first authentication stage!
    Better use a setup with EAP-FAST or PEAP!
    I hope that helps.
    Best regards,
    Frank

  • IAS and MAC authentication

    Hi, I'm having some trouble authenticating the users with EAP and MAC authentication. I'm using an IAS server and the EAP authentication is working well, but when I configure MAC and EAP authentication, it doesn't connect to the clients.
    Any idea how I can solve this problem?
    Thanks

    I think MAC authentication is not supported in IAS; you can do MAC address filtering on the AP.

  • Cisco aironet 1040: create wireless with wpa2 and mac authentication

    Hi,
    I created a wireless network setting "Open Authentication" and setting a wpa2 key: everything works.
    I would also like to add the MAC address filter, so next to Open Authentication I selected "with mac authentication", but I cannot connect. The list of MACs is specified in the "Advanced Security".
    Can anyone help me? thanks

    ap#show configuration
    Using 2085 out of 32768 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login default local
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid Svez
       authentication open mac-address mac_methods
       authentication key-management wpa version 2
    username 00907a0f2a55 password 7 1249554E425C0D542C79257D66
    username 00907a0f2a55 autocommand exit
    username administrator privilege 15 password 7 033449040A0620425A0D15564F42
    username 0025d3db778b password 7 055B565D74481D0D1B52404A09
    username 0025d3db778b autocommand exit
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers tkip
    ssid Svez
    antenna gain 0
    station-role root
    world-mode legacy
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address dhcp client-id GigabitEthernet0
    no ip route-cache
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • WLC Flexconnect with AAA and MAC authentication

    hi,
    I am having a Cisco WLC with the 7.4.121 version and I am having remote-site access points connected to this controller, and the remote access points will have a different VLAN on the remote side itself.
    My question is: I am having RADIUS authentication for the clients who are connecting from all the access points, and MAC filtering also.
    My RADIUS server is placed in the HQ where we have the WLC. Which method of FlexConnect switching will give me both AAA and MAC filter options working?
    One more question:
    Is it possible to make separate MAC filters for each AP on the WLC?
    thanks
    cyril

    If you are planning on doing machine authentication, i.e. authentication of the machine with username/password by the AAA server, then this is possible using FlexConnect local switching, provided you have your AAA server accessible via the local VLAN at the remote site.
    In case you are planning on doing MAC filtering using the WLC and username/password authentication using the AAA server, then this cannot be achieved when you enable FlexConnect local switching, as you do not get an option to configure MAC filtering on FlexConnect groups. Hence you would need to use central authentication.
    Actually the best option for you is that you either deploy a local-site AAA server and do both authentications via your RADIUS server, or use central authentication with FlexConnect APs in case this is not feasible.
    Hope this clears your doubts!
    Note: Please do not forget to rate and accept as solution in case the post is valid.

  • Enabling 802.1x and MAC Authentication Bypass on ACS 4.2

    Hi experts,
    I have a few questions regarding 802.1x & MAC Authentication Bypass configured on ACS 4.2.
    i. Is it possible to configure MAC authentication + 802.1x on ACS 4.2 at the same time? Here is the scenario;
    Our company would like to enforce 'double authentication' on each staff machine (including personal laptops/notebooks). Each time a staff member plugs into the company's network, they will need to supply username & password in order to get access. After that, the ACS server will also check whether the user's MAC address is valid by checking against its own database. This MAC address is tied to the staff's user profile in ACS. If the login information supplied by the staff is valid but the MAC address of their machine does not match the ACS database, then the staff will not be able to gain access unless after notifying the administrator about it.
    ii. If it is possible, is there any reference that I can check on how to configure this?
    The reason why I need MAC authentication + 802.1x to be configured at ACS is that most of our switches are not Cisco-based and are only capable of supporting 802.1x.
    Hope anyone here could help me on this.
    Thanks very much,
    Daniel

    With ACS, you can setup NARs (or Network Access Restrictions) to permit/deny access based on IP/non-IP based filters (like MAC Addresses).
    Specific info is here:
    <http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008018494f.html#313>
    Hope this helps,

  • Urgent 802.1x and MAC-Authentication Problem

    Hi all
    I want to deploy MAC authentication in my network, and I have 3000 users. In the lab the authentication for the machine takes:
    Vista : 15 - 20 seconds
    XP : 30 - 35 seconds
    Is there any way to reduce this time to less than 10 seconds? My user count is 3000; will the time get bigger because of this?
    Please help me.
    Thanks and Best Regards
    amady


  • VWLC and Mac Authentication

    Hello all
    WLC Appliance supports Local MAC Authentication, http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#conf
    Does Virtual WLC support this too?
    Thanks
    Franco

    Hello, Franco. 
    Have you checked the data sheet for the Cisco Virtual WLC's security Standards? Check this link: (http://cs.co/9007qz7W). 
    Are you planning to switch from a WLC appliance to a virtual?
    Kind regards. 

  • Wireless guest and HTTPS sites issue

    Dear all,
    I'm experiencing an issue with wireless guest: when accessing a site with HTTPS, the traffic is not intercepted by my controller, while HTTP sites are intercepted without any issue. I've found a document where this issue is mentioned as bug ID CSCar04580:
    http://cisco.biz/application/pdf/paws/108501/webauth-tshoot.pdf
    could you please let me know what the fix is?
    Thanks,

    Thanks for the feedback, however I've added the 443 port and the traffic is still not redirected.
    AP Fallback ................................ Enable
    Web Auth Redirect Ports .................... 80,443
    Fast SSID Change ........................... Disabled
    802.3 Bridging ............................. Disable
    Any other suggestion?
    Thanks,
    Aziz

  • Are the apple wireless keyboards and mac book pro keyboards the same size?

    Are the apple wireless keyboards and the mac book pro keyboards the same size? I have the most current wireless keyboard and I use it with my iPad. Thanks in advance

    I took it to the same shop where I purchased it; they sent it to the Apple service centre and it is a week and no one informed me about the problem or the action on it.
    We are mainly just users to users here, and sometimes an Apple folk will respond, but it's just a direction to an Apple support document; no service or account issues are handled here.
    Will they replace the MacBook Pro as it is still in warranty?
    We don't know what Apple will decide to do in your case; the best source of information is the shop you brought it to.
    They might be in the process of fixing it, or they might be deciding they need to keep your machine for investigation.
    Apple will take care of you; make sure you buy AppleCare and an external drive for Time Machine if you haven't already.

  • Mail setup and .mac authentication

    Baffled… I have been trying to setup my Mail account. I have an active .Mac account which I can access via the internet, so I know it works. I am trying to use Mail as my automatic mail for sending Aperture photos and iWeb announcements.
    In going through the setup procedures in Mail I enter all the required information and the application tries to authenticate my .Mac account… it spins and spins… then an error message is received indicating “failure to connect to .Mac”. I have verified my settings with a friend who uses the same ISP, Mail and .Mac and all our settings are the same.
    Is this a keychain issue, do I need to reset permissions?
    Why can I access my .Mac account through Safari yet the computer can’t do it automatically?
    Thanks for anyone’s assistance.

    So you get mail from your .Mac account not via IMAP, but via POP3? Or what do you mean by "as for IMAP I am not using that"?
    And no, I did not talk about pinging the server (which just sends ICMP echo requests), but about trying to connect to the server using telnet. That's a real big difference.
    I only get mail via the web ~ Safari ~ Yahoo... .Mac mail can be received and used only as a web application, Mail does not connect via .Mac.
    The problem is .Mac authentication when setting up a new Mail account, error message says can not verify/connect to .Mac server, yet I can access .Mac via the internet.
    IMAP ~ in my system preferences for Accounts/Advanced I do not sync to any IMAP mailbox and the greyed out port is 143 and SSL is not checked.
    Terminal ~ yes it logged in, sorry if I used the wrong term "ping"... so yes it did connect.

  • Wireless Guest and Broadcast

    All,
    The design guide specifies the following limitation: "As designed, 4400 series controllers do not forward IP subnet broadcasts from the wired network to wireless clients across the EoIP guest tunnel."
    Does this mean that I cannot initiate a connection from a wired PC (or the default gateway) to a wireless PC (even after it has authenticated?) because ARP would be unable to resolve or find the MAC address of the wireless PC (the ARP REQUEST broadcast will fail because it is not broadcast to the remote wireless client, if I read this limitation correctly)?

    The feature works for clients on the same controller at all times...meaning no inter-controller roaming.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn421760.html#wp234085

  • SLES 11 and MAC Authentication using FreeRADIUS

    This is our first attempt at this. Not sure if this is the correct forum. We have a SLES 11 server. We are running FreeRADIUS Version 2.1.1, for host i686-suse-linux-gnu. We are testing just one Cisco WAP 4410N with a Lenovo laptop. All of our WAPs are Cisco 4410N. This is our first attempt at a RADIUS server. We are attempting to have users authenticate to our wireless network only by using their devices' MAC address. This is for a Bring Your Own Device program for our school district. This program would allow students and teachers to bring their personal devices to school and attach to our network. We cannot install anything on their devices and need control over what devices connect. Once connected they would be subject to our Internet filter appliance.
    We have been following the website http://wiki.freeradius.org/Mac-Auth#Plain+Mac-Auth.
    We have made all the adjustments suggested on the website. We have created the file authorized_macs. At this time we have only one MAC address in this file. In our clients.conf file we have entered the following:
    client 10.0.9.77 {
        secret = xxxxxxxx
        shortname = 10.0.9.77
        nastype = cisco
    }
    This is the IP address of our WAP. We have configured the WAP under the Wireless section:
    Basic Setting SSID = RADIUS TEST SSID broadcast enabled
    Security currently disabled
    Connection Control set to RADIUS with the IP address of the server and the secret question.
    On the server in a terminal session we run /usr/sbin/radiusd -X, which executes without any errors. When the laptop attempts to connect it times out and no message appears in the terminal session on the server. Obviously the laptop is not connected.
    We have also attempted to connect by adding the following to the clients.conf file with no luck.
    client 10.0.8.0/21 {
        secret = xxxxxxx
        shortname = KAHS
    }
    Any guidance would be greatly appreciated.

    And your windows machine is set to: Authenticate as computer when computer information is available?
    Microsoft Corporation
    Thomas
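Nicolas's advice in the first thread (keep the approved MAC list on a RADIUS server rather than on each WLC) and the FreeRADIUS post above both come down to the same lookup. The Python below is an added example, not code from the thread or from FreeRADIUS: it models the wiki's plain MAC-auth flow by normalising the Calling-Station-Id a NAS might send into one spelling and checking it against a constructed authorized_macs file in the users-file layout. The two sample MACs are the ones listed as usernames in the AP config earlier on this page; the file content, the accepted spellings and the function names are assumptions made for the example.

```python
import re

# Constructed sample authorized_macs file in the FreeRADIUS users-file layout:
# one MAC per unindented line, optional reply attributes indented beneath it.
# The two MACs are the ones listed as usernames in the AP config on this page.
AUTHORIZED_MACS = """\
00-90-7a-0f-2a-55
\tReply-Message = "Device with MAC Address %{Calling-Station-Id} authorized for network access"
00-25-d3-db-77-8b
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(calling_station_id):
    """Return the MAC as lower-case 'xx-xx-xx-xx-xx-xx', or None if it is not a MAC.

    Accepts the common NAS spellings (an assumption for this example):
    00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455 and 001122334455,
    in any letter case.
    """
    digits = re.sub(r"[-:.]", "", calling_station_id.strip().lower())
    if not _HEX12.match(digits):
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_authorized_macs(text):
    """Parse the users-style file into {normalized_mac: [reply attribute strings]}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0] in " \t":
            # Indented line: a reply attribute belonging to the previous MAC entry.
            if current is None:
                raise ValueError("reply attribute before any MAC entry: %r" % raw)
            entries[current].append(raw.strip())
            continue
        mac = normalize_mac(raw.split()[0])
        if mac is None:
            raise ValueError("entry is not a MAC address: %r" % raw)
        current = mac
        entries.setdefault(mac, [])
    return entries


def authorize(calling_station_id, entries):
    """Decide an Access-Request the way the wiki policy does: reject unless the
    normalized MAC is listed. Returns (accepted, reply_attributes) with the
    %{Calling-Station-Id} expansion applied.

    A MAC is an identifier the client presents, not a secret, so this list only
    says which device identities are accepted; it is not proof of who is connecting.
    """
    mac = normalize_mac(calling_station_id)
    if mac is None or mac not in entries:
        return False, []
    reply = [a.replace("%{Calling-Station-Id}", mac) for a in entries[mac]]
    return True, reply
```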

  • E4200 Wireless Guest and WEP connects, other security settings do not

    I have an E4200 with fixed IP 192.168.1.2, DHCP off, connected through LAN ports to a FIOS ActionTec as 192.168.1.1. When connecting through the wireless network off the E4200, I can obtain an address and connect fine under the Guest network and WEP security, but for any other security setting (WPA, WPA2, Mixed mode, etc.) I get the message "Acquiring network address" forever, and I never get a connection. How do I troubleshoot?

    Is your FIOS ActionTec wired or wireless modem/router…. From where you are receiving the wireless signals to connect… Which operating System that you are running on the computer? It happens only to a specific computer or it happens to all the computers connected in the network?
