WLC 5760 multiple SSIDs with MAC filtering

Dear All,
I am implementing a wireless network with 5760 WLCs. The client requires a few SSIDs with MAC-based authentication, so I created different MAC filters using the commands "aaa authorization network MAC_FILTER01 local", "aaa authorization network MAC_FILTER02 local", etc.
These filters are bound to different SSIDs using the commands "mac-filtering MAC_FILTER01", "mac-filtering MAC_FILTER02", etc., and users are added to their required MAC filters using the commands "username <mac-address> mac aaa attribute list MAC_FILTER01", "username <mac-address> mac aaa attribute list MAC_FILTER02", etc.
Now I am facing a serious issue: users belonging to any one MAC filter can connect to all SSIDs. It seems like the MAC addresses added to the controller under different filter names go into a common database, thereby giving users access to all SSIDs irrespective of their MAC filter.
Is this a limitation of the local database of the 5760? Has anyone faced the same issue? How can I implement independent MAC filters bound to different SSIDs?
Thanks,
Arun John

Hi Arun,
This feature currently does not exist on the 5760. It is due for release in one of the MRs of 3.6.
-Joseph

Similar Messages

  • 802.1x deployment with MAC filtering

    Hi All
    I read "Enhance your 802.1x deployment security with MAC filtering" on the NAP blog, linked below.
    http://blogs.technet.com/nap/archive/2006/09/08/454705.aspx
    I am wondering whether this tip might be incorrect somehow and would like to know how to implement it correctly.
    First of all, there is only a "Verify Caller ID" field in the "Dial-in" tab of the user properties, not "Calling Station ID". I tried to add a MAC address in this field and the authentication works.
    As the tip describes, we can add multiple MAC addresses in that field, but it doesn't work. I tried to use
    "AA-BB-CC-DD-EE-FF | BB-AA-FF-EE-DD-CC" as the format for multiple MAC addresses, and IAS always responds with a wrong calling station ID error. Does anyone know how to correctly add multiple MAC addresses in "Verify Caller ID"?
    Thanks

    Hi Sam
    Thank you for your reply.
    I would like to explain why I want to use multiple MAC address authentication for an account on a single AD.
    Generally, 802.1X can be implemented for wired and wireless authentication on many network devices in a company or enterprise. An employee in a company or enterprise is supposed to have only one account but might have multiple devices such as a PC, laptop, or PDA. For the convenience of the authentication implementation, I think I should only create one account for that person and make a MAC filter for any devices he is authorized to use.
    I had tried the first example you mention but it didn't work. The switch and wireless gateway I used for testing only sent one MAC address (calling station ID) to AD, and AD only recognized the first MAC address of all the MAC addresses I keyed in. Of course, your example can be successful if the device sends multiple MAC addresses simultaneously, because AD thinks those "MAC addresses" are just one string or one calling station ID. But that's not what I want.
    Anyway, I will try the second way you suggest.
    Thanks a lot.

  • Multiple SSIDS with VLAN ACL seperation

    Hi,
    I have bought an 887W and I'm new to wireless on a router. I need advice about separating multiple SSIDs with an access list.
    I have configured 2 SSIDs, one for 'trusted' clients and one for 'guest' clients. I want to prevent the 'guest' SSID from obtaining access to the other VLAN/SSID using an ACL.
    Each SSID is associated with a BVI, the BVI has the IP address, then it's linked to a separate VLAN interface, then each VLAN.
    Thanks if you can help...
    Dave

    Solved my issue, I simply attached the ACLs to the BVI interfaces. Fairly obvious, but I read a Cisco webpage that said this could not be done, although this may have been a temporary bug that has been fixed.

  • PEAP authentication with MAC filtering

    Hi,
    I have an SSID which requires MAC filtering as the first level of security and RADIUS authentication as well. I have done the necessary configuration in ACS and the WLC. In ACS, the rule for MAC filtering is taking a hit, but the users are not asked for credentials. The wireless association also fails. The MAC addresses are saved in the end station filter on ACS.
    The attached document has the complete configuration I performed. Please let me know what I am missing here. Thank you.
    Regards,
    Madhan kumar G

    Hi,
    As per maldehne, you have to play with the service type.
    Check this discussion: http://goo.gl/R9E8ae
    In the authentication policy you have to add a 'Service-Type' attribute condition and check based on that attribute.
    Based on maldehne's past discussion, the Service-Type value in the rule condition should be:
    For MAC filtering: the value should be Call Check
    For 802.1x: the value should be Framed
    Note that the MAC filter rule should come first.
    Hope this helps.
    Regards,
    Amjad
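    The Service-Type ordering Amjad describes, modelled as a small first-match rule table. This is an added example, not code from the thread, from ACS or from Cisco: the attribute names and the two RFC 2865 Service-Type values (Framed = 2, Call-Check = 10) are real, everything else (the allowlist contents, the sample requests, the rule and function names) is constructed here for illustration. It shows both the recommended table (MAC filter rule conditioned on Call-Check first, 802.1X rule conditioned on Framed second) and the same two rules without Service-Type conditions, where the 802.1X request is consumed by the MAC filter rule and never reaches PEAP, which is consistent with the symptom in the question.

```python
from enum import IntEnum


class ServiceType(IntEnum):
    """RFC 2865 Service-Type values the two rule conditions key on."""
    FRAMED = 2       # what the WLC sends for 802.1X requests
    CALL_CHECK = 10  # what the WLC sends for MAC filtering requests


def normalize_mac(mac):
    """Accept 00-23-68-BE-1C-88, 00:23:68:be:1c:88 or 0023.68be.1c88 and
    return the 12 lowercase hex digits; ValueError otherwise."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


# Stand-in for the ACS end-station filter (constructed content).
ALLOWED_MACS = {normalize_mac("00:23:68:be:1c:88")}


def rule_mac_filter(request):
    """MAC filter rule: accept only if Calling-Station-Id is in the allowlist."""
    try:
        mac = normalize_mac(request.get("Calling-Station-Id", ""))
    except ValueError:
        return "mac-filter: reject (no MAC in Calling-Station-Id)"
    return "mac-filter: accept" if mac in ALLOWED_MACS else "mac-filter: reject"


def rule_dot1x(request):
    """802.1X rule: hand the request to the PEAP method if it carries EAP."""
    return "dot1x: PEAP" if "EAP-Message" in request else "dot1x: reject (no EAP-Message)"


def is_mab(request):
    return request.get("Service-Type") == ServiceType.CALL_CHECK


def is_dot1x(request):
    return request.get("Service-Type") == ServiceType.FRAMED


def any_request(request):
    return True


# The table the reply recommends: condition on Service-Type, MAC rule first.
RULES_WITH_SERVICE_TYPE = [(is_mab, rule_mac_filter), (is_dot1x, rule_dot1x)]

# The same rules without Service-Type conditions: the first rule matches every
# request, so an 802.1X request is answered by the MAC filter and PEAP never runs.
RULES_WITHOUT_SERVICE_TYPE = [(any_request, rule_mac_filter), (any_request, rule_dot1x)]


def evaluate(request, rules):
    """First-match evaluation, like an ACS rule table read top to bottom."""
    for condition, handler in rules:
        if condition(request):
            return handler(request)
    return "reject: no rule matched"


# Constructed sample requests (not captures). For MAB the WLC puts the client
# MAC in User-Name as well; for 802.1X User-Name is the EAP identity.
MAB_REQUEST = {
    "User-Name": "002368be1c88",
    "Calling-Station-Id": "00-23-68-BE-1C-88",
    "Service-Type": 10,
}
DOT1X_REQUEST = {
    "User-Name": "madhan",
    "Calling-Station-Id": "00-23-68-BE-1C-88",
    "Service-Type": 2,
    "EAP-Message": b"\x02\x01\x00\x0b\x01madhan",  # EAP-Response/Identity
}
UNKNOWN_MAB_REQUEST = {
    "User-Name": "deadbeef0001",
    "Calling-Station-Id": "de:ad:be:ef:00:01",
    "Service-Type": 10,
}
```

    Running evaluate(DOT1X_REQUEST, RULES_WITHOUT_SERVICE_TYPE) returns a MAC filter decision rather than "dot1x: PEAP": the request hit the MAC rule and no credential prompt ever happened. With RULES_WITH_SERVICE_TYPE the same request goes to the 802.1X rule and the MAB request still stops at the MAC rule.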

  • Web Auth with Mac Filtering

    I am trying to set up a scenario where a user logs in via Web Auth and, with a successful connection, the MAC address is remembered for 7 days. That way, if the user connects again during the course of those 7 days, they aren't required to authenticate via Web Auth again; they just get access. After 7 days they will need to log in again through Web Auth. It's a similar scenario to what you see at a hotel wireless network. Does anyone know how I would go about setting up the dynamic MAC filtering and setting the timer for 7 days? With that said, I want it to be for a single SSID.

    Well, it's not possible with just the WLC.
    You can do it, but you need to have a way to pull the MAC address from the webauth page and insert it into an LDAP database whose age-out process you control.
    Then on subsequent visits they get MAC-authed instead of having to re-accept the page.
    In the webauth config you would check the "On MAC filter failure" box.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
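    A store that does what the two MAC-based threads above ask for, written as an added example rather than code from either post or from Cisco: one account owning several MACs (the IAS "Verify Caller ID" question, where the NAS only ever sends one Calling-Station-Id, so the lookup must be one MAC at a time against a set of entries) and an entry learned from web auth that ages out after 7 days (Steve's database whose age-out you control). The sqlite table, the (MAC, SSID) key, the 7-day default and all MACs, SSIDs and account names are assumptions made here. Keying on SSID as well as MAC is what lets a MAC be valid on one SSID and not another, the separation asked for in the opening post; it presumes the RADIUS glue calling check() knows which SSID the request came from, and that glue is not shown.

```python
import sqlite3
import time

LEASE_SECONDS = 7 * 24 * 3600  # the 7-day lifetime asked for in the web-auth post


def normalize_mac(mac):
    """Accept 00:23:68:be:1c:88, 00-23-68-BE-1C-88 or 0023.68be.1c88 and return
    the 12 lowercase hex digits; raise ValueError for anything else."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


class MacAllowlist:
    """MAC allowlist keyed on (mac, ssid). expires_at NULL means a permanent
    entry; otherwise the entry is ignored and removed once that time has passed.
    Table layout is an assumption made for this example."""

    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS mac_auth ("
            " mac TEXT NOT NULL, ssid TEXT NOT NULL, account TEXT NOT NULL,"
            " expires_at REAL, PRIMARY KEY (mac, ssid))"
        )

    def add_permanent(self, mac, ssid, account):
        """Static entry: one account may own several devices on the same SSID."""
        self.db.execute(
            "INSERT OR REPLACE INTO mac_auth VALUES (?, ?, ?, NULL)",
            (normalize_mac(mac), ssid, account),
        )
        self.db.commit()

    def learn_from_webauth(self, mac, ssid, account, now=None, lease=LEASE_SECONDS):
        """Called by the web-auth back end after a successful login: remember the
        client's MAC for `lease` seconds so later visits pass MAC auth instead."""
        now = time.time() if now is None else now
        self.db.execute(
            "INSERT OR REPLACE INTO mac_auth VALUES (?, ?, ?, ?)",
            (normalize_mac(mac), ssid, account, now + lease),
        )
        self.db.commit()

    def check(self, calling_station_id, ssid, now=None):
        """MAC-auth decision for one request: the NAS sends a single
        Calling-Station-Id, so match that one MAC on that one SSID.
        Returns the account name on success, None on reject."""
        now = time.time() if now is None else now
        try:
            mac = normalize_mac(calling_station_id)
        except ValueError:
            return None
        row = self.db.execute(
            "SELECT account, expires_at FROM mac_auth WHERE mac = ? AND ssid = ?",
            (mac, ssid),
        ).fetchone()
        if row is None:
            return None
        account, expires_at = row
        if expires_at is not None and expires_at <= now:
            # Lazy age-out: an expired entry is dropped the moment it is seen.
            self.db.execute("DELETE FROM mac_auth WHERE mac = ? AND ssid = ?", (mac, ssid))
            self.db.commit()
            return None
        return account

    def purge_expired(self, now=None):
        """Periodic age-out (for example from cron); returns rows removed."""
        now = time.time() if now is None else now
        cur = self.db.execute(
            "DELETE FROM mac_auth WHERE expires_at IS NOT NULL AND expires_at <= ?",
            (now,),
        )
        self.db.commit()
        return cur.rowcount


def demo():
    """Constructed walk-through using made-up MACs, accounts and SSIDs."""
    acl = MacAllowlist()
    # One employee, three devices, all valid on the corporate SSID only.
    for mac in ("00-23-68-BE-1C-88", "00:23:68:be:1c:89", "0023.68be.1c8a"):
        acl.add_permanent(mac, "CORP", "jsmith")
    # A guest who just passed web auth on the hotel-style SSID at t=1000.
    acl.learn_from_webauth("aa:bb:cc:dd:ee:01", "GUEST", "webauth-guest", now=1000)
    return acl
```

    check() takes an optional clock so the expiry can be exercised deterministically; in production leave `now` unset. Because entries are keyed per SSID, the guest MAC learned on GUEST does not pass on CORP, and the employee's devices do not pass on GUEST.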

  • Multiple SSID with different Login Web authority pages

    Our current setup is one anchor controller and then several WLCs. I want to know if I can have multiple SSIDs and use different Web Auth pages for them, so I can have an SSID that requires a password for authentication and another SSID that requires pass-through authentication, but they would have different web authentication pages and go to different pages once authenticated.
    Is this possible?

    Hi,
    If you are running WLC software 4.2 and above then you can do this on a per-WLAN basis. Here is the link which tells you how to do it:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml#A1
    Let me know if this answered your question, and please don't forget to rate the useful posts!
    Regards
    Surendra

  • Using multiple SSID with AP 1100 (standalone mode).

    Hi, I need to configure 2 SSIDs on the same 1100 AP: open authentication and WPA2. Is it possible to configure these 2 SSIDs without configuring VLANs?
    On CCO I've read the following:
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a008009483e.shtml
    Q. How many service set identifiers (SSIDs) can you have per VLAN?
    A. You can have only one SSID per VLAN. The use of multiple SSIDs over a single VLAN is not supported with Aironet APs.
    Is it also true with the latest IOS release?

    Hi Roberto,
    Hopefully the attached docs will answer your question:
    Cisco Aironet 1100 Series
    Using VLANs with Cisco Aironet Wireless Equipment
    Deprecated versions of Cisco Aironet software permit binding multiple SSIDs to one VLAN. Current versions do not.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801d0815.shtml#
    Cisco IOS Software Configuration Guide for Cisco Aironet Access Points, 12.2(15)JA
    Configuring Multiple SSIDs
    vlan vlan-id
    (Optional) Assign the SSID to a VLAN on your network. Client devices that associate using the SSID are grouped into this VLAN. You can assign only one SSID to a VLAN.
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a00802085c4.html
    Hope this helps!
    Rob
    Please remember to rate helpful posts.......

  • Aironet 600 with Mac Filtering and a switch..

    How does the Aironet 600 handle MAC filtering if I were to connect a switch to port 4 on the back (the "Secured" network port)? Does it authenticate each MAC, or does it do something similar to how 802.1x with multi-host works, where the first MAC authenticates and then the port's wide open? My use case here is a printer at a remote home office. The printer doesn't have a supplicant in it, so I need to use MAC filtering. Thanks.

    MAC authentication is all I use for my outstationed workers. No WiFi, just the RLAN. Since the RLAN is configured for DHCP only, no IP gets passed until MAC auth occurs.
    When Cisco packaged this up, they said 4 is enough, IF you use an unmanaged (non-Cisco) switch.
    I had a need for 2 workstations and 2 digiports. SOP says a managed switch. Oops: the switch consumed 2 MACs right off the top, 1 for itself and 1 for each VLAN.
    After enabling 2 RLANs and configuring a pair on different networks, we discovered that they were bridged in the 602 (or somewhere).
    We ended up switching out the 602 for an ASA5505.

  • Multiple SSID With Multiple VLANs configuration on Cisco Aironet APs: Assotiated clients cannot obtain IP addresses

    Hi Surendra,
    I was just given this task to see how I can configure a second SSID for guest access in our environment.
    This is our network setup prior to this request: Internet----Firewall (not ASA)---CE520---C1131AG, and the CME router is also connected to the CE520 switch. We only have two VLANs: one for voice and one for data.
    Presently, there is no VLAN configured on the AP because it is only broadcasting one SSID, and wireless users get IPs from a Windows DHCP server on the LAN. The configuration on the CE520 switch port for the AP and the other switches says access vlan is the DATA VLAN, which automatically becomes the native VLAN for all trunk ports connecting the AP and other switches to the network.
    Now with this new requirement, I have done my research and I have configured the AP to broadcast both the production and the guest VLANs. The two VLANs are 20-DATA and 60-Guest. I made the DATA VLAN on the AP the native VLAN since the PoE switch is using the DATA VLAN as native on the trunk ports. I configured the firewall to serve as the DHCP server for the guest SSID and I have added the ip helper-address on the guest VLAN interface on all switches, while the Windows server remains the DHCP server for the production DATA VLAN. I have confirmed that the AP and switches can ping the default gateway of the guest DHCP server, which is another interface on the firewall. I can now see and connect to all broadcasted SSIDs, but the problem is I am not getting IP addresses from either the production DHCP server or the guest DHCP server when I connect to the SSIDs one at a time.
    My AP config is attached below.
    Please tell me what I am doing wrong.
    Do I need to redesign the whole network to have a native VLAN other than the data VLAN?
    Does the access point need to be aware of the voice VLAN?
    Does the native VLAN on the AP need to be in bridge-group 1, or can I leave it in bridge-group 20?
    I will greatly appreciate your urgent response.
    Thanks in advance.

    Hi,
    As far as I know we don't set the ip helper-address on the radio interface. It should be on the L3 interface of the corresponding VLANs, i.e.
    int vlan 20
    ip helper-address 192.168.33.xxx
    int vlan 60
    ip helper-address 130.20.1.xxx
    I'm assuming that you're using SVIs (int Vlan 20 and int Vlan 60) rather than physical interfaces. Also, I hope you have configured the switch port where this AP is connected as a trunk.
    Modify the AP config as below since you are using the data VLAN as the native VLAN:
    interface Dot11Radio0.20
    encapsulation dot1Q 20 native
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    Ideally your AP FastEthernet configuration should look like the below, and I'm not sure how you missed this, as it comes by default when you have multiple VLANs for multiple SSIDs.
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60
    no ip route-cache
    bridge-group 60
    no bridge-group 60 source-learning
    bridge-group 60 spanning-disabled
    Hope this helps.
    Regards
    Najaf

  • Multiple SSIDs with Multiple (split) VLANs & GW ---- for shopping mall

    Hi Experts,
    I suppose to sell the shared infrastructure service. Now I'm holding a couple of 8500 (HA). With almost 450 APs. 
    I'm designing my actual WiFi service for this "Shopping Mall" to retails.
    Each retail shop should own the AP inside their own shop. The AP should ONLY broadcast its own SSID, such as "Starbucks-WIFI". Each shop should not be able to hook into the other shops' networks.
    The problems are:
    If I have 100-500 customers/retail shops, can I achieve my goal with a given WLC 8500?
    How many SSIDs can be active at once?
    How many AP groups can be configured and turned on at once?
    What would be the actual topology that is best practice for this? IMO: shop broadcasts its own SSID >> access switch dedicated VLAN >> VRF (64 VRFs max @ CAT4500) or dedicated GW at the firewall >> dedicated internet link.
    I found a relevant post but it is not explicit for my environment: Wireless Max SSID on WLC and AP | Getting Started with Wireless ...
    Cheer & Br,
    Nipat.p

    "How many SSIDs can be active at once?"
    Go to WLAN > Advanced > AP Groups.
    All APs fall into the default-group. Each AP can advertise a maximum of 16 SSIDs. If you are smart, you can create a number of AP Groups, and individual APs can be assigned to a specific AP Group. One of the main selling points of AP Groups is the ability to assign specific SSIDs. So if you create an AP Group called Starbucks, and in the AP Group you assign only the Starbucks SSID and then assign only one AP, then this AP will ONLY advertise the specified SSID.
    Good news is the 8500 can support up to 6K AP Groups (read THIS).

  • Can the RV180W have multiple SSIDs with different security configurations?

    I am trying to configure the RV180W with a guest network and regular wireless network. The regular wireless network is just a bridge to the wired network, using WPA2-Pers for authentication. I built and enabled another wireless SSID, using a different VLAN and no authentication. I can get both SSIDs to function at the same time if I turn off security. Once I turn on Security, the regular one no longer functions.

    It is actually all in the manual:
    SEE: PDF MANUAL
    Page 63 of PDF and onwards
    Do note that you need to assign multiple VLAN per SSID. Check the manual it is there :D
    and based on the manual you need to enable multiple VLAN support: See page 34 of the manual: Configuring Virtual LAN (VLAN) Membership
    Don't forget to rate and mark as answer helpful posts! :)

  • Multiple SSIDs with WDS, custom DHCP addresses, & Web interface

    I just bought an AirPort Extreme Base Station along with an AirPort Express. So far, everything is great, but I have a few things I would like to configure a certain way, and I am having a little problem.
    Just to let you know, I am using the base station as the main router/firewall (with my cable modem). I am using the Express basically as a wireless bridge (via WDS).
    The way Apple takes care of things with WDS is by assigning the same SSID to both the base station and the Express for seamless roaming. However, I would like them both to have their own SSID. I cannot seem to get this working, and I know that some other vendors allow this (Buffalo, Linksys).
    The other issue is regarding DHCP on the LAN side. I want, for example, to hand out IP addresses 192.168.2.50-60 to my internal clients, and I want the base station to have an address of 192.168.2.1 and the Express to have 192.168.2.5. It seems I am also having problems with this. It seems like the base station is very rigid on what options I have in this regard.
    Lastly, I wondered if there is any other way to administer these (like a web browser). Sometimes I need to remotely make changes to the router, and I don't really want to install another app just for this purpose (especially at work, or some other remote location).
    Thanks
    Mac Mini 1.25 GHz   Mac OS X (10.4.3)   1 Gig of RAM

    "The way Apple takes care of things with WDS, is by assigning the same SSID to both the base station and express for seamless roaming. However, I would like them both to have their own SSID."
    I don't know why you'd want that, but if you are extending the range of your wireless network with WDS it isn't possible with AirPorts.
    "The other issue is regarding DHCP on the LAN side. I want to for example hand out IP addresses 192.168.2.50-60 to my internal clients, and I want the base station to have an address of 192.168.2.1 and the express to have 192.168.2.5. It seems this also I am having problems with."
    You can set the DHCP range and then assign static IPs to anything that conforms to that network, as long as it won't conflict with something automatically assigned by DHCP. As a router NAT must be enabled, so if you want a unique range of numbers only DHCP is used, which won't work in your case.
    In other words, set the range at 192.168.1.1 and that is the address of the base station. That can be used for the statically IP'd device's router and DNS entries as well, like this:
    Device 1 IP 192.168.1.101
    Device 1 subnet 255.255.255.0
    Device 1 router 192.168.1.1
    Device 1 DNS 192.168.1.1
    Device 2 IP 192.168.1.102
    Device 2 subnet 255.255.255.0
    Device 2 router 192.168.1.1
    Device 2 DNS 192.168.1.1
    etc...
    "Lastly, I wondered if there is any other way to administer these guys (like a web browser)."
    Not that I'm aware of. AirPort Admin Utility is all there is. I have seen a Java utility but it wasn't very friendly.

    Thanks for the answers. Despite these minor limitations, so far the Apple hardware is some of the best 802.11 stuff I have used (except for maybe a Cisco 1200).

  • Using multiple SSIDs with same name but different PSKs

    I have a central WLC 2504 controller that is being used for remote site FlexConnect 1141 APs. They all advertise three different SSIDs. One SSID is a global SSID that is the same at every office. One is a hidden SSID using 802.1x machine auth.
    The one I am trying to get working is the local office guest network. These SSIDs are all the same at each office but should have different PSKs. They are local to the office, therefore would only ever be applied to a specific FlexConnect group.
    I understand why in theory this is generally not a good idea but given these are for remote sites I'd like it to be possible. I always get this message though:
    "WLAN with duplicate SSID and L2 security policy found"
    Is there a way around this? New WLC code that allows it maybe?

    I was able to configure three (more I think possible) WLANs with the same SSID name, all WPA2-AES-PSK, on the same WLC, and all are enabled at the same time.
    Note that you can not have any of those broadcasting on same AP group. Each WLAN can be only broadcasted on a separate AP group. For your sites, It will probably need you to define an AP group for each site to broadcast different WLANs on different sites.
    You can do that if all your WLANs have an ID of 17 or higher. (the reason is, WLANs of 1-16 are by default broadcasted on the default AP group. and because those can not be on the same AP group - including the default one - then you can't have them with WLAN IDs 1-16. i.e on same - default - AP group)
    HTH
    Amjad
    rating useful replies is more useful than saying "Thank you"

  • Client unable to connect AP with MAC filtering

    I need some help from you. I found a problem where some clients cannot connect to the AP (but some clients can connect as normal). As I checked the logs, I see a lot of messages as below:
    Nov 18 01:13:55.760: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    Nov 18 01:13:55.760: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Previous authentication no longer valid
    Nov 18 01:13:55.763: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    After that I tried reloading the AP and then it could connect as normal, but I found a log showing it roaming to another AP in the same SSID, as below:
    Nov 21 08:52:12.147: %DOT11-6-ROAMED: Station 0023.68be.1c88 Roamed to 003a.99e6.6860
    Nov 21 08:54:33.855: %DOT11-6-ROAMED: Station 0023.68be.1c88 Roamed to 003a.99e6.6860
    Nov 21 09:04:34.495: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0023.68be.1c88 Reassociated KEY_MGMT[NONE]
    Nov 21 09:04:39.097: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Sending station has left the BSS
    Nov 21 09:04:39.103: %DOT11-6-ASSOC: Interface Dot11Radio0, Station  0023.68be.1c88 Reassociated KEY_MGMT[NONE]
    Nov 21 09:04:42.309: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    Nov 21 09:04:42.309: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 0023.68be.1c88 Reason: Previous authentication no longer valid
    Nov 21 09:04:42.315: %DOT11-4-MAXRETRIES: Packet to client 0023.68be.1c88 reached max retries, removing the client
    I've checked the Cisco documentation, and this problem may be due to radio interference, so please help to investigate and find out the root cause of why some clients cannot connect to the AP at that time and how to prevent this problem from occurring again.
    Thank you in advance.

  • WAP200 and .1x/radius authentication with multiple SSIDs

    Apparently it's not possible to define more than a single radius server when using multiple SSIDs with WAP200. Unfortunately WAP200 doesn't add the name of the SSID as a radius attribute, so it's not possible to make distinction whether the user is trying to log in to SSID A or B. Does anyone have any ideas or workarounds for this limitation? Of course the best solution would be if Cisco/Linksys fixed the firmware so that the SSID of the logging in user would be sent to the radius server as an extra attribute or appended to the client mac address.

    The security option for an SSID can be unique and can be configured when you configure an SSID or under VLAN. Note that each VLAN is uniquely mapped to an individual SSID.
