Multiple SSIDs Single AP Local MAC list

Unanswered Question
Apr 11th, 2008

Hello, looking for a bit of help on what I consider a simple request, only I can't seem to make the AP do what I want. Have an AP-1231, set it up so that I have 3 SSIDs broadcasting nicely, and all I wanted to do is utilise the local MAC list so that if your MAC is not listed you cannot use any of the SSIDs. This works with a single SSID as I have done it, but all that happens when I pick an SSID to authenticate with MAC and then put a nominal MAC address in the list is that the WPA key I was using gets removed and it locks up the SSID, not to mention the HTTP management page hangs. Is there an easy way of doing this? A bit annoyed now as I have spent a whole day on this problem and not really got anywhere. Not much posted on using local MAC for multiple SSIDs on the net, quite surprised really. Anyway, any help would be awesome!!!

bcolvin Fri, 04/11/2008 - 18:58


You have some bad news: MAC authentication does not work with WPA authentication. If you use MAC authentication you are stuck with it alone or with EAP.

Here is the reference:

Note: In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.

This is from the following document



mcnairiain Sat, 04/12/2008 - 09:12

Thank you for your reply Bill. However, I don't see why using WPA TKIP encryption prevents you from having an ACL in effect of which MAC addresses are allowed to authenticate. This is a basic feature on most domestic ADSL wireless routers. I have previously done this with a single SSID and WEP using an AP1200?? I just assumed that because domestic wireless ADSL routers can have WPA encryption with the added benefit of a list of authorised MAC users that the AP would also be able to do the same. So am I stuck then? I am not sure that MAC address authentication is solely what I want to do. I don't really understand how using WPA-PSK has anything to do with an additional list of which MAC addresses can use the service? Thank you for the link anyway... still a bit miffed though...

bcolvin Sat, 04/12/2008 - 11:52

Probably because a MAC ACL on a wireless network is not secure, for the following reason: most wireless adapters have the ability to have a locally managed MAC address. The result is all a hacker has to do is sniff your wireless system to learn a MAC address, type it into his adapter, and he is on your system, so all your work maintaining the ACL was bypassed in about a minute by the hacker. The ACL is still valid for wired networks because with switches it is difficult to learn MAC addresses without being connected to your wire.

The current best practice is to use some version of WPA with a strong passphrase/password for a secure wireless network.

If you need additional security beyond the AP, the use of VLANs and ACLs on the switches and routers is a very popular practice.

Why are we working on Saturday?
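
The restriction quoted in the first reply (no MAC-address authentication together with WPA-PSK), written as a check over a multi-SSID configuration. This is an added example, not part of the thread; it assumes Cisco IOS autonomous-AP `dot11 ssid` syntax, and the sample configuration is constructed (SSID names, the `mac_methods` list name and the passphrases are placeholders).

```python
import re

# Constructed sample AP configuration (not from the thread); SSID names,
# the list name and the passphrases are placeholders.
SAMPLE_CONFIG = """\
dot11 ssid STAFF
   vlan 10
   authentication open mac-address mac_methods
   authentication key-management wpa
   wpa-psk ascii 0 EXAMPLE-PASSPHRASE-1
!
dot11 ssid GUEST
   vlan 20
   authentication open
   authentication key-management wpa
   wpa-psk ascii 0 EXAMPLE-PASSPHRASE-2
!
dot11 ssid SCANNERS
   vlan 30
   authentication open mac-address mac_methods
!
"""

def parse_ssids(config):
    """Return {ssid_name: [sub-command lines]} for every 'dot11 ssid' block."""
    ssids, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"dot11 ssid (\S+)$", line)
        if m:
            current = ssids.setdefault(m.group(1), [])
        elif not raw.startswith((" ", "\t")):
            current = None  # back at global level ('!' or another command)
        elif current is not None and line:
            current.append(line)
    return ssids

def mac_psk_conflicts(config):
    """SSIDs that request both MAC-address authentication and WPA-PSK."""
    bad = []
    for name, lines in parse_ssids(config).items():
        uses_mac = any(re.match(r"authentication \S+ mac-address\b", l) for l in lines)
        uses_psk = any(l.startswith("wpa-psk ") for l in lines)
        if uses_mac and uses_psk:
            bad.append(name)
    return sorted(bad)

if __name__ == "__main__":
    for ssid in mac_psk_conflicts(SAMPLE_CONFIG):
        print(f"{ssid}: MAC-address authentication and WPA-PSK both configured")
```

In the sample, only STAFF is flagged: GUEST uses WPA-PSK alone and SCANNERS uses MAC-address authentication alone, which are the two combinations the quoted note leaves available.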


