Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
581
Views
0
Helpful
3
Replies

Multiple SSID's Single AP Local MAC list

mcnairiain
Level 1
Level 1

‎04-11-2008 08:24 AM - edited ‎07-03-2021 03:42 PM

Hello, looking for a bit of help on what I consider a simple request only I cant seem to make the AP do what I want. Have a AP-1231, set it up so that I have 3 SSIDs broadcasting nicely and all I wanted to do is utilise the local MAC list so that If your Mac is not listed you cannot use any of the SSIDS. This works with a single SSID as I have done it, but all that happens when I pick a ssid to authenticate with MAC & then put a nominal MAC address in the list is that the WPA key I was using gets removed and it locks up the SSID, not to mention the HTTP managment page hangs. Is there an easy way of doing this? A bit annoyed now as I have spent a whole day on this problem and not really got anywhere. Not much posted on using local MAC for multiple SSID's on the NET, quite suprised really. Anyway any help would be awesome!!!

Labels:
0 Helpful
3 Replies 3

bcolvin
Level 3
Level 3

‎04-11-2008 06:58 PM

iain

You have some bad news MAC authentication does not work with WPA authentication. If you use MAC authentication you are stuck with it alone or with EAP.

Here is the reference

Note In Cisco IOS releases 12.3(4)JA and later, you cannot enable both MAC-address authentication and WPA-PSK.

this is from the following document

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37auth.html#wp1048646

HTH

Bill

0 Helpful

mcnairiain
Level 1
Level 1
In response to bcolvin

‎04-12-2008 09:12 AM

Thank you for your reply Bill, However I dont see why using WPA TKIP encryption prevents you from having a ACL in effect of which MAC addresses are allowed to authenticate, This is a basic feature on most domestic ADSL Wireless routers, I have previously done this with a Single SSID and WEP using an AP1200?? I just assumed that because domestic wireless ADSL routers can have WPA encryption with the added benefit of a list of authorised MAC users that the AP would also be able to do the same. So am I stuck then? I am not sure that MAC address authentication is solely what I want to do, I dont really understand how using WPA-PSK has anything to do with an additional list of which MAC addresses can use the service? - thank you for the link anyway...still a bit miffed though....

0 Helpful

bcolvin
Level 3
Level 3
In response to mcnairiain

‎04-12-2008 11:52 AM

Probably because a MAC ACL on a wireless network is not secure, for the following reason most Wireless adapters have the abbilty to have a localy mannaged MAC address. The result is all a hacker has to do is sniff your wireless system to learn a MAC address type it into his adapter and he is on your system, so all your work maintaining the ACL was bypassed in about a minute by the hacker. The ACL is still valid fot wired networks because with switches it is difficult to learn MAC addresses without being connected to your wire.

The Curret Best practice is to use some version of WPA with a Strong Passphrase/Password for a secure wireless network.

If you need additional security beyond the AP the use of VLANS and ACL's on the switches and routers is a very popular practice.

why are we working on saturday?

bill

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card