05-10-2009 09:08 AM - edited 07-03-2021 05:34 PM
Hi all,
Could someone tell me how to configure a local RADIUS plus MAC filter?
The config with the local RADIUS is running perfectly, but I don't know how to configure a filter in addition to it.
Any ideas are welcome.
Carsten
05-11-2009 04:17 PM
Yes, you can do that, but you don't actually need those two first "authentication" commands. These two:
authentication open mac-address mac_methods eap EAP_LOCAL
authentication network-eap EAP_LOCAL mac-address mac_methods
will overwrite these two:
authentication open eap EAP_LOCAL
authentication network-eap EAP_LOCAL
so you'll just be left with:
dot11 ssid wlan-ap
authentication key-management wpa
authentication open mac-address mac_methods eap EAP_LOCAL
authentication network-eap EAP_LOCAL mac-address mac_methods
Yes, you can also use "dot11 association", but you'd have to keep track of your access-list 700 on each access-point independently for each client. With RADIUS-based MAC authentication you will have a centralized mac address database on the RADIUS server.
You can also do local AP RADIUS authentication for this too ("radius-server local")
By the way, it is recommended to use two separate RADIUS servers for EAP and for MAC authentication. For example, ACS for EAP and LOCAL for MAC. The problem with using the same RADIUS server is that a user can now do EAP authentication by supplying WLAN NIC's MAC address as username and password and both EAP and MAC auth will pass!!
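The warning above about sending EAP and MAC authentication to the same RADIUS server can be checked against a configuration mechanically. The following is an added example, not code from the thread or from Cisco: it parses constructed Cisco IOS autonomous-AP config fragments modelled on the lines posted here and flags any SSID whose MAC and EAP method lists resolve to the same server group (the `rad_eap`, `EAP_LOCAL`, `mac_methods` and `wlan-ap` names come from the thread; `rad_mac` and the server addresses are assumptions).

```python
import re

# Constructed config fragments modelled on the lines posted in this thread;
# not exports from a real access point.
SHARED_CONFIG = """
aaa group server radius rad_eap
 server 10.0.0.5 auth-port 1812 acct-port 1813
aaa authentication login EAP_LOCAL group rad_eap
aaa authentication login mac_methods group rad_eap
dot11 ssid wlan-ap
 authentication key-management wpa
 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods
"""

# Same SSID, but MAC authentication sent to a separate (assumed) server group.
SEPARATED_CONFIG = SHARED_CONFIG.replace(
    "aaa authentication login mac_methods group rad_eap",
    "aaa group server radius rad_mac\n server 10.0.0.6 auth-port 1812 acct-port 1813\n"
    "aaa authentication login mac_methods group rad_mac",
)

METHOD_RE = re.compile(r"^\s*aaa authentication login (\S+) group (\S+)")
OPEN_RE = re.compile(r"^\s*authentication open mac-address (\S+) eap (\S+)")


def method_groups(config):
    """Map each AAA login method-list name to the RADIUS server group it uses."""
    groups = {}
    for line in config.splitlines():
        m = METHOD_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)
    return groups


def shared_server_findings(config):
    """Return (ssid, mac_list, eap_list, group) for every SSID whose MAC and EAP
    method lists use the same server group: a MAC account (user == password == MAC)
    stored there would then also satisfy the EAP method list."""
    groups = method_groups(config)
    findings, ssid = [], None
    for line in config.splitlines():
        if line.startswith("dot11 ssid "):
            ssid = line.split()[2]
        m = OPEN_RE.match(line)
        if m and ssid:
            mac_list, eap_list = m.groups()
            g_mac, g_eap = groups.get(mac_list), groups.get(eap_list)
            if g_mac is not None and g_mac == g_eap:
                findings.append((ssid, mac_list, eap_list, g_mac))
    return findings
```

Running `shared_server_findings` over the two fragments reports `wlan-ap` only for the shared configuration; the separated one, which matches the ACS-for-EAP and local-for-MAC split recommended above, produces no finding.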
05-10-2009 10:18 AM
Hi Carsten,
Configuring Filters
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_8_JA/configuration/guide/s38filt.html
Hope this helps!
Rob
05-11-2009 11:07 AM
aaa authentication login mac_methods group rad_eap
!
dot11 ssid wlan-ap
authentication open mac-address mac_methods eap EAP_LOCAL
authentication network-eap EAP_LOCAL mac-address mac_methods
and then just add users to your RADIUS server. If your mac-address is 010203040506, then add account:
user: 010203040506
password: 010203040506
05-11-2009 11:35 AM
Is it correct to put it in like this:
dot11 ssid wlan-ap
authentication open eap EAP_LOCAL
authentication network-eap EAP_LOCAL
authentication key-management wpa
authentication open mac-address mac_methods eap EAP_LOCAL
authentication network-eap EAP_LOCAL mac-address mac_methods
and put the users and MAC addresses in the local RADIUS server?
Or isn't it better to configure a MAC filter with
access-list 700 ...
and apply it with:
dot11 association access-list 700