local radius + mac-filter ?

Carsten Radke
Level 1

Hi all,

could someone tell me how to configure a local RADIUS plus a mac-filter?

The config with the local RADIUS is running perfectly, but I don't know how to configure an additional filter.

Any ideas are welcome.

Carsten


4 Replies

Rob Huffman
Hall of Fame

Roman Rodichev
Level 7

aaa authentication login mac_methods group rad_eap
!
dot11 ssid wlan-ap
 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods

and then just add users to your RADIUS server. If your mac-address is 010203040506, then add account:

user: 010203040506
password: 010203040506

Is it correct to put it in like this:

dot11 ssid wlan-ap
 authentication open eap EAP_LOCAL
 authentication network-eap EAP_LOCAL
 authentication key-management wpa
 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods

and put the users and mac-addresses into the local radius-server?

Or isn't it better to configure a mac-filter with

access-list 700 ...

and apply it with:

dot11 association access-list 700

Yes, you can do that, but you don't actually need those two first "authentication" commands. These two:

 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods

will overwrite these two:

 authentication open eap EAP_LOCAL
 authentication network-eap EAP_LOCAL

so you'll just be left with:

dot11 ssid wlan-ap
 authentication key-management wpa
 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods

Yes, you can also use "dot11 association", but you'd have to keep track of your access-list 700 on each access-point independently for each client. With RADIUS-based MAC authentication you will have a centralized mac address database on the RADIUS server.

You can also do local AP RADIUS authentication for this too ("radius-server local").

By the way, it is recommended to use two separate RADIUS servers for EAP and for MAC authentication. For example, ACS for EAP and LOCAL for MAC. The problem with using the same RADIUS server is that a user can now do EAP authentication by supplying the WLAN NIC's MAC address as username and password and both EAP and MAC auth will pass!!
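The "two separate RADIUS servers" layout from the reply above, written out as an added example (not config from this thread or from Cisco): EAP goes to an external server through one AAA group, MAC authentication goes to the AP's own local authenticator through another, so a MAC-as-username/password account is never consulted for EAP. The IP addresses, shared secrets, and the group/method-list names are constructed; the user entry's mac-auth-only keyword is, to my understanding, the local authenticator's option that restricts an account to MAC authentication.

```cisco
! Constructed example: separate AAA server groups so that MAC credentials
! can only satisfy the mac_methods list, never the EAP list.
aaa new-model
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1812 acct-port 1813
aaa group server radius rad_mac
 server 192.0.2.1 auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
!
! 192.0.2.10 = external RADIUS (e.g. ACS) for EAP; 192.0.2.1 = this AP's own
! address, used as the local authenticator for MAC auth. Secrets are placeholders.
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EAP_SHARED_SECRET
radius-server host 192.0.2.1 auth-port 1812 acct-port 1813 key MAC_SHARED_SECRET
!
! Local authenticator on the AP: holds only MAC accounts, each limited to MAC auth,
! so the MAC address cannot be reused as an EAP username/password.
radius-server local
 nas 192.0.2.1 key MAC_SHARED_SECRET
 user 010203040506 password 010203040506 mac-auth-only
!
! SSID: MAC check against the local authenticator, EAP against the external server.
dot11 ssid wlan-ap
 authentication key-management wpa
 authentication open mac-address mac_methods eap eap_methods
 authentication network-eap eap_methods mac-address mac_methods
```

With this split, a client that only knows its own MAC address passes mac_methods but is rejected by eap_methods, which is the failure the reply warns about when one server serves both lists.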
