MAC Filtering on WLANs

Dec 26th, 2013
Hi everybody.


I want to ask about MAC filtering. I have a CISCO 881c...


[Image: IMG_0281.JPG]

I've finished all the main configuration of this great router.


This router has two main parts: the ROUTER part and the ACCESS-POINT part.


Finally, I need to configure MAC address security to control who can connect and who can't.


So my configuration is as follows:


ROUTER Part:


ip dhcp pool VLAN20-Informatica
 network 191.168.0.224 255.255.255.224
 default-router 191.168.0.225
 dns-server 190.160.0.13
 lease 2
 exit

ip dhcp pool VLAN30-Gerencia
 network 191.168.0.192 255.255.255.224
 default-router 191.168.0.193
 dns-server 190.160.0.13
 lease 5
 exit

ip dhcp pool VLAN60-Invitados
 network 192.168.60.0 255.255.255.0
 default-router 192.168.60.1
 dns-server 190.160.0.13
 exit

ip dhcp excluded-address 191.168.0.225
ip dhcp excluded-address 191.168.0.193
ip dhcp excluded-address 192.168.60.1

interface FastEthernet0
 switchport access vlan 20
 no ip address
 exit

interface FastEthernet1
 switchport access vlan 30
 no ip address
 exit

interface FastEthernet2
 switchport access vlan 60
 no ip address
 exit

interface FastEthernet4
 ip address dhcp
 ip nat outside
 exit

interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
 exit

interface Vlan1
 ip address 191.168.1.1 255.255.255.252
 exit

interface Vlan20
 ip address 191.168.0.225 255.255.255.224
 ip nat inside
 exit

interface Vlan30
 ip address 191.168.0.193 255.255.255.224
 ip nat inside
 exit

interface Vlan60
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
 exit

ip nat inside source list LANs-TO-INTERNET interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.1

ip access-list standard LANs-TO-INTERNET
 permit 191.168.0.224 0.0.0.31
 permit 191.168.0.192 0.0.0.31
 permit 192.168.60.0 0.0.0.255


AP Part:

dot11 association mac-list 700
dot11 vlan-name Informatica vlan 20
dot11 vlan-name Gerencia vlan 30
dot11 vlan-name Invitados vlan 60

dot11 ssid Informatica
 vlan 20
 authentication open
 authentication key-management wpa
 guest-mode
 mbssid guest-mode
 wpa-psk ascii 0 maforinfor
 exit

dot11 ssid Gerencia
 vlan 30
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 0 maforgeren
 exit

dot11 ssid Invitados
 vlan 60
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 0 maforinvi
 exit

interface Dot11Radio0
 no ip address
 encryption vlan 20 mode ciphers tkip
 encryption vlan 30 mode ciphers tkip
 encryption vlan 60 mode ciphers tkip
 ssid Gerencia
 ssid Informatica
 ssid Invitados
 ssid Planta
 ssid Usuarios
 mbssid
 exit

interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
 exit

interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
 exit

interface Dot11Radio0.30
 encapsulation dot1Q 30
 no ip route-cache
 bridge-group 30
 bridge-group 30 subscriber-loop-control
 bridge-group 30 block-unknown-source
 no bridge-group 30 source-learning
 no bridge-group 30 unicast-flooding
 exit

interface Dot11Radio0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 bridge-group 60 subscriber-loop-control
 bridge-group 60 block-unknown-source
 no bridge-group 60 source-learning
 no bridge-group 60 unicast-flooding
 bridge-group 60 spanning-disabled
 exit

interface GigabitEthernet0
 description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
 no ip address
 exit

interface GigabitEthernet0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
 exit

interface GigabitEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
 exit

interface GigabitEthernet0.30
 encapsulation dot1Q 30
 bridge-group 30
 no bridge-group 30 source-learning
 bridge-group 30 spanning-disabled
 exit

interface GigabitEthernet0.60
 encapsulation dot1Q 60
 no ip route-cache
 bridge-group 60
 no bridge-group 60 source-learning
 bridge-group 60 spanning-disabled

interface BVI1
 ip address 191.168.1.2 255.255.255.252
 exit

ip default-gateway 191.168.1.1

access-list 700 deny   0000.0000.0000   0000.0000.0000
access-list 700 permit 9803.d860.b50d   0000.0000.0000
access-list 700 permit 001b.11b1.c553   0000.0000.0000


This configuration works great.


All hosts on the wired side and the wireless side can access the internet flawlessly.

On the AP side I can filter (deny) access for all wireless devices.

On the AP side I can grant access to two devices (9803.d860.b50d and 001b.11b1.c553).


The problem is here:


I need to grant access to any wireless host that tries to connect to the "Invitados" SSID (VLAN 60).

The problem is that the [dot11 association mac-list 700] statement affects the main antenna [Dot11Radio0].

So all devices are filtered, including the Invitados SSID (VLAN 60).


All I need is to filter only the Informatica and Gerencia SSIDs (VLAN 20 and VLAN 30).

For VLAN 60 I want to grant access to any device.


I hope that anybody can help me.


Thanks!


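The situation the post describes, as an added illustration (not code from the post, from Cisco, or from the linked guide): a small Python model of how an IOS 700-series MAC access list is evaluated, and why a list applied with `dot11 association mac-list` gates every SSID carried by Dot11Radio0, while a filter attached per SSID can leave Invitados open. The mask semantics (a 1 bit in the mask means that bit is ignored, and a MAC matching no entry hits the implicit deny) are IOS behaviour; the access list is copied from the post, and the guest MAC aaaa.bbbb.cccc is a constructed sample.

```python
import re

# Constructed copy of the access list from the post (same three entries).
ACL_700 = """
access-list 700 deny   0000.0000.0000   0000.0000.0000
access-list 700 permit 9803.d860.b50d   0000.0000.0000
access-list 700 permit 001b.11b1.c553   0000.0000.0000
"""
ALL_ONES = (1 << 48) - 1
ACL_LINE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+([0-9a-f.]+)\s+([0-9a-f.]+)", re.I)

def mac_to_int(mac):
    """'9803.d860.b50d' -> 48-bit integer."""
    return int(mac.replace(".", ""), 16)

def parse_acl(text):
    """Return [(action, address, mask)] in the order IOS evaluates them."""
    entries = []
    for line in text.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            entries.append((m.group(1).lower(), mac_to_int(m.group(2)), mac_to_int(m.group(3))))
    return entries

def acl_permits(entries, client_mac):
    """First match wins; a MAC matching no entry hits the implicit deny."""
    client = mac_to_int(client_mac)
    for action, address, mask in entries:
        # A 1 bit in the mask means "ignore this bit" (IOS 700-series
        # semantics), so only the bits where the mask is 0 must match.
        care = mask ^ ALL_ONES
        if (client & care) == (address & care):
            return action == "permit"
    return False

def may_associate(ssid, client_mac, entries, per_ssid):
    """per_ssid=False models 'dot11 association mac-list 700': the list is
    checked for every SSID on Dot11Radio0, Invitados included.
    per_ssid=True models a filter attached only to Informatica and
    Gerencia (the per-SSID mode the answer describes); Invitados is open."""
    if per_ssid and ssid == "Invitados":
        return True
    return acl_permits(entries, client_mac)

if __name__ == "__main__":
    acl = parse_acl(ACL_700)
    for per_ssid in (False, True):
        for ssid in ("Informatica", "Gerencia", "Invitados"):
            print(f"per_ssid={per_ssid} {ssid}: guest allowed ="
                  f" {may_associate(ssid, 'aaaa.bbbb.cccc', acl, per_ssid)}")
```

Run as-is, the radio-wide mode refuses the guest MAC on all three SSIDs, and the per-SSID mode refuses it on Informatica and Gerencia only.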
Sandeep Choudhary Mon, 01/06/2014 - 02:20

Hi Alfredo,

Configuring MAC Filtering:


Via the GUI:

Click Wireless > MAC Filter to open the Wireless - MAC Filter page, which lets you restrict access to specific SSIDs according to device MAC addresses.



For each SSID, you can specify MAC addresses to allow or MAC addresses to deny. By default, the MAC restriction feature is disabled for all SSIDs.


Complete the following steps to configure MAC filtering for an SSID:


Step 1 In the Select SSID drop-down list, select the SSID to configure.

Step 2 To add a MAC address to the list, click Add and enter the address.

Step 3 To remove a MAC address from the list, select the "Remove" check box for the address and click Remove.

Step 4 Select a MAC restriction mode:


  • Disabled—The feature is disabled.
  • Allow—Allow devices with the specified MAC addresses to connect.
  • Deny—Do not allow devices with the specified MAC addresses to connect.


Please also check this link for configuring MAC filtering both ways, GUI and CLI:

http://www.cisco.com/en/US/docs/routers/access/800/860-880-890/software/configuration/guide/config_WLAN.html#wp1251791



Regards

Don't forget to rate helpful posts.
