WPA2 with Mac Security

srsiddiqui2007
Level 1

Hi,

 

We have WPA2-PSK configured on the network but would also like to implement MAC filtering in order to restrict mobile devices from being connected to the network.

WPA-Enterprise is the best to use, but it will require RADIUS to be configured with EAP.

Is it possible to use MAC addresses configured locally on the AP, from where users get authenticated?

12 Replies

srsiddiqui2007
Level 1

I have 2602/2702 APs.

All the laptops are connected to them except the ones with the Ralink RT3290 802.11bgn Wi-Fi Adapter; they are connected in limited mode, or the wireless is not shown in the Wi-Fi list.

Tried to manually add the network but no success.

This was working fine with WEP until I moved to WPA2-PSK with AES encryption.

Commands used on AP:

encryption mode ciphers aes-ccm tkip
dot11 SSID Gotcha
auth key-management wpa ver 2
wpa-psk ascii Abf78d99a0

Is this undoable or something else?

Hi

 

Change as per below and try again:

encryption mode ciphers aes-ccm tkip -->Remove this

encryption mode ciphers aes-ccm
dot11 SSID Gotcha
auth key-management wpa ver 2
wpa-psk ascii Abf78d99a0

 

Regards

Don't forget to rate helpful posts

Hi @Sandeep

Updated the configuration as suggested. The Wi-Fi network is just identifying and didn't even ask for the key. Now it's unidentified.

Some of the laptops that previously worked are now showing limited connectivity.

You can check my attached config as well.

Sandeep

Any update on this?

Sandeep Choudhary
VIP Alumni

I never faced this kind of scenario, but at least you can give it a try...

Check this out: https://supportforums.cisco.com/discussion/11265661/cisco-aironet-ap1142n-configuration-wpav2-psk-local-mac-auth-only

 

Regards

Don't forget to rate helpful posts

Check the link below, but it will be hectic if you have multiple MAC addresses, like 80-100.

https://supportforums.cisco.com/discussion/9713856/wpa-psk-and-mac-filtering

One more option is to implement EAP-FAST

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116580-configure-eapfast-00.html

Guide me on which one is best.

Of course, the 1st option is very difficult to implement and I will not recommend it.

Yes, you can try to implement EAP-FAST.

Here is my post on it:

https://rscciew.wordpress.com/2014/07/24/autonomous-ap-with-local-radius-server-eap-fast/

 

Regards

Don't forget to rate helpful posts

Correct me if I am wrong.

Do I have to install Cisco AnyConnect Client on all the PCs if I configure EAP-FAST?

It's mentioned in your post but not in the link below (if it's mandatory).

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116580-configure-eapfast-00.html

 

@Sandeep

Any comment?

No, it's not mandatory. I don't think you need AnyConnect on each client computer.

 

Regards

 

 

Then how will the user created under Radius Server Local be used, or will it prompt for User/PWD after entering the WPA2 key?

We have some Mac OS X machines which also need access over the network, configuring EAP-FAST.

Secondly, we need to restrict smartphones/tablets from accessing the network, which is not possible with EAP-FAST. So we have to move to PEAP or EAP-TLS.
