Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

WLC MAC Filtering



One thing I am confused is if I set MAC filtering on a WLC but do not populate with any MAC addresses will it block all MAC addresses or allow all?


Anyone can advise on this or please share information?






Hello Kaushik,When you have

Hello Kaushik,

When you have enabled the MAC filtering and a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the local database on the WLC, and when the database on the WLC is empty, I believe the client will not be granted access to the network.

For more details about MAC Filtering in WLC, please follow the following link:

Hope that helps.

Thanks for the feedback Moin

Thanks for the feedback Moin,

Just a comment/question (I am sorry if I am breaking in the conversation).

I am using 2 WLANs, one with Security WPA+WPA2 and one with MAC Filtering, while in both WLANs the users join - in with accounts that I have created (manually for now...) on ISE.

I have just observed that on WLC under clients menu, the users that have joined in the WLAN with the MAC authentication are listed with the MAC addresses of their devices and not with their username (like on the WPA+WPA2 WLAN)


Is there a way to find the username (client) that is logged in a specific MAC aunthenticated device? This is will quite useful for monitoring of users (and services)


Many thanks in advance for your response,



Cisco Employee

When the database is empty

When the database is empty then it will block all:

MAC Address Filter (MAC Authentication) on WLCs

When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network based on the MAC address of the client they use.

There are two types of MAC authentication that are supported on WLCs:

  • Local MAC authentication

  • MAC authentication using a RADIUS server

With local MAC authentication, user MAC addresses are stored in a database on the WLC. When a user tries to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the local database on the WLC, and the client is granted access to the WLAN if the authentication is successful.

By default, the WLC local database supports up to 512 user entries.

The local user database is limited to a maximum of 2048 entries. The local database stores entries for these items:

  • Local management users, which includes lobby ambassadors

  • Local network users, which includes guest users

  • MAC filter entries

  • Exclusion list entries

  • Access point authorization list entries

Together, all of these types of users cannot exceed the configured database size.

In order to increase the local database, use this command from the CLI:

<Cisco Controller>config database size ?
<count>        Enter the maximum number of entries (512-2048)

Alternatively, MAC address authentication can also be performed using a RADIUS server. The only difference is that the users MAC address database is stored in the RADIUS server instead of the WLC. When a user database is stored on a RADIUS server the WLC forwards the MAC address of the client to the RADIUS server for client validation. Then, the RADIUS server validates the MAC address based on the database it has. If the client authentication is successful, the client is granted access to the WLAN. Any RADIUS server which supports MAC address authentication can be used.

Please refer to the

Please refer to the configuration guide-

CreatePlease to create content