New Member

3850 WLC mac-filter doesn't work

Hi

Make mac-filter like here: https://supportforums.cisco.com/thread/2225903

username 5ce2f4235194 mac aaa attribute list test01

wlan Guest 1 Guest

client vlan 111

no exclusionlist

mac-filtering test01

no security wpa akm dot1x

security wpa akm psk set-key ascii 0 rjekv'yrflhjdsteckeub

security wpa wpa2 ciphers tkip

session-timeout 300

no shutdown

Doesn't work :-(

Sh term mon:

*Aug  6 23:38:02.275: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS: auth request sent

*Aug  6 23:38:02.280: %IOSXE-7-PLATFORM: 1 process wcm: AAAS: AAA request failed with rc 3

*Aug  6 23:38:02.280: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS: received response, cid=930

*Aug  6 23:38:02.280: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS: deleting context, cid=930

*Aug  6 23:38:02.280: %IOSXE-7-PLATFORM: 1 process wcm: AAAS: no attributes in response

*Aug  6 23:38:02.280: %IOSXE-7-PLATFORM: 1 process wcm: AAAS: aaashimAttrListToBuffer: cannot verify buffer len

*Aug  6 23:38:02.280: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS:  Internal Error (Failure in converting attr list to buffer).

*Aug  6 23:38:02.280: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS: mac filter callback status=-4 uniqueId=4889

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS: authorization init, uid=4889, context=931

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS: initialised auth request, id=4889

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=450 len=12  : 5ce2f4235194

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm: 5CE2.F423.5194 AAAS: Submitting mac filter request for user 5ce2f4235194, uniqueId=4889 mlist=test01

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=36  len=12  : 5ce2f4235194

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=82  len=18  : f02929a91000:Guest

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=221 len=1   : 0x30 (48) '0'

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=939 len=4   : 0x00000001 (1)

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=344 len=4   : 0x0000000a (10)

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=112 len=4   : 0x00000514 (1300)

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=225 len=4   : 0x00000013 (19)

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=819 len=24  : ac1001e6520188da00001319

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=448 len=4   : 0x0000000d (13)

*Aug  6 23:38:02.300: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=440 len=4   : 0x00000006 (6)

*Aug  6 23:38:02.301: %IOSXE-7-PLATFORM: 1 process wcm:   AVP type=381 len=3   : 111

I don't get any information about these errors on the internet. Can somebody help me?

SW3850#sh ver

Cisco IOS Software, IOS-XE Software, Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 03.02.01.SE RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2013 by Cisco Systems, Inc.

Compiled Wed 20-Mar-13 17:10 by prod_rel_team

Accepted Solutions
New Member

Re: 3850 WLC mac-filter doesn't work

Hi

I had the same issue you have and the documentation doesn't even cover this topic, so I tried to get to the bottom of this myself.

Do a debug aaa authorization and you should see the following error:

AAA/AUTHOR (0x1A): Invalid method list id=0x0

This is caused because the system searches for an aaa authorization list which is not configured.

To resolve this, configure the following:

aaa authorization network mac-filter local

where mac-filter is the name you defined in the SSID.

Then you can define mac addresses without any delimiters as username.

username 1234567890ab mac

According to other sources mentioning 3850 and mac filtering you append aaa attribute list > to the username.

I tested it successfully without this, so I wonder if this will be used in the future.

The debug should look now like this:

AAA/AUTHOR (0x22): Pick method list 'mac-filter'

And you should connect successfully.

Regards,

Patrick
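
A check for the mismatch this answer describes, as an added example that is not part of the original post or any Cisco tooling: it scans `show running-config` text, reports every `mac-filtering <name>` under a `wlan` that has no `aaa authorization network <name>` list, and flags `username ... mac` entries that contain delimiters. The sample config is constructed from the thread's first post (PSK line omitted), the function name is hypothetical, and sub-mode lines are assumed to be indented as in real `show run` output.

```python
import re

# Constructed running-config excerpt modelled on the thread's first post
# (PSK line omitted, one delimited MAC added); not output from a real device.
SAMPLE_CONFIG = """\
aaa new-model
username 5ce2f4235194 mac aaa attribute list test01
username 5C:E2:F4:23:51:95 mac
wlan Guest 1 Guest
 client vlan 111
 mac-filtering test01
 no shutdown
"""

AUTHOR_RE = re.compile(r"^aaa authorization network (\S+)")
USER_RE = re.compile(r"^username (\S+) mac\b")
WLAN_RE = re.compile(r"^wlan (\S+) ")
FILTER_RE = re.compile(r"^\s+mac-filtering (\S+)")
MAC_RE = re.compile(r"^[0-9a-fA-F]{12}$")


def audit_mac_filter(config):
    """Return findings for WLAN MAC-filter settings in a running-config."""
    author_lists, findings, wlan = set(), [], None
    wlan_filters = []  # (wlan profile name, method list name)
    for line in config.splitlines():
        if line and not line[0].isspace():
            wlan = None  # any top-level command ends the wlan sub-mode
        if m := AUTHOR_RE.match(line):
            author_lists.add(m.group(1))
        elif m := USER_RE.match(line):
            if not MAC_RE.match(m.group(1)):
                findings.append(f"username {m.group(1)}: not 12 hex digits without delimiters")
        elif m := WLAN_RE.match(line):
            wlan = m.group(1)
        elif (m := FILTER_RE.match(line)) and wlan:
            wlan_filters.append((wlan, m.group(1)))
    for profile, name in wlan_filters:
        if name not in author_lists:
            findings.append(f"wlan {profile}: mac-filtering {name} has no 'aaa authorization network {name}' list")
    return findings
```
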

9 REPLIES
Cisco Employee

Re: 3850 WLC mac-filter doesn't work

Hello,

By "doesn't work", do you mean the wlc allows unknown mac to go through or something else?

Sent from Cisco Technical Support iPhone App

New Member

3850 WLC mac-filter doesn't work

Nobody has access. Nobody goes through.

Hall of Fame Super Gold

3850 WLC mac-filter doesn't work

Try open authentication and report back.

New Member

Re: 3850 WLC mac-filter doesn't work

How? I look through manual ... for example this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3850/software/release/3.2_0_se/security/configuration_guide/b_sec_1501_3850_cg_chapter_01110.html

But I don't have command like "authentication open" in interface context.

Am I doing something wrong? Maybe you can say where to get a good manual?

Or full working config with mac-filter?

3850 WLC mac-filter doesn't work

Can you do a show wireless summary please?

By default the 3850 is in MA mode.  If you don't have an upstream controller that is the MC/MO, then you need to tell the 3850 to be the MC

IIRC

conf t

wireless mobility controller

end

wr

reload

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Re: 3850 WLC mac-filter doesn't work

SW3850#sh run | i wireless mobility controller

wireless mobility controller

So we are in MC mode

SW3850#sh wireless summary

Access Point Summary

               Total    Up    Down

-----------------------------------

802.11a/n          0     0       0

802.11b/g/n        4     4       0

All APs            4     4       0

Client Summary

Current Clients : 1

Excluded Clients: 0

Disabled Clients: 0

New Member

3850 WLC mac-filter doesn't work

Great thanks!!!

New Member

Re: 3850 WLC mac-filter doesn't work

username (mac-address) mac aaa attribute list test11

wlan 3850-01 1 3850-01

client vlan 200

mac-filtering test11

no security wpa akm dot1x

security wpa akm psk set-key ascii 0 Cisco123

no shutdown
