Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco WLC: Bypass Mac Filter with wpa psk

Hello my name is Ivan

I have a WLC version 7.0.116.0 and 10 LAP registered in mode local. All of them are showing 4 SSID's. I need to work using to one SSID security in layer 2 with wpa psk +mac filter.

I already configure all the mac address in the interface of users (Different to Interface Management) and I enable the security mac filter in the wlan of users, but when one users of this wlan try to authenticate, the process by pass the mac filter and the user can authenticate without problems to the wlan.

When i look the context of the configuration i see the mac, ip adress description and the interface of users correctly. Morever in the wlan is mark with a check to enable the security mac.

I write on the wlc debug client (mac of client) and i can see his process of authentication pass without any problems.

Could you give me an advice to resolv this trouble.

Thanks

Regards

Ivan

  • Other Wireless - Mobility Subjects
6 REPLIES

Cisco WLC: Bypass Mac Filter with wpa psk

Ivan,

I tested it on my lab controller and it works. Two questions for you:

  • Are you putting your MAC addresses in the MAC Filtering list?

  • Are you configuring your WLAN for MAC Filtering as indicated in the below screenshot?

Justin

New Member

Cisco WLC: Bypass Mac Filter with wpa psk

Hi Justin, thanks for your answer

That´s correct. I did it on my wlc. The users can authenticate in the wlan without any problems, but bypass the mac filter.

I understand that in mode hreap can not support mac filter, but all the access points are in  mode local.

Any advice? Perhaps an issue?

Regards

Ivan.

Cisco WLC: Bypass Mac Filter with wpa psk

Ivan,

Reading more closely, I think maybe the controller is behaving normally.

You say that you add the client to the MAC filtering list and you turn on MAC filtering for your WLAN. Then you say the client is allowed to authenticate. Am I getting that correctly? If so, that is what MAC filtering does--it allows all MAC addresses in the MAC filtering list to authenticate, i.e., the MAC filtering list is an allow list.

If you want to reject specific clients, then you need to put their MAC address in the Disabled Clients list (Security tab).

Does this help, or is it possible that I am still misunderstanding your issue?

Justin

New Member

Cisco WLC: Bypass Mac Filter with wpa psk

Hello Justyn

Thats correct, but when i see the logs of authentication to the user, i see that the wlc can not show the method of mac filter, for example

user A, method layer 2 wpa psk + mac filter, i only see wpa psk  nothing else,

Morever, when  a users that does'nt exist in the list of mac address try to authenticate in the wlan, this users pass wiithout any problems.

It tell me that the user by pass the mac filter process, and i think that the wlc does'nt work very well

Thanks for your answer

Ivan

Re: Cisco WLC: Bypass Mac Filter with wpa psk

Ivan,

Ok, that makes sense. So yes, as far as I know, the logs are not super helpful when it comes to MAC filtering pass/fail, but you will find generic messages related to MAC filter events. Filtering for MAC is a layer 2 association-level event, so if a client does not pass, you will see an SNMP log message like:

Sun Mar 18 20:23:52 2012          Client Association Failure: MACAddress: Base Radio MAC: Slot: 0 User Name:unknown IP Addr: unknown Reason:Unspecified ReasonCode: 1

If they pass, then you will see:

Sun Mar 18 20:29:05 2012          Client Association: Client MAC: Base Radio MAC : Slot: 0 User Name:unknown IP Addr: unknown

If you are not seeing these messages, make sure you have SNMP trap controls turned on for Client association and association failure events:

I have done some more testing today and I am not running into the issues that you are seeing. In my setup, named clients can associate and unlisted clients are failing to associate. At this point I would recommend that you try upgrading your code to 7.0.220.0 or higher. My testing was done on 7.0.220.0.

Justin

Re: Cisco WLC: Bypass Mac Filter with wpa psk

Ivan,

Did you figure out the issue?

I discovered a command today that will allow you to show if MAC filtering is globally enabled on the WLC.

Try running this command on the CLI:

(wlc) >show advanced macfiltering

Authentication................................... enabled

Skip RADIUS (query only the local db)............ disabled

You can turn it on or off with

(wlc) >config advanced macfiltering ...

Maybe your configuration is different than above somehow?

Justin

2289
Views
0
Helpful
6
Replies
This widget could not be displayed.