Cisco Support Community
local radius + mac-filter ?

Hi all,

Could someone tell me how to configure a local RADIUS plus MAC filter?

The config with the local RADIUS is running perfectly, but I don't know how to configure a filter in addition.

Any ideas are welcome.

Carsten

1 ACCEPTED SOLUTION

Accepted Solutions

Re: local radius + mac-filter ?

Yes, you can do that, but you don't actually need those two first "authentication" commands. These two:

authentication open mac-address mac_methods eap EAP_LOCAL
authentication network-eap EAP_LOCAL mac-address mac_methods

will overwrite these two:

authentication open eap EAP_LOCAL
authentication network-eap EAP_LOCAL

so you'll just be left with:

dot11 ssid wlan-ap
 authentication key-management wpa
 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods

Yes, you can also use "dot11 association", but you'd have to keep track of your access-list 700 on each access point independently for each client. With RADIUS-based MAC authentication you will have a centralized MAC address database on the RADIUS server.

You can also do local AP RADIUS authentication for this too ("radius-server local").

By the way, it is recommended to use two separate RADIUS servers for EAP and for MAC authentication. For example, ACS for EAP and LOCAL for MAC. The problem with using the same RADIUS server is that a user can now do EAP authentication by supplying the WLAN NIC's MAC address as username and password, and both EAP and MAC auth will pass!!
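The two-server layout the accepted answer recommends, written out as one complete autonomous-AP configuration. This is an added example, not configuration posted in the thread. It assumes an external ACS at 10.0.0.10 holding the EAP user accounts, the AP itself at 10.0.0.1 acting as the local authenticator that holds only the MAC accounts, a placeholder shared secret `s3cret`, and `encryption mode ciphers tkip` on the radio, which `key-management wpa` requires. The `mac-auth-only` keyword on the local-authenticator user entries comes from the IOS local authenticator syntax and is assumed to be available on the AP's release; it marks an account as valid for MAC authentication only.

```cisco
! Added example: separate RADIUS server groups for EAP and for MAC authentication.
! Assumed addresses: ACS 10.0.0.10 (EAP users), this AP 10.0.0.1 (local authenticator
! holding the MAC accounts). The shared secret s3cret is a placeholder.
aaa new-model
!
! EAP (802.1X) users exist on the external ACS only.
aaa group server radius rad_eap
 server 10.0.0.10 auth-port 1812 acct-port 1813
!
! MAC "users" exist on the AP's local authenticator only.
aaa group server radius rad_mac
 server 10.0.0.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
!
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key s3cret
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 key s3cret
!
! The AP as local authenticator: it must be registered as a NAS of itself, with the
! same key used on the radius-server host line above.
! One account per allowed client, username = password = MAC (12 hex digits, no separators).
! mac-auth-only restricts the account to MAC authentication (assumed supported on this release).
radius-server local
 nas 10.0.0.1 key s3cret
 user 010203040506 password 010203040506 mac-auth-only
 user 0a1b2c3d4e5f password 0a1b2c3d4e5f mac-auth-only
!
! MAC check goes to rad_mac, EAP goes to rad_eap; a client must pass both.
dot11 ssid wlan-ap
 authentication open mac-address mac_methods eap eap_methods
 authentication network-eap eap_methods mac-address mac_methods
 authentication key-management wpa
!
interface Dot11Radio0
 encryption mode ciphers tkip
 ssid wlan-ap
```

With this split, an EAP attempt that presents a MAC address as username and password is sent to the ACS, which has no such account, so it fails; the MAC accounts on the AP answer only MAC-authentication requests. On the AP, `show radius local-server statistics` shows the MAC-authentication successes and failures handled by the local authenticator.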

4 REPLIES
Re: local radius + mac-filter ?

aaa authentication login mac_methods group rad_eap
!
dot11 ssid wlan-ap
 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods

and then just add users to your RADIUS server. If your MAC address is 010203040506, then add the account:

user: 010203040506
password: 010203040506


Re: local radius + mac-filter ?

Is it correct to put it in like this?

dot11 ssid wlan-ap
 authentication open eap EAP_LOCAL
 authentication network-eap EAP_LOCAL
 authentication key-management wpa
 authentication open mac-address mac_methods eap EAP_LOCAL
 authentication network-eap EAP_LOCAL mac-address mac_methods

and put the users and MAC addresses into the local RADIUS server?

Or isn't it better to configure a MAC filter with

access-list 700 ...

and put it on:

dot11 association access-list 700

