Cisco Support Community
Cisco Employee

MAC filtering with ACS - causing a ton of authentication attempts

Hi Experts,

We are doing MAC filtering on an open SSID (no layer 2 security).  There are currently about 1200 MAC addresses defined in the filter list but due to scalability reasons, we moved the list of MAC addresses to the ACS authentication server.

The problem is that when RADIUS servers are enabled for this open SSID, not only do the authorized clients authenticate against the RADIUS server, but so do all the unauthorized clients, who are not part of the MAC filter list. Since it is an open SSID, anybody with a smartphone tries connecting. This generates literally MILLIONS of authentication attempts to the ACS servers, with the resulting log files. Clients are authenticating 3 to 4 times each second, all day long.

An attempt was made to enable the client exclusion feature on the SSID, to put clients into a temporary exclusion state, so that they don't overwhelm the authentication servers.  However, we have been told that this mechanism doesn't work, due to some internal timers within the controller.

Is there any way we can perform the MAC-based authentication against our ACS servers, without overwhelming them with millions of unauthorized authentication attempts?

Thanks for any suggestions. Much appreciated.
