I have a WLAN configured on my 5508 with WPA2/802.1x, and I have my RADIUS servers configured to accept connections from clients using EAP-TLS certificates. This is working well.
I do however have a couple of devices that do not support EAP-TLS, and some that just don't support any 802.1x configuration. I enabled MAC filtering on the SSID, and expected it to use 802.1x if applicable, and if it fails, then use MAC filtering and present the MAC address as the username and password to the RADIUS server for authentication.
Is this not how it works?
What I found is that it only wanted to use MAC filtering for authentication, and not EAP-TLS.
You only have to add MAC addresses for devices that do not support EAP. You don't have to add MAC addresses for all devices.
The scenario maldehne is describing has never been tested by me personally. In switch port dot1x authentication, it will go for MAB after dot1x authentication is not working (i.e. after EAP it then tries the MAB). I am still a little bit confused about MAC authentication enabled with a dot1x WLAN. I understand that the client must support EAP and its MAC must be in the RADIUS as well. However, maldehne, the TAC engineer is saying that's not the case.
If I were you I would try to put two different rules in the RADIUS server: one for EAP and one for MAC auth. The first one should be EAP. The devices that do not initiate EAP will not match the first rule and will go for the second rule, which is the MAC auth. (Not sure how that is applicable with FreeRADIUS. Another test can also be to collect all MAC addresses that do not support EAP and add them to a RADIUS rule where it checks the MAC list, and if it's within the list it just sends Access-Accept; if not, it will direct it to normal EAP authentication.)
Note that most of the trick is done on the RADIUS server, not on the WLC.
Rating useful replies is more useful than saying "Thank you"
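The two-rule ordering suggested in the reply above, modelled as an added Python example that is not part of the original thread and is not FreeRADIUS or WLC configuration. It assumes a request is a dict of decoded RADIUS attributes (`EAP-Message`, `User-Name`, `User-Password`, `Calling-Station-Id`) and that MAC authentication sends the MAC as both username and password, as the question describes; the allowlist, sample MACs and function names are constructed for illustration.

```python
import re

# Constructed allowlist: MACs of devices that cannot do 802.1X (placeholders).
MAC_ALLOWLIST = {"001122aabbcc", "00deadbeef01"}


def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def select_policy(request):
    """Pick the rule that handles one Access-Request.

    Returns "eap", "mac-accept" or "reject".
    """
    # Rule 1: any request carrying EAP is handed to the EAP (EAP-TLS) policy,
    # which performs the certificate check. The MAC list is not consulted.
    if "EAP-Message" in request:
        return "eap"

    # Rule 2: no EAP was initiated, so treat it as MAC authentication.
    user_mac = normalize_mac(request.get("User-Name"))
    pass_mac = normalize_mac(request.get("User-Password"))
    station_mac = normalize_mac(request.get("Calling-Station-Id"))

    # The username must be a MAC, must equal the password, and must equal
    # the station address the controller reported for this client.
    if user_mac is None or user_mac != pass_mac or user_mac != station_mac:
        return "reject"

    # Only devices explicitly listed as non-EAP are accepted by MAC.
    return "mac-accept" if user_mac in MAC_ALLOWLIST else "reject"


if __name__ == "__main__":
    # Constructed sample requests.
    eap_client = {"User-Name": "laptop01", "EAP-Message": b"\x02\x01\x00\x05\x01"}
    printer = {
        "User-Name": "00:11:22:AA:BB:CC",
        "User-Password": "001122aabbcc",
        "Calling-Station-Id": "00-11-22-aa-bb-cc",
    }
    print(select_policy(eap_client), select_policy(printer))
```

Because rule 2 accepts on the MAC address alone, the allowlist should hold only the devices that cannot do EAP, which is the point made in the first reply.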