Cisco Support Community
Community Member

MAC Address Authentication on AP801AGN-E-K9


I've been having some trouble getting MAC Address Authentication to work on a Cisco AP801AGN-E-K9 when using the access point as a local authenticator for up to 50 clients.

Here is my configuration in its working state:

aaa new-model
aaa group server radius 2
  server-private auth-port 1812 acct-port 1813 key 7 01202327692E324E
aaa authentication login 1 group 2
dot11 ssid VLAN20
  vlan 20
  authentication open mac-address 1 alternate eap 1
  authentication key-management wpa version 2
  mbssid guest-mode
radius-server local
  nas key 7 01202327692E324E
  user me password me

And I am able to connect (with full IP Connectivity) to the SSID called VLAN20 using WPA2 Enterprise with the username me and the password me if I select LEAP as the 802.1x Authentication method on the client.

However, when I add "user f0b47916ce1f password f0b47916ce1f mac-auth-only" under my local radius server, I can no longer establish IP Connectivity. I've tried a few different clients to no avail.

On the access point I see this:

*Mar  1 02:22:34.343: RADIUS(000000EA): Send Access-Request to id 1645/234, len 126
*Mar  1 02:22:34.343: RADIUS:  authenticator 7A 5E 53 68 CE CC BA 98 - 63 47 62 CE 6F 11 BA 0C
*Mar  1 02:22:34.343: RADIUS:  User-Name          [1]  14  "f0b47916ce1f"
*Mar  1 02:22:34.343: RADIUS:  User-Password      [2]  18  *
*Mar  1 02:22:34.343: RADIUS:  Called-Station-Id  [30]  29  "28-94-0F-75-38-C2:VLAN20"
*Mar  1 02:22:34.343: RADIUS:  Calling-Station-Id  [31]  16  "f0b4.7916.ce1f"

*Mar  1 02:24:29.967: RADIUS: Received from id 1645/234, Access-Accept, len 116

shortly followed with "*Mar  1 02:25:35.059: %DOT11-7-AUTH_FAILED: Station f0b4.7916.ce1f Authentication failed".

Which looks like the client is not sending the password as its MAC address, should it be? However, it does seem to know to send the username as its MAC address (previously this was "me").

If I remove the user with this laptop's MAC address, I can connect again with the username "me". But I would like to try this out with MAC addresses as well since the RADIUS server will be in a central location by the end.

Anyone else had experience configuring this? Or had this problem before? I've read over the same few PDFs on the Cisco website and can't see where I'm going wrong!

Thanks in advance for any suggestions!

Hall of Fame Super Silver

Re: MAC Address Authentication on AP801AGN-E-K9

LEAP username and password are different from MAC filter. Try to just use LEAP with the MAC address.

user f0b47916ce1f password f0b47916ce1f

You have to setup the client to pass that username and password.

Sent from Cisco Technical Support iPhone App

*** Please rate helpful posts ***
Community Member

MAC Address Authentication on AP801AGN-E-K9

OK, I've tried removing "mac-auth-only" from the end as suggested, still getting the same results unfortunately :/

Thanks for the suggestion though.

This AP doesn't seem to have a proper web interface, perhaps someone with a dedicated Aironet AP could set this up from the web interface and post what CLI commands were generated into the running-config.

Community Member

MAC Address Authentication on AP801AGN-E-K9

Interestingly, I've moved over to a dedicated RADIUS server instead of the one built into IOS and I get the same problem - LEAP Authentication works fine but MAC does not.

MAC Address Authentication on AP801AGN-E-K9

Jonathan: are you still having the issue? Have you found a solution for it?

I am not sure, but as I can see the calling station ID is f0b4.7916.ce1f, maybe you need to use the username with the same format (with dot separator).



Rating useful replies is more useful than saying "Thank you"
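
An added example (not part of any post in this thread, and not Cisco tooling): a short Python parser for the debug lines quoted in the first post. It compares the RADIUS User-Name with the Calling-Station-Id both as raw strings and as canonicalized MAC addresses, and measures the time between each Access-Request and its Access-Accept. The function names and result keys are assumptions made for this example.

```python
import re

# Debug lines copied from the first post (authenticator/User-Password lines omitted).
SAMPLE = '''\
*Mar  1 02:22:34.343: RADIUS(000000EA): Send Access-Request to id 1645/234, len 126
*Mar  1 02:22:34.343: RADIUS:  User-Name          [1]  14  "f0b47916ce1f"
*Mar  1 02:22:34.343: RADIUS:  Called-Station-Id  [30]  29  "28-94-0F-75-38-C2:VLAN20"
*Mar  1 02:22:34.343: RADIUS:  Calling-Station-Id  [31]  16  "f0b4.7916.ce1f"
*Mar  1 02:24:29.967: RADIUS: Received from id 1645/234, Access-Accept, len 116
'''.splitlines()

STAMP = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+): ")
ATTR = re.compile(r'RADIUS:\s+([\w-]+)\s+\[(\d+)\]\s+\d+\s+"([^"]*)"')

def canon_mac(text):
    """Return 12 lowercase hex digits for any common MAC notation, else None."""
    digits = re.sub(r"[.:\-]", "", text).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def seconds(line):
    """Seconds since midnight from the debug timestamp (same day assumed)."""
    h, m, s = STAMP.search(line).groups()
    return int(h) * 3600 + int(m) * 60 + float(s)

def analyse(lines):
    attrs, events = {}, {}
    for line in lines:
        a = ATTR.search(line)
        pkt = re.search(r"\b(Access-\w+)", line)
        rid = re.search(r"\bid (\d+/\d+)", line)
        if a:                       # quoted attribute line
            attrs[a.group(1)] = a.group(3)
        elif pkt and rid:           # packet sent/received line
            events[(rid.group(1), pkt.group(1))] = seconds(line)
    # Called-Station-Id is "<AP MAC>:<SSID>"; split on the last colon.
    _ap, _, ssid = attrs.get("Called-Station-Id", "").rpartition(":")
    user, calling = attrs.get("User-Name", ""), attrs.get("Calling-Station-Id", "")
    delays = {rid: round(t - events[(rid, "Access-Request")], 3)
              for (rid, kind), t in events.items()
              if kind == "Access-Accept" and (rid, "Access-Request") in events}
    u, c = canon_mac(user), canon_mac(calling)
    return {"ssid": ssid, "user_name": user, "calling_station": calling,
            "same_string": user == calling,          # literal comparison
            "same_mac": u is not None and u == c,    # format-insensitive
            "accept_delay_s": delays}

if __name__ == "__main__":
    print(analyse(SAMPLE))
```
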

Community Member

Re: MAC Address Authentication on AP801AGN-E-K9

Hi there,

I did try this but I don't think I put the MAC address in that format, so I'll try that again.

However, my understanding was that the client attempting to associate should send this automatically before prompting for a username and password?

P.S. I have a workaround by doing the MAC filtering on the switch port which the AP is connected to, but would like to have done it on the AP if possible for neatness.

Community Member

MAC Address Authentication on AP801AGN-E-K9

According to you, you are using the AP in standalone mode; I was trying to search for the model but could not find the same.

Yes, I have seen the same model compatible with a controller. If it is used controller-based, MAC authentication should work for sure.

•1.    Release Notes for Cisco Wireless LAN Controllers and Lightweight ...

e. Choose the non-LDPE software release: AIR-X-K9-X-X.X.aes .... Symptom: An AP801AGN successfully joins a Cisco 2500 Series Wireless LAN Controller ...
