
OfficeExtend AP600 authentication to WLC

zheka_pefti
Level 2

Hello folks,

Is there any way to authenticate the AP600 to the WLC when it joins the WLC over a CAPWAP tunnel?

I didn't find any good methods to control this process. Technically, anyone who knows the public IP of the WLC can easily join their AP and get connected to the internal office environment.

And secondly, will 802.1x work against the AD if I set Layer 2 security to 802.1x?

1 Accepted Solution


Take a look at the link I posted as it shows you where you have to enter the MAC address and what you need to check.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***


Scott Fella
Hall of Fame

Best practice is to use MAC filters. If you have OEAPs and regular APs on the same WLC, then you will need to add all the MAC addresses to each WLC. I have not tried to see if 802.1x works or not.

Thanks,

Scott


I should say... per this guide:)

http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml#config-steps

Thanks,

Scott


Thank you, Scott

I thought that MAC filtering is already history and the least secure method as MAC address can be easily spoofed. How would I do it?

WLC: Security -> AAA -> MAC Filtering -> MAC Filters ?

Once it is enabled then all wireless clients will be filtered as well ?

Take a look at the link I posted as it shows you where you have to enter the MAC address and what you need to check.

Thanks,

Scott


I remember reading this guide but didn't find how exactly it is done

The guide is missing what MAC address I enter in that filter and what are those certificate types, i.e. MIC, SSC, LSC

And another question that may of course sound stupid but still valid.

What about split tunneling ? Let's say I don't want to send all internet bound traffic into the CAPWAP tunnel

Take a look at this support doc... I haven't had to deploy this yet but I have tested it when it initially came out, not with newer code though:

https://supportforums.cisco.com/docs/DOC-27758

Thanks,

Scott


The OEAP 600 Ethernet MAC address and all your AP MAC addresses. Then enable or check: Authorize MIC APs against auth-list or AAA

Thanks,

Scott


The only MAC address I see on AP600 is the one on the back on the sticker. What's "all your AP mac address" ?

Didn't understand

Once you enable "Authorize MIC APs against auth-list or AAA", then all APs that join that WLC will need to have their MAC address added or else, if they bounce, get rebooted or whatever, they will fail to join. You just need to add the MAC address on the sticker.

Thanks,

Scott
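
The AP authorization list described in the posts above, as an added example that is not part of the original thread: a script that turns an inventory of sticker MAC addresses into controller CLI lines, and only emits the policy-enable step when every entry parsed cleanly, since an AP missing from the list fails to join after its next reboot. The inventory format, function names and sample MACs are constructed; the `config auth-list` lines are assumed to be the AireOS CLI form of the GUI steps and should be checked against the command reference for your release.

```python
import re

# Constructed sample: AP Ethernet MACs as copied from the stickers, in mixed formats.
SAMPLE_INVENTORY = """\
# label, ethernet MAC
home-alice, 00:11:22:AA:BB:01
home-bob,   0011.22aa.bb02
branch-1,   00-11-22-AA-BB-03
home-alice, 001122aabb01
typo-entry, 00:11:22:AA:BB
"""

def normalize_mac(text):
    """Return the MAC as lower-case aa:bb:cc:dd:ee:ff, or None if it is unusable."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # group bit set: not a burned-in unicast address
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_auth_list(inventory):
    """Return (cli_commands, rejected_entries) for a 'label, MAC' inventory."""
    macs, rejected = [], []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, _, raw = line.partition(",")
        mac = normalize_mac(raw)
        if mac is None:
            rejected.append((label.strip(), raw.strip()))
        elif mac not in macs:  # same AP listed twice: add it once
            macs.append(mac)
    commands = [f"config auth-list add mic {m}" for m in macs]
    # Enable the policy last, and only if nothing was rejected: once it is on,
    # an AP that is not in the list cannot rejoin the controller.
    if not rejected:
        commands.append("config auth-list ap-policy authorize-ap enable")
    commands.append("show auth-list")
    return commands, rejected

if __name__ == "__main__":
    cmds, bad = build_auth_list(SAMPLE_INVENTORY)
    print("\n".join(cmds))
    for label, raw in bad:
        print(f"! rejected {label}: {raw!r} (fix before enabling the policy)")
```
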


Ok, thanks again, Scott.

Quite a lot of things to test and validate. Will update if I make progress or stumble upon something new.

Sounds good... hopefully that info helped.

Thanks,

Scott


Hello Scott,

I ran into a problem while testing 802.1x user authentication. The WLAN on the controller is set for 802.1x under layer 2 security but when the user tries to connect to the SSID he is challenged with PSK. Weird, I remember it was working before I upgraded the controller from 7.3 code to the latest 7.6 (I did it to test split tunneling).

I don't believe it is related to the upgrade but who knows, just wanted to ask for a fresh opinion.

And by the way, MAC-based authentication for the AP works perfectly!

I would verify the WLAN setting and the AP Group if you have any created. I would also check what the users are actually seeing.

-Scott