
wpa 2 with mac address authentication

Hi all,

At the moment we are running IOS-based APs with "encryption mode ciphers aes-ccm tkip wep128". Together with this, I am running MAC address authentication back to my ACS servers.

This works very well; however, an auditor picked up the word "wep", and that's "insecure".

I don't want to lose the MAC authentication back to the ACS servers, but I am looking at a better way for the encryption to work.

WPA would be a good way to go.

Now the only way that I know of to get MAC authentication working with WPA is by having a local ACL, i.e. something like this:

dot11 association mac-list 700
dot11 syslog
dot11 ssid myssid
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 7 <key>
encryption mode ciphers aes-ccm
access-list 700 permit <MAC-address>   0000.0000.0000
access-list 700 deny   0000.0000.0000   ffff.ffff.ffff
username <MAC-address> password 7 <password>
username <MAC-address> autocommand exit

Any ideas how I can keep my MAC authentication on my ACS servers with a more secure way for the encryption to work? I am open to ideas.


wpa 2 with mac address authentication

If you are just using a PSK this is true. I believe, however, that if you are using an EAP type you can still do MAC authentication with WPA/WPA2.


HTH, Steve

Re: wpa 2 with mac address authentication

Would you have a sample config / document that can help with setting this up?

I get something like "Error : Both EAP and WPA-PSK cannot be configured on same ssid.To configure WPA-PSK disable EAP"

Re: wpa 2 with mac address authentication

The clients that connect to this SSID, what security mechanism do they use to connect?

Only WEP?


Re: wpa 2 with mac address authentication

Right now yes, but I need to move it over to WPA.

The problem is that WPA and MAC address do not work together, unless it's on an ACL.

I tried moving to LEAP / PEAP, but my ACS auth service does not start once I enable that.

Did some reading on that; it seems like it's a bug once Windows is updated. I have confirmed this by doing a clean Windows install with no patches. That works. However, I can't have an unpatched server.

I am contemplating running WPA with the local ACL.

But first class would be to have that on the ACS server - talk about a catch-22.
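
The EAP-plus-MAC combination suggested in the reply above, sketched as an added example (it is not from the original thread). It assumes an autonomous IOS AP; the method-list and server-group names, the 192.0.2.10 RADIUS address, the shared-secret placeholder and the radio interface are assumptions to adapt.

```cisco
! Added example: WPA2 (AES-CCMP) with EAP, plus MAC authentication sent to
! the RADIUS/ACS server instead of a local access-list 700.
aaa new-model
!
! Placeholder server groups; both point at the same ACS server here.
aaa group server radius rad_eap
 server 192.0.2.10 auth-port 1645 acct-port 1646
aaa group server radius rad_mac
 server 192.0.2.10 auth-port 1645 acct-port 1646
!
! Method lists referenced from the SSID below.
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods group rad_mac
!
dot11 ssid myssid
 ! The client must pass MAC authentication and then EAP.
 authentication open mac-address mac_methods eap eap_methods
 authentication network-eap eap_methods mac-address mac_methods
 ! WPA2 key management with EAP: no wpa-psk line on this SSID, which is
 ! what the "Both EAP and WPA-PSK cannot be configured" error refers to.
 authentication key-management wpa version 2
!
interface Dot11Radio0
 ! AES-CCMP only: no tkip or wep128 left for an auditor to flag.
 encryption mode ciphers aes-ccm
 ssid myssid
!
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key <shared-secret>
```

With this layout the MAC addresses live as user entries on the RADIUS server (the AP submits the client MAC as both username and password), so the local `access-list 700` and the per-MAC `username` lines are not needed.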
