You can configure the controller to authorize clients based on the client MAC address by using the MAC filtering feature.
When MAC filtering is enabled, the controller uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. The controller sends the authentication server a RADIUS-access/request frame with a username and password based on the client MAC address as soon as it gets the association request from the client. If authorization succeeds, the controller sends a successful association response to the client. If authorization fails, the controller rejects the client association.
Clients that were authorized with MAC filtering can be re-authenticated through the WLAN session timeout feature.
MAC Filtering Configuration Guidelines
MAC filtering authentication occurs at the 802.11 association phase and delays the association response until authentication is done. If you use a RADIUS server for MAC filtering, it is advised to keep a low latency between the controller and the RADIUS server. When latency is too high, the client might timeout while waiting for the association response.
MAC filtering can be combined with other authentication methods such as 802.1X, Pre-Shared Key or it can be used alone.
MAC addresses can be spoofed and MAC filtering does not consist in a security measure.
Many clients can use a private MAC address to connect and change it at every session, therefore making it harder to identify devices through their MAC address.
If wlan-profile-name is configured for a user, guest user authentication is allowed only from that WLAN.
If wlan-profile-name is not configured for a user, guest user authentication is allowed on any WLAN.
The AP fails to join the controller due to an authentication rejection on the RADIUS server. The failure occurs on the Cisco Catalyst 9800 controller, only when the RADIUS server is configured to authenticate the APs with method MAB as endpoints. The reason is that the RADIUS calling-station-id attribute is required for MAB authentication and is not present within the access request packet during the AP join. The workaround is to use a different AP authentication method than MAB as endpoints such as PAP-ASCII using a username and a password.
If you want the client to connect to SSID1, but not to SSID2 using mac-filtering, ensure that you configure aaa-override in the policy profile.
In the following example, when a client with MAC address 1122.3344.0001 tries to connect to a WLAN, the request is sent to the local RADIUS server, which checks the presence of the client MAC address in its attribute list (FILTER_1 and FILTER_2). If the client MAC address is listed in an attribute list (FILTER_1), the client is allowed to join the WLAN (WLAN_1) that is returned as ssid attribute from the RADIUS server. The client is rejected, if the client MAC address is not listed in the attribute list.
Local RADIUS Server Configuration
!Configures an attribute list as FILTER_2
aaa attribute list FILTER_2
!Defines an attribute type that is to be added to an attribute list.
attribute type ssid "WLAN_2"
!Username with the MAC address is added to the filter
username 1122.3344.0002 mac aaa attribute list FILTER_2
aaa attribute list FILTER_1
attribute type ssid "WLAN_1"
username 1122.3344.0001 mac aaa attribute list FILTER_1
! Sets authorization to the local radius server
aaa authorization network MLIST_MACFILTER local
!A WLAN with the SSID WLAN_2 is created and MAC filtering is set along with security
wlan WLAN_2 2 WLAN_2
no security wpa
no security wpa wpa2 ciphers
!WLAN with the SSID WLAN_1 is created and MAC filtering is set along with security parameters.
wlan WLAN_1 1 WLAN_1
no security wpa
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth authentication-list WEBAUTH
! Policy profile to be associated with the above WLANs
wireless profile policy MAC_FILTER_POLICY