MAC Filtering

MAC Filtering

You can configure the controller to authorize clients based on the client MAC address by using the MAC filtering feature.

When MAC filtering is enabled, the controller uses the MAC address as the client identity. The authentication server has a database of client MAC addresses that are allowed network access. The controller sends the authentication server a RADIUS-access/request frame with a username and password based on the client MAC address as soon as it gets the association request from the client. If authorization succeeds, the controller sends a successful association response to the client. If authorization fails, the controller rejects the client association.

Clients that were authorized with MAC filtering can be re-authenticated through the WLAN session timeout feature.

MAC Filtering Configuration Guidelines

  • MAC filtering authentication occurs at the 802.11 association phase and delays the association response until authentication is done. If you use a RADIUS server for MAC filtering, it is advised to keep a low latency between the controller and the RADIUS server. When latency is too high, the client might timeout while waiting for the association response.

  • MAC filtering can be combined with other authentication methods such as 802.1X, Pre-Shared Key or it can be used alone.

  • MAC addresses can be spoofed and MAC filtering does not consist in a security measure.

  • Many clients can use a private MAC address to connect and change it at every session, therefore making it harder to identify devices through their MAC address.


Note


If wlan-profile-name is configured for a user, guest user authentication is allowed only from that WLAN.

If wlan-profile-name is not configured for a user, guest user authentication is allowed on any WLAN.


The AP fails to join the controller due to an authentication rejection on the RADIUS server. The failure occurs on the Cisco Catalyst 9800 controller, only when the RADIUS server is configured to authenticate the APs with method MAB as endpoints. The reason is that the RADIUS calling-station-id attribute is required for MAB authentication and is not present within the access request packet during the AP join. The workaround is to use a different AP authentication method than MAB as endpoints such as PAP-ASCII using a username and a password.

If you want the client to connect to SSID1, but not to SSID2 using mac-filtering, ensure that you configure aaa-override in the policy profile.

In the following example, when a client with MAC address 1122.3344.0001 tries to connect to a WLAN, the request is sent to the local RADIUS server, which checks the presence of the client MAC address in its attribute list (FILTER_1 and FILTER_2). If the client MAC address is listed in an attribute list (FILTER_1), the client is allowed to join the WLAN (WLAN_1) that is returned as ssid attribute from the RADIUS server. The client is rejected, if the client MAC address is not listed in the attribute list.

Local RADIUS Server Configuration

!Configures an attribute list as FILTER_2
aaa attribute list FILTER_2
!Defines an attribute type that is to be added to an attribute list.
attribute type ssid "WLAN_2"
 
!Username with the MAC address is added to the filter
username 1122.3344.0001 mac aaa attribute list FILTER_2
 
!
aaa attribute list FILTER_1
attribute type ssid "WLAN_1"
username 112233440001 aaa attribute list FILTER_1

Controller Configuration

! Sets authorization to the local radius server
aaa authorization network MLIST_MACFILTER local
 
!A WLAN with the SSID WLAN_2 is created and MAC filtering is set along with security
parameters.
wlan WLAN_2 2 WLAN_2
mac-filtering MLIST_MACFILTER
no security wpa
no security wpa wpa2 ciphers

!WLAN with the SSID WLAN_1 is created and MAC filtering is set along with security parameters.
wlan WLAN_1 1 WLAN_1
mac-filtering MLIST_MACFILTER
no security wpa
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list WEBAUTH
 
! Policy profile to be associated with the above WLANs
wireless profile policy MAC_FILTER_POLICY
aaa-override
vlan 504
no shutdown

Configuring MAC Filtering for Local Authentication (CLI)

Follow the procedure given below to configure MAB for local authentication.

Before you begin

Configure AAA local authentication.

Configure the username for WLAN configuration (local authentication) using username mac-address mac command.


Note


The mac-address must be in the following format: abcdabcdabcd


Procedure

  Command or Action Purpose

Step 1

wlan profile-name wlan-id

Example:

wlan CR1_SSID_mab-local-default 1 CR1_SSID_mab-local-default

Specifies the WLAN name and ID.

Step 2

mac-filtering default

Example:

Device(config-wlan)# mac-filtering default

Sets MAC filtering support for the WLAN.

Step 3

no security wpa

Example:

Device(config-wlan)# no security wpa

Disables WPA secuirty.

Step 4

no security wpa akm dot1x

Example:

Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 5

no security wpa wpa2

Example:

Device(config-wlan)# no security wpa wpa2

Disables WPA2 security.

Step 6

no security wpa wpa2 ciphers aes

Example:

Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables WPA2 ciphers for AES.

Step 7

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.

Configuring MAC Filtering (GUI)

Before you begin

Configure AAA external authentication.

Procedure


Step 1

Choose Configuration > Wireless > WLANs.

Step 2

On the Wireless Networks page, click the name of the WLAN.

Step 3

In the Edit WLAN window, click the Security tab.

Step 4

In the Layer2 tab, check the MAC Filtering check box to enable the feature.

Step 5

With MAC Filtering enabled, choose the Authorization List from the drop-down list.

Step 6

Save the configuration.


Configuring MAB for External Authentication (CLI)

Follow the procedure given below to configure MAB for external authentication.

Before you begin

Configure AAA external authentication.

Procedure

  Command or Action Purpose

Step 1

wlan wlan-name wlan-id ssid-name

Example:

wlan CR1_SSID_mab-ext-radius 3 CR1_SSID_mab-ext-radius

Specifies the WLAN name and ID.

Step 2

mac-filtering list-name

Example:

Device(config-wlan)# mac-filtering ewlc-radius

Sets the MAC filtering parameters. Here, ewlc-radius is an example for the list-name

Step 3

no security wpa

Example:

Device(config-wlan)# no security wpa

Disables WPA secuirty.

Step 4

no security wpa akm dot1x

Example:

Device(config-wlan)# no security wpa akm dot1x

Disables security AKM for dot1x.

Step 5

no security wpa wpa2

Example:

Device(config-wlan)# no security wpa wpa2

Disables WPA2 security.

Step 6

mab request format attribute {1 groupsize size separator separator [lowercase | uppercase] | 2 {0 | 7 | LINE} LINE password | 32 vlan access-vlan}

Example:

Device(config)# mab request format attribute 1 groupsize 4 separator

Optional. Configures the delimiter while using MAC filtering in a WLAN.

Here,

1 - Specifies the username format used for MAB requests.

groupsize size - Specifies the number of hex digits per group. The valid values range from 1 to 12.

separator separator - Specifies how to separate groups. The separators are comma, semicolon, and full stop.

lowercase - Specifies the username in lowercase format.

uppercase - Specifies the username in uppercase format.

2 - Specifies the global password used for all the MAB requests.

0 - Specifies the unencrypted password.

7 - Specifies the hidden password.

LINE - Specifies the encrypted or unencrypted password.

password - LINE password.

32 - Specifies the NAS-Identifier attribute.

vlan - Specifies a VLAN.

access-vlan - Specifies the configured access VLAN.

Step 7

no security wpa wpa2 ciphers aes

Example:

Device(config-wlan)# no security wpa wpa2 ciphers aes

Disables WPA2 ciphers for AES.

Step 8

no shutdown

Example:

Device(config-wlan)# no shutdown

Enables the WLAN.