Cisco Wireless LAN Controller Module Leaflet

The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
MAC Address Filter (MAC Authentication) on WLCs
When you create a MAC address filter on WLCs, users are granted or denied access to the WLAN network
based on the MAC address of the client they use.
There are two types of MAC authentication that are supported on WLCs:
• Local MAC authentication
• MAC authentication using a RADIUS server
With local MAC authentication, user MAC addresses are stored in a database on the WLC. When a user tries
to access the WLAN that is configured for MAC filtering, the client MAC address is validated against the
local database on the WLC, and the client is granted access to the WLAN if the authentication is successful.
By default, the WLC local database supports up to 512 user entries.
The local user database is limited to a maximum of 2048 entries. The local database stores entries for these
items:
• Local management users, which includes lobby ambassadors
• Local network users, which includes guest users
• MAC filter entries
• Exclusion list entries
• Access point authorization list entries
Together, all of these types of users cannot exceed the configured database size.
In order to increase the local database, use this command from the CLI:
<Cisco Controller>config database size ?
<count>        Enter the maximum number of entries (512-2048)
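Because MAC filter entries share one database with every other entry type, it helps to check the total before you load a client list. The Python code below is an added example, not part of the original Cisco document. It assumes a client inventory that mixes colon, hyphen, and dotted MAC notations, uses constructed sample data, and introduces the hypothetical helper names normalize_mac and plan_database.

```python
import re

DB_DEFAULT, DB_MAX = 512, 2048  # default and maximum sizes stated above

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a unicast 48-bit MAC."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # group bit set: broadcast or multicast
        return None
    return ":".join(re.findall("..", digits))

def plan_database(mac_lines, other_entries, current_size=DB_DEFAULT):
    """Check that MAC filter entries plus all other entry types fit the shared
    local database; return the resize command if the current size is too small."""
    macs, rejected = [], []
    for line in mac_lines:
        mac = normalize_mac(line)
        if mac is None:
            rejected.append(line)
        elif mac not in macs:  # same client written in another notation
            macs.append(mac)
    needed = len(macs) + sum(other_entries.values())
    if needed > DB_MAX:
        raise ValueError(f"{needed} entries exceed the {DB_MAX}-entry maximum")
    command = f"config database size {needed}" if needed > current_size else None
    return {"macs": macs, "rejected": rejected, "needed": needed, "command": command}

# Constructed sample data, not taken from a real controller.
SAMPLE_MACS = [
    "00:1A:2B:3C:4D:5E",
    "001a.2b3c.4d5e",      # duplicate of the first entry, dotted notation
    "00-1A-2B-3C-4D-5F",
    "ff:ff:ff:ff:ff:ff",   # broadcast address, not a client
    "00:1A:2B:3C:4D",      # truncated
]
SAMPLE_OTHER = {"management_users": 5, "network_users": 300,
                "exclusion_list": 10, "ap_authorization": 200}

if __name__ == "__main__":
    plan = plan_database(SAMPLE_MACS, SAMPLE_OTHER)
    print("MAC filter entries:", plan["macs"])
    print("Rejected lines:", plan["rejected"])
    print("Entries needed:", plan["needed"], "->", plan["command"])
```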
Alternatively, MAC address authentication can also be performed using a RADIUS server. The only
difference is that the user MAC address database is stored on the RADIUS server instead of the WLC. When
the user database is stored on a RADIUS server, the WLC forwards the MAC address of the client to the
RADIUS server for client validation. Then, the RADIUS server validates the MAC address against the
database it has. If the client authentication is successful, the client is granted access to the WLAN. Any
RADIUS server that supports MAC address authentication can be used.
Configure Local MAC Authentication on WLCs
Complete these steps in order to configure local MAC authentication on the WLCs:
1. Configure a WLAN and Enable MAC Filtering
2. Configure the Local Database on the WLC with Client MAC Addresses