MAC filtering was popular back when WEP was the only means of wireless security. MAC filtering adds an additional layer of authentication by validating the wireless NIC's MAC address before the client is allowed onto the wireless network. Although MAC filtering is still used today, it is a management burden for larger deployments, and it is very easy for an attacker to defeat: the MAC address is sent in the clear in every frame, so it can be captured with a sniffer and then spoofed.
What you need to know about local authentication on the Cisco WLC: by default, the WLC local database supports 512 entries and can be configured up to a maximum of 2048 entries. This is a hard limit and cannot be exceeded; beyond it you must use a RADIUS server for MAC authentication.
LOCAL WLC DATABASE
The local user database is limited to a maximum of 2048 entries and is set to a default value of 512 entries.
The local database stores entries for these items:
• MAC filters (clients)
• AP MIC/SSC (AP authorization list)
• Dynamic interfaces
• Management users
• Local net users
• Excluded clients
Together, ALL of these types of entries CANNOT exceed the configured database size.
In order to increase the local database (up to 2048 entries), use this command from the CLI. The new size does not apply immediately: it is reported as "Max database entries on next reboot" in show database summary and takes effect after the controller is rebooted.
(Cisco Controller) >config database size ?
<count> Enter the maximum number of entries (512-2048)
SHOW DATABASE SUMMARY
This command will display the size of the database and current number of entries.
(Cisco Controller) >show database summary
Current Max database entries..................... 512 <--- Default database size
Max database entries on next reboot.............. 512
Current number of entries used................... 5 <--- This is 3 user accounts and 2 dynamic interfaces
CONFIG MACFILTER IN LOCAL WLC DATABASE
The MAC address and WLAN ID are required; the interface name, description and IP address are optional:
config macfilter add <MAC address> <WLAN ID> [interface_name] [description] [IP address]
(Cisco Controller) >config macfilter add 00:21:6A:11:A8:AA 2
ENABLE MACFILTERING ON WLAN
(Cisco Controller) >config wlan mac-filtering enable 2
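The steps above (check the database, grow it if needed, add the filters, enable filtering on the WLAN) are what makes MAC filtering a management burden at scale. The following added example, which is not part of the original page and not a Cisco tool, builds the CLI lines for a batch of MAC addresses while respecting the limits the page states: it parses a constructed `show database summary` output, normalizes the MAC addresses into the lowercase colon form the controller displays (so 00:21:6A:11:A8:AA and 0021.6a11.a8aa are recognized as the same entry), emits `config database size` only when the entries would not fit, refuses outright when they would not fit even at the 2048 hard limit, and finishes with the `config wlan mac-filtering enable` line. The sample summary output and MAC addresses are constructed; the reboot warning follows from the "Max database entries on next reboot" line shown earlier on the page.

```python
import re

# Limits stated on the page: the local database defaults to 512 entries
# and can be raised to at most 2048. All entry types share that pool.
DEFAULT_DB_SIZE = 512
MAX_DB_SIZE = 2048


def normalize_mac(mac):
    """Return a MAC in the lowercase colon-separated form the WLC displays.

    Accepts 00:21:6A:11:A8:AA, 00-21-6a-11-a8-aa, 0021.6a11.a8aa or a bare
    12-digit hex string; anything else raises ValueError.
    """
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_database_summary(output):
    """Extract the three counters from 'show database summary' output."""
    fields = {
        "max": r"Current Max database entries\.+\s*(\d+)",
        "next_reboot": r"Max database entries on next reboot\.+\s*(\d+)",
        "used": r"Current number of entries used\.+\s*(\d+)",
    }
    result = {}
    for key, pattern in fields.items():
        match = re.search(pattern, output)
        if match is None:
            raise ValueError(f"could not find {key!r} in show database summary output")
        result[key] = int(match.group(1))
    return result


def plan_macfilter_config(summary_output, macs, wlan_id):
    """Build the CLI lines that add `macs` as local MAC filters on `wlan_id`.

    Returns (commands, warnings). Raises ValueError when the entries would
    not fit even at the 2048 hard limit, since a RADIUS server is the only
    way past that limit.
    """
    db = parse_database_summary(summary_output)
    unique = []  # deduplicated, in first-seen order
    for mac in macs:
        normalized = normalize_mac(mac)
        if normalized not in unique:
            unique.append(normalized)

    commands, warnings = [], []
    needed = db["used"] + len(unique)
    if needed > MAX_DB_SIZE:
        raise ValueError(
            f"{needed} entries needed but the local database cannot exceed "
            f"{MAX_DB_SIZE}; use RADIUS for MAC authentication instead"
        )
    if db["next_reboot"] != db["max"]:
        warnings.append(
            f"a size change to {db['next_reboot']} is already pending a reboot"
        )
    if needed > db["max"]:
        commands.append(f"config database size {needed}")
        warnings.append(
            f"database must grow from {db['max']} to {needed}; the new size "
            "applies on the next reboot, so reboot before adding the filters"
        )
    commands += [f"config macfilter add {mac} {wlan_id}" for mac in unique]
    commands.append(f"config wlan mac-filtering enable {wlan_id}")
    return commands, warnings


# Constructed sample of 'show database summary' output on a default-size controller.
SAMPLE_SUMMARY = """\
(Cisco Controller) >show database summary
Current Max database entries..................... 512
Max database entries on next reboot.............. 512
Current number of entries used................... 5
"""

# Constructed sample input; the first two are the same address in different notations.
SAMPLE_MACS = ["00:21:6A:11:A8:AA", "0021.6a11.a8aa", "00-21-6a-11-a8-ab"]

if __name__ == "__main__":
    cmds, warns = plan_macfilter_config(SAMPLE_SUMMARY, SAMPLE_MACS, wlan_id=2)
    print("\n".join(cmds))
    for warning in warns:
        print("WARNING:", warning)
```

The optional interface name, description and IP address from the syntax above can be appended to each `config macfilter add` line if the entries need them; the script deliberately emits only the required arguments.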
SHOW MACFILTER SUMMARY
(Cisco Controller) >show macfilter summary
MAC Filter RADIUS Compatibility mode............. Cisco ACS
MAC Filter Delimiter............................. None
Local Mac Filter Table
MAC Address WLAN Id IP Addr Description
----------------------- -------------- --------------- --------------------------------
00:21:6a:11:a8:aa 2 unknown
SHOW MACFILTER DETAIL
(Cisco Controller) >show macfilter detail 00:21:6a:11:a8:aa
MAC Address...................................... 00:21:6a:11:a8:aa
WLAN Identifier.................................. 2
Interface Name...................................
IP Address....................................... unknown
Description......................................
MAP MAC ADDRESS TO IP ADDRESS
The config macfilter ip-address command maps an existing MAC filter entry to an IP address. Alternatively, the IP address can be stored when the entry is created, using the optional trailing arguments of config macfilter add (the interface name and description come before the IP address, so both must be supplied):
config macfilter add <MAC address> <WLAN ID> [interface_name] [description] [IP address]
(Cisco Controller) >config macfilter add 00:21:6A:11:A8:AA 2 interface "description" 192.168.1.10
In this example, interface stands for the name of the dynamic interface the client is placed on.
Note: the description is optional, up to 32 characters, and must be enclosed in double quotes.