Cisco AP 1130AG mac filter + Radius authentication

Posted on 2009-12-29
Last Modified: 2013-11-12
Hello,  I was wondering if it was possible to do both mac filtering and radius authentication on a Cisco AP 1130AG.  I currently have Radius Authentication going to a Cisco ACS server and it is working just fine.  It uses an Agent on a Windows Domain Server for login credentials.  My issue is we are needing to redirect logging from the APs to a SIM event correlating server to let me know when there are attempts at logging into our APs.  I have already set the logging to point to the internal SIM event correlator using the following command:
But the SIM server tech people said that I need to create a MAC filter on the AP for it to get an invalid connection attempt to have a log entry triggered.  Do I have to do that on the ACS server, or can it be done on the AP at the same time it's using Radius authentication?  I already called Cisco TAC but the guy couldn't understand my question.
Question by:Truity Credit Union
    LVL 57

    Expert Comment

    Is this for testing?  Why wouldn't attempting to log-in with a bad user-id or password be logged to the SIM?

    I don't think you can have two concurrent log-in authentication methods at the same time.  To do MAC filtering, what really happens on the AP is that it is set up with internal user authentication, and the user-id and password are the MAC of the wireless adapter.


    Author Comment

    by:Truity Credit Union
    So if there was an attempt at login to the AP regardless, it should go ahead and log to the AP, then redirect the log entry to the event correlator server?  It doesn't forward all attempts to the ACS Radius server?  I'm not an expert on authentication.

    That would be great if it just redirected anything logon related, failed or successful; that way the SIM could create a filter for reporting on all failed attempts.  I guess I could do that from the ACS, but the ACS logs didn't show any failed attempts for anything but valid Active Directory users.  I need failed, but I might just not have any failed attempts to look at.  I'm not at the location to test.

    Thanks for the response!

    LVL 57

    Accepted Solution

    Have you setup the ACS to forward events to the SIM?  If this is what is doing the authentication, this is what must forward anything (goods, bads, or good and bads) to the SIM.

    Now to tell the truth, I can't remember if the ACS can forward to a syslog server; I would have to check the one at my work.  I'm on vacation right now, so it may be a few hours before I can get into our system to see.  However, the ACS does create a failed log.  But I am guessing that your "SIM" people would like to have the log.

    Maybe I was not clear (which happens a lot).  The only way the AP will forward authentication attempts to the SIM is if it (the AP) is doing the authentication itself.  Which in your case it is not.  It is forwarding the authentication to a "RADIUS" server, your ACS.

    Author Comment

    by:Truity Credit Union
    ACS has a setting for logging to syslog servers, for different types: failed attempts, passed authentications, RADIUS accounting.  Sounds like I do not need to point my APs to the SIM but just the ACS, and I should be good to go?  I will give that a try.
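    The point the accepted solution makes is that the failed-attempt record comes from whichever box performs the authentication: the AP only when it authenticates locally against its MAC list, otherwise the ACS. Once both feeds reach the SIM, the practical problem is that they arrive in different shapes. The following Python script is an added example, not code from this thread, from Cisco, or from any SIM vendor: it normalises constructed AP-style and ACS-style syslog lines into one event record, puts MAC addresses into a single format (Cisco dotted and dash-separated forms both appear in practice), and counts failed attempts per source and per station so the SIM filter the author wants can be built on one field. The message tags (`%DOT11-7-AUTH_FAILED`, `FailedAttempts:`, `PassedAuthentications:`) and the sample lines are assumptions made for this example and should be adjusted to whatever the real export actually sends.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample syslog lines (not real captures). The "ap-lobby-1" lines
# mimic what an autonomous Cisco IOS AP would emit if it performed MAC
# authentication itself; the "acs-1" lines mimic an ACS "Failed Attempts" /
# "Passed Authentications" syslog export. Both message formats are assumptions
# made for this example, not taken from vendor documentation.
SAMPLE_LOGS = [
    "<187>Dec 29 10:01:02 ap-lobby-1 %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed",
    "<190>Dec 29 10:01:07 ap-lobby-1 %DOT11-6-ASSOC: Interface Dot11Radio0, Station 0011.2233.aabb Associated",
    "<187>Dec 29 10:02:15 ap-lobby-1 %DOT11-7-AUTH_FAILED: Station 0011.2233.4455 Authentication failed",
    "<13>Dec 29 10:03:40 acs-1 FailedAttempts: User-Name=jdoe Caller-ID=00-11-22-33-44-55 Failure-Code=Invalid-Password",
    "<13>Dec 29 10:03:55 acs-1 PassedAuthentications: User-Name=asmith Caller-ID=00-11-22-33-AA-BB",
    "<13>Dec 29 10:04:10 acs-1 FailedAttempts: User-Name=jdoe Caller-ID=00-11-22-33-44-55 Failure-Code=Invalid-Password",
    "this line is not syslog at all and must be ignored",
]

# RFC 3164 style line: <PRI>Mon dd hh:mm:ss host message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Accept both Cisco dotted (0011.2233.4455) and colon/dash separated forms.
MAC_RE = re.compile(
    r"(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}|(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}"
)


def normalize_mac(raw: str) -> str:
    """Reduce any common MAC notation to lower-case colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class AuthEvent:
    source: str            # "ap" (AP authenticated locally) or "radius" (ACS)
    host: str              # syslog sender
    outcome: str           # "failed" or "passed"
    mac: Optional[str]     # normalised station MAC, if present
    user: Optional[str]    # RADIUS User-Name, if present


def parse_event(line: str) -> Optional[AuthEvent]:
    """Turn one syslog line into an AuthEvent, or None if it is not an auth outcome."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, msg = m.group("host"), m.group("msg")
    mac_m = MAC_RE.search(msg)
    mac = normalize_mac(mac_m.group(0)) if mac_m else None
    user_m = re.search(r"User-Name=(\S+)", msg)
    user = user_m.group(1) if user_m else None
    if msg.startswith("%DOT11-"):
        # The AP only reports an authentication outcome when it authenticates
        # locally; association and other radio messages are not auth results.
        if "AUTH_FAILED" in msg:
            return AuthEvent("ap", host, "failed", mac, user)
        return None
    if msg.startswith("FailedAttempts:"):
        return AuthEvent("radius", host, "failed", mac, user)
    if msg.startswith("PassedAuthentications:"):
        return AuthEvent("radius", host, "passed", mac, user)
    return None


def parse_all(lines: Iterable[str]) -> List[AuthEvent]:
    return [e for e in (parse_event(l) for l in lines) if e is not None]


def failed_by_source_and_mac(lines: Iterable[str]) -> Counter:
    """Count failed attempts keyed by (source, mac); shows which box reported them."""
    return Counter((e.source, e.mac) for e in parse_all(lines) if e.outcome == "failed")


def repeat_offenders(lines: Iterable[str], threshold: int = 2) -> List[str]:
    """Stations with at least `threshold` failed attempts across all sources."""
    per_mac = Counter(e.mac for e in parse_all(lines) if e.outcome == "failed" and e.mac)
    return sorted(mac for mac, n in per_mac.items() if n >= threshold)


if __name__ == "__main__":
    for key, n in sorted(failed_by_source_and_mac(SAMPLE_LOGS).items()):
        print(f"{key[0]:6} {key[1]}  failed={n}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOGS))
```

    With the constructed input, the same station shows two failures reported by the AP and two by the ACS; a SIM rule keyed on the normalised MAC sees all four, whereas a rule that only watched the AP feed would miss the RADIUS failures the thread is actually concerned with.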

    LVL 20

    Expert Comment

    by:Jakob Digranes
    I haven't used the Ciscos with a RADIUS server other than Windows IAS, nor do I have one up and running here to check for MAC filtering + user authentication at the same time.
    But I'm working mostly with Aruba at the moment, and there you can stage logons with different types of authentication, i.e. at first the station is authenticated based on MAC to give a certain role, perhaps internet access, and if the correct user is logged on (via RADIUS) you can have LAN access. (Not saying it would be a good solution ...)

    When you think of it, how would you maintain and support MAC filtering? It's probably the worst kind of access control in WiFi environments: the biggest amount of manual overhead to deploy and maintain, and, given a large number of computers, the easiest access control to bypass.

    BTW, are the APs stand-alone or in a controller-based environment?

    And, as you already concluded earlier in the thread, the authentication success/failure is done at the RADIUS server, not the AP.


    Author Comment

    by:Truity Credit Union
    The only reason is for sending events to a syslog server for first-line detection of unauthorized connection attempts.  If that can be done at the ACS, then that is what I will probably need to do.

    thanks for all the posts!
