Cisco AP 1130AG mac filter + Radius authentication

Posted on 2009-12-29
Medium Priority
Last Modified: 2013-11-12
Hello,  I was wondering if it was possible to do both mac filtering and radius authentication on a Cisco AP 1130AG.  I currently have Radius Authentication going to a Cisco ACS server and it is working just fine.  It uses an Agent on a Windows Domain Server for login credentials.  My issue is we are needing to redirect logging from the APs to a SIM event correlating server to let me know when there are attempts at logging into our APs.  I have already set the logging to point to the internal SIM event correlator using the following command:
But the SIM server tech people said that I need to create a MAC filter on the AP for it to get an invalid connection attempt to have a log entry triggered.  Do I have to do that on the ACS server or can it be done on the AP at the same time its using Radius authentication.  I already called Cisco TAC but the guy couldn't understand my question.  
Question by:Truity Credit Union
  • 3
  • 2
LVL 57

Expert Comment

ID: 26141515
Is this for testing?  Why wouldn't attempting to log-in with a bad user-id or password be logged to the SIM?

I don't think you can have two concurrent log-in authentication methods at the same time.  To do MAC filtering what really happens on the AP is that it is setup with internal user authentication and the user-id and password is the MAC on the wireless adapter.


Author Comment

by:Truity Credit Union
ID: 26141564
So if there was an attempt at login to the AP regardless, it should go ahead and log to the AP, then redirect the log entry to the event correlator server?  It doesn't forward all attempts to the ACS Radius server?  I'm not an expert on authentication.

That would be great if it just redirected anything logon related failed or successful, that way the SIM could create a filter for reporting on all failed attempts.  I guess I could do that from the ACS but it didn't appear in the ACS logs any failed attempts for anything but valid Active Directory users.  I need failed, but I might just not have any failed attempts to look at.  I'm not at the location to test.

Thanks for the response!

LVL 57

Accepted Solution

giltjr earned 2000 total points
ID: 26141628
Have you setup the ACS to forward events to the SIM?  If this is what is doing the authentication, this is what must forward anything (goods, bads, or good and bads) to the SIM.

Now to tell the truth I can't remember if the ACS can forward to a syslog server, I would have to check the one at my work.  I'm on vacation right now so it may be a few hours before I can get into our system to see.  However, the ACS does create a failed log.  But I am guessing that your "SIM" people would like to have the log.

Maybe I was not clear (which happens a lot).  The only way the AP will forward authentication attempts to the SIM is if it (the AP) is doing the authentication itself.  Which in your case it is not.  It is forwarding the authentication to a "RADIUS" server, your ACS.
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!


Author Comment

by:Truity Credit Union
ID: 26141692
ACS has a setting for logging to syslog servers - for different types - failed attempts, passed authentication, radius accounting.  Sounds like I do not need to point my APs to the SIM but just the ACS, and I should be good to go?  I will give that a try.

LVL 22

Expert Comment

by:Jakob Digranes
ID: 26141857
I haven't used the Ciscos with other Radius than Windows IAS, nor do i have one up and running here to check for MAC filtering + user authentication at the same time.
But i'm working mostly with Aruba at the moment, and there you can stage logons with different types of authentication. i.e. At first the station is authenticated based on MAC to give a certain role, perhaps internet access, and if the correct user is logged on - via Radius - you can have LAN access. (not saying it would be a good solution ...)

When you think of it - how would you maintain and support MAC-filtering? It's probarbly the worst kind of access control in WiFi environments -> the biggest amount of manual overhead to deploy and maintain, and - given a large number of computers; the easiest access control to bypass.

btw - are the APs stand-alone or in a controllerbased environment?

and, as you already concluded earlier in the thread, the authentication success/failure is done at Radius not AP.


Author Comment

by:Truity Credit Union
ID: 26175939
only reason is for sending events to syslog server for first line detection of unauthorized connection attempts.  if that can be done at the ACS, then that is what I will probably need to do.  

thanks for all the posts!

Featured Post

Become an Android App Developer

Ready to kick start your career in 2018? Learn how to build an Android app in January’s Course of the Month and open the door to new opportunities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MAC Filtering: MAC filtering is like handing a list of names to a doorman. If someone comes to the door and mentions a name, this name is checked by the doorman on his list and granted or denied access by this. This means that if someone menti…
For Sennheiser, comfort, quality and security are high priority areas. This paper addresses the security of Bluetooth technology and the supplementary security that Sennheiser’s Contact Center and Office (CC&O) headsets provide.  
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Suggested Courses

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question