Chapter 8 Security Setup

Setting Up MAC-Based Authentication

When you set Default Unicast Address Filter to disallowed, the radio discards all unicast traffic except packets sent to the MAC addresses listed as allowed on the authentication server or on the access point’s Address Filters page.

Note: Client devices associated to the radio are not immediately affected when you set the Default Unicast Address Filter to disallowed.

Step 17 Click OK. You return automatically to the Setup page. Client devices that associate with the access point through this radio will not be allowed to authenticate unless their MAC addresses are included in the list of allowed addresses.

Authenticating Client Devices Using MAC Addresses or EAP

You can set up one or both access point radios to authenticate client devices using a combination of MAC-based and EAP authentication. When you enable this feature, client devices that associate to the access point using open authentication attempt both MAC and EAP authentication. If MAC authentication succeeds, the client device joins the network; if the client is also using EAP authentication, it attempts to authenticate using EAP. Even if MAC authentication fails, the access point allows the client device to attempt EAP authentication.

Follow these steps to combine MAC-based and EAP authentication for client devices using IEEE 802.11 open authentication:

Step 1 Follow the steps in the “Setting Up EAP Authentication” section on page 8-15 to set up EAP. You must select Require EAP under Open authentication on the radio’s AP Radio Data Encryption page to force client devices to perform EAP authentication if they fail MAC authentication. If you do not select Require EAP, client devices that fail MAC authentication might be able to join the network without performing EAP authentication.

Step 2 Follow the steps in the “Setting Up MAC-Based Authentication” section on page 8-21 to set up MAC-based authentication.

Step 3 Follow this link path to reach the Address Filters page:

a. On the Summary Status page, click Setup.

b. On the Setup page, click Address Filters under Associations.

Step 4 Select yes for the option called Is MAC Authentication alone sufficient for a client to be fully authenticated?

Step 5 Click Apply. When you enable this feature, the access point follows these steps to authenticate all clients that associate using open authentication:

a. When a client device sends an authentication request to the access point, the access point sends a MAC authentication request to the RADIUS server in a RADIUS Access-Request packet, using the client’s MAC address as both the user ID and the password.

b. If the authentication succeeds, the client joins the network. If the client is also using EAP authentication, it attempts to authenticate using EAP.

c. If the client fails MAC authentication, it still attempts to authenticate using EAP authentication. The client cannot join the network until EAP authentication succeeds.
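The MAC authentication request in step a, sketched as an added example (not code from this guide or from the access point software): it builds the header and credential attributes of an RFC 2865 Access-Request and shows what the RADIUS server recovers. It assumes the password travels as a PAP User-Password attribute and that the MAC is rendered as 12 lowercase hex digits; the function names are hypothetical.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 code and attribute types


def mac_credential(mac):
    """12 lowercase hex digits; this rendering of the MAC is an assumption."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.encode()


def _xor_chain(data, secret, authenticator, decrypt):
    """RFC 2865 5.2 hiding: XOR each 16-byte block with MD5(secret + previous ciphertext)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, pad))
        out, prev = out + res, (block if decrypt else res)
    return out


def build_mac_access_request(mac, secret, identifier=0, authenticator=None):
    """Header plus the two credential attributes only (no NAS attributes)."""
    if authenticator is None:
        authenticator = os.urandom(16)
    cred = mac_credential(mac)
    padded = cred + b"\x00" * (-len(cred) % 16)
    hidden = _xor_chain(padded, secret, authenticator, decrypt=False)
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v
                     for t, v in ((USER_NAME, cred), (USER_PASSWORD, hidden)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def server_view(packet, secret):
    """Return the (user name, password) pair the RADIUS server recovers."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator, pos, found = packet[4:20], 20, {}
    while pos + 2 <= length and packet[pos + 1] >= 2:
        found[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    password = _xor_chain(found[USER_PASSWORD], secret, authenticator, decrypt=True)
    return found[USER_NAME].decode(), password.rstrip(b"\x00").decode()
```

The server's decision rests on the MAC address alone; the shared secret only hides the User-Password attribute between the access point and the RADIUS server.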

Cisco Aironet 1200 Series Access Point Software Configuration Guide

 

OL-2159-05
