16-8
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter16 Configuring Filters
Configuring Filters Using the Web-Browser Interface
Step1 Creating a MAC address access-list using the command access-list number-700-799.
Step2 Use the global configuration command dott11 association mac-list list-number to apply the use the
MAC address access list as a filter for all wireless client associations, on all radios.
Clients not listed in the MAC address access-list will not be allowed to associate to any of the AP SSIDs,
on any of the AP radios.
The following example uses MAC address access-list 702 as a global MAC address association filter:
ap(config)# dot11 association mac-list 702
ap(config)# end
Configuring MAC Address Authentication
A MAC address filter applied to an interface filters the MAC addresses which are sending traffic through
that interface, regardless of the SSID in use. A MAC address filter applied at global association level
filters those MAC addresses that are allowed to associate to one of the access point SSIDs, regardless of
the SSID in use or regardless of the VLAN or interface associated to the SSID.
You can also use MAC addresses to filter the MAC addresses that are allowed to associate to a target
SSID. This process is called MAC address authentication. The following table compares the three MAC
address filtering methods available on Cisco IOS access points:
You can check MAC addresses used for authentication on the access point local list, or on an
authentication server. The authentication server can be an external RADIUS server or the AP internal
RADIUS server.
To configure your AP to use MAC address authentication on the SSID, you need to go through the
following steps:
Step1 Determine the source of MAC address authentication (local list, local AP RADIUS server, external
RADIUS server)
If you use the AP local list of local RADIUS server, create the MAC addresses on the AP (in the AP local
list of the RADIUS server, respectively)
Step2 Configure the SSID to use the method you defined.
Method Target Notes
Interface MAC
address filter
Specific interface
or VLAN
Applies to all SSIDs mapped to the target interface or
VLAN
Association MAC
address
AP, globally Applies to all SSIDs and all VLANs, for all wireless
clients associating to the AP
SSID MAC address
authentication
Specific SSID Applies to a specific SSID, regardless of the radio,
interface or VLAN to which the SSID is mapped