16-9
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter16 Configuring Filters
Configuring Filters Using the Web-Browser Interface
Determining the source of MAC Authentication
To define the source of MAC address verification for SSID MAC authentication, go to
Security > Advanced Security > MAC Address Authentication.
In the MAC Address Authentication tab:
To exclusively use the list of MAC addresses defined in the local page to authenticate client MAC
addresses on target SSIDs, click the Local List Only option.
To use the local MAC address list as the primary MAC address authentication method for SSID
MAC-address authentication, when a list created on an external RADIUS server for MAC addresses
not found in the local list, click the Authentication Server if not found in the local list option.
To use primarily an external RADIUS server (or the access point internal RADIUS server), and to
revert back to a local list on the same page only if the external server is not responding, click the
Local list if no response from Authentication server option.
To only use an external RADIUS server or the AP internal RADIUS server, and to never use the
MAC addresses defined on the local page, click the Authentication Server Only option.
Click Apply to validate your choice.
Using the CLI, you can determine the source of MAC address verification using the global command
aaa authentication login mac_methods.
The following example configures the AP to use the local list, and only revert to a group of RADIUS
servers called rad_mac if the MAC address is not found in the local list:
ap(config)# aaa authentication login mac_methods local group rad_mac
For more details on how to create groups of RADIUS servers, see Chapter11, “Configuring
Authentication Types.”

Using a local MAC address list

If you want to use a list of MAC addresses defined on the MAC Address authentication page for SSID
MAC address authentication, enter at the bottom of the page the MAC addresses (one at a time) that are
authorized for authentication on the target SSIDs.
Note The list is global. A MAC address defined in the list will be authorized to join any SSID where MAC
address authentication is enabled. If you want to use different lists of MAC addresses for different SSIDs
on the AP, you must use an external RADIUS server.
From the CLI, a MAC address used for MAC address authentication is entered as a user, with the
mac-address as the password. The user is then assigned an exit autocommand to prevent the user from
accessing the AP interface. The following example creates the MAC address 1111.2222.3333 in the
global list:
ap(config)# username 111122223333 password 0 111122223333
ap(config)# username 111122223333 autocommand exit
ap(config)# end