16-10
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter16 Configuring Filters
Configuring Filters Using the Web-Browser Interface
Using the AP internal RADIUS server for MAC address authentication
If you want to use a list of MAC addresses defined in the AP internal RADIUS server page, go to
Security > Local RADIUS Server > General Setup.
In the General Setup page, enable the server for MAC authentication by checking the MAC check box
in the Enable Authentication Protocols section. Then, click Apply to validate.
When using the AP internal RADIUS server, you need to define the AP as a RADIUS client. For this:
Step1 In the Network Access Server (AAA Clients) section, enter the AP’s IP address in the Network Access
Server field.
Step2 Enter a Shared Secret, which is a password used to authenticate the queries sourced from the AP IP
address. You will need to define the same shared secret when configuring the AP as a RADIUS server
in the Server Manager page.
Step3 Click Apply to validate.
For more details on how to configure the AP local RADIUS server, including CLI commands, see
Chapter 11, “Configuring Authentication Types.”.
To create individual MAC addresses to be used for MAC authentication on target SSIDs, in the
Individual Users section:
Step1 Enter the target MAC address, without any separator in both the Username and Password fields.
Step2 Check the MAC authentication only.
Step3 Click Apply to validate.
Note The MAC addresses defined in the AP internal RADIUS server are global.
If you configure the AP to use an authentication server for MAC address verification, all SSIDs
configured to use MAC authentication and the local AP RADIUS server will check the local list.
A major difference between using the AP global MAC address list and using the AP internal
Authentication server as a source for SSID MAC authentication is that the global list applies to all SSIDs
configured to use MAC address authentication. When choosing to use an authentication server for MAC
authentication, some SSIDs can use the AP internal server list, while other SSIDs can use an external
RADIUS server list.
From the CLI, you can add MAC address users by entering the local RADIUS server configuration
submode, and then creating users. The username and password are the MAC address, without the
separator. Add the keyword mac-only to specify that the user is used for MAC authentication.
The following example creates the MAC address user 333344445555:
ap(config)# radius-server local
ap(config-radsrv)# user 333344445555 password 0 333344445555 mac-auth-only
ap(config-radsrv)# end
When using the AP internal RADIUS server, you need to define the AP as a RADIUS server in the
Security > Server Manager page.