Turns out the reboot is what was needed. I am now happily being denied association on my personal wireless card. These things were rebooted more than once during the setup (bringing them to my desk, upgrading the firmware, etc) but I suppose I must have missed a crucial reboot on all 4 of them during the time I locked them down.

One more thing. It seems that if you check the option "Is MAC Authentication alone sufficient for a client to be fully authenticated?" to yes, and only use MAC auth, it won't work. All MAC addys will be auth'd, regardless of being on the filter list or not. This needs to be checked NO if you are using the static MAC auth from the AP.

I will keep these other interesting tidbits in the back of my mind, just in case one of my users has a really strange problem down the road. The APs are currently talking with non-cisco hardware (thankfully).

Finally, I did find this webpage with details (and a script) of updating the MAC filter lists via SNMP (and a little perl). Since I have 4 APs, this will make changes a little easier:
http://cornell.homedns.org:81/secondary/airOrange_2.htm




[EMAIL PROTECTED] writes:

Just another brief note - cisco hardware has a "communicate with other cisco ONLY" mode - if your other devices are NOT cisco, they're not going to make it through. Make sure this is turned off unless your whole net is and will always be cisco (talk about obscure security).


My philosophy is start off by turning off ALL security (wide open) - then get the wireless working - then one at a time turn on as many security features as you feel comfortable with - check the link in between each change including re-authenticating - then add more security. This way when something breaks, you know exactly what is doing it. If you mix brands (cisco/linksys/etc) then do the test with all brands represented. Re-authenticate each brand after turning on each security feature. There are incompatibilities out there. Murphy's law states you'll find the most obscure one last.


I even had a perfectly working network DIE when a new cisco bridge was added (ALL cisco h/w) - turned out it was the firmware revision. I first grabbed another cisco box off the shelf which had old firmware and things worked again. Revised the f/w in the "new" box and it worked too! Naturally this was not documented ANYWHERE.


Everett


Tony,


Did you remember to 'enable' the filter as well? It is under [Advanced] in the AP Radio row of the Network Ports section at the bottom of the Setup page.


http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag/air/ap3xx/SetAdvPC4800.shm.htm

Your problem sounds much like the filter is not being used, and all MACs are being allowed. Be careful not to lock yourself out of the AP, eh?


I am sure you are also paying good cash for TAC support - use them, they are good.

Cheers!
--- [EMAIL PROTECTED] wrote:
> This should be very easy, but it seems I'm having a hard time with it.
>
> I'm trying to get three 340s and one 350 to deny any MAC addy not in their list. They are using open authentication (no WEP), and the lists contain up-to-date MAC addresses of my users. The firmware is 12.03T on all units (just upgraded them yesterday). I've also disallowed the default unicast address filter in the AP Radio/Advanced page (for Open/Shared/EAP).
>
> My wireless MAC isn't added in, but can still associate with the APs, ping various places on my network and on the internet etc. In the AP's logs I see the following:
>
> 2003/09/18 15:44:15 Info Station [10.40.8.143]00022d0e1fbd roamed
> 2003/09/18 15:43:52 Info Station [10.40.8.143]00022d0e1fbd Associated
> 2003/09/18 15:43:52 Info Station [10.40.8.143]00022d0e1fbd Authenticated
> 2003/09/18 15:42:34 Info Station [10.40.8.143]00022d0e1fbd roamed
> 2003/09/18 15:41:44 Info Station [10.40.8.143]00022d0e1fbd Reassociated
> 2003/09/18 15:41:44 Info Station [10.40.8.143]00022d0e1fbd Authenticated
> 2003/09/18 15:41:44 Info Deauthenticating [10.40.8.143]00022d0e1fbd, reason "Must Authenticate Before Associating"
>
> I have to auth before I assoc, but I auth right through without a problem.
>
> I've read the documentation from Cisco on this portion at least half a dozen times in the last two days. I'm sure we paid some nice cash for these things, but I'm starting to feel like we should have got a few Linksys or something.
>
> What am I missing?
> --
> general wireless list, a bawug thing <http://www.bawug.org/>
> [un]subscribe: http://lists.bawug.org/mailman/listinfo/wireless





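A small check for the situation described in this thread, added here as an example and not code from the list or from Cisco: it parses Aironet station log lines in the format quoted above and reports every association or reassociation by a MAC that is not on the filter list, so an AP that silently allows all MACs (filter not enabled, or "MAC auth alone sufficient" set to yes) shows up in the log review rather than by accident. The log sample is constructed from the quoted lines plus one extra station; the allowlist values are illustrative.

```python
import re

# Constructed sample in the Aironet 340/350 log format quoted in the thread:
# IP in brackets immediately followed by a 12-hex-digit MAC, then the event.
SAMPLE_LOG = """\
2003/09/18 15:41:44 Info Deauthenticating [10.40.8.143]00022d0e1fbd, reason "Must Authenticate Before Associating"
2003/09/18 15:41:44 Info Station [10.40.8.143]00022d0e1fbd Authenticated
2003/09/18 15:41:44 Info Station [10.40.8.143]00022d0e1fbd Reassociated
2003/09/18 15:43:52 Info Station [10.40.8.143]00022d0e1fbd Authenticated
2003/09/18 15:43:52 Info Station [10.40.8.143]00022d0e1fbd Associated
2003/09/18 15:44:15 Info Station [10.40.8.143]00022d0e1fbd roamed
2003/09/18 15:45:01 Info Station [10.40.8.150]0040961a2b3c Associated
"""

STATION_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Info Station "
    r"\[(?P<ip>[\d.]+)\](?P<mac>[0-9a-fA-F]{12}) "
    r"(?P<event>Associated|Reassociated|Authenticated|roamed)$"
)


def normalize_mac(mac):
    """Accept 00022d0e1fbd, 00:02:2d:0e:1f:bd or 0002.2d0e.1fbd; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_station_events(log_text):
    """Return (timestamp, ip, mac, event) for each 'Info Station' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = STATION_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["ip"], m["mac"].lower(), m["event"]))
    return events


def find_unlisted_associations(log_text, allowed_macs):
    """Associations/reassociations by MACs absent from the filter list (any MAC notation accepted)."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    return [
        (ts, ip, mac, event)
        for ts, ip, mac, event in parse_station_events(log_text)
        if event in ("Associated", "Reassociated") and mac not in allowed
    ]


if __name__ == "__main__":
    # Illustrative filter list: only the second station is listed.
    for hit in find_unlisted_associations(SAMPLE_LOG, ["00:40:96:1a:2b:3c"]):
        print("UNLISTED", *hit)
```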
