Priority order of MAC Filtering on the WLC
The WLC supports two types of MAC filtering:
- Local MAC authentication
- MAC authentication using a RADIUS server
When designing a network environment, we may be in a situation where both types coexist. We then need to know which type the WLC will choose. The “Cisco Wireless Controller Configuration Guide” says the following:
For ISE NAC WLANs, the MAC authentication request is always sent to the external RADIUS server. The MAC authentication is not validated against the local database. This functionality is applicable to Releases 8.5, 8.7, 8.8, and later releases via the fix for CSCvh85830.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/wlan_security.html#ID647
Previously, if MAC filtering was configured, the controller tried to authenticate the wireless clients using the local MAC filter. RADIUS servers were attempted only if the wireless clients were not found in the local MAC filter.
To sum up, the WLC prefers the external RADIUS server first in versions above 8.5, while previous versions prefer the local database first.
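The two lookup orders quoted above, modelled as an added example (not Cisco code and not part of the original post) that lists the clients whose authentication source or result changes when a WLAN moves from local-first to RADIUS-first. Assumptions: the local filter and the RADIUS endpoint list are plain sets of MAC strings, a local hit always means accept, and all MAC addresses are constructed sample values.

```python
import re

def norm_mac(mac):
    """Normalize aa:bb:.., AA-BB-.. and aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_auth(mac, local_filter, radius_allowed, radius_first):
    """Return (source, accepted) for one client MAC.

    radius_first=True  models the quoted behaviour for ISE NAC WLANs:
                       the request always goes to RADIUS, the local
                       database is not consulted.
    radius_first=False models the earlier behaviour: local filter first,
                       RADIUS only if the MAC is not found locally.
    """
    mac = norm_mac(mac)
    if not radius_first and mac in local_filter:
        return ("local", True)
    return ("radius", mac in radius_allowed)

def upgrade_diff(local_macs, radius_macs):
    """List (mac, before, after) for every MAC whose outcome changes."""
    local = {norm_mac(m) for m in local_macs}
    radius = {norm_mac(m) for m in radius_macs}
    changed = []
    for mac in sorted(local | radius):
        before = mac_auth(mac, local, radius, radius_first=False)
        after = mac_auth(mac, local, radius, radius_first=True)
        if before != after:
            changed.append((mac, before, after))
    return changed

# Constructed sample data in mixed delimiter formats.
LOCAL_FILTER = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-01"]
RADIUS_ENDPOINTS = ["001122334455", "aabb.ccdd.ee02"]

if __name__ == "__main__":
    for mac, before, after in upgrade_diff(LOCAL_FILTER, RADIUS_ENDPOINTS):
        print(mac, "before:", before, "after:", after)
```

An entry that exists only in the local filter shows up as accepted before and rejected after, which is the case to resolve on the RADIUS server before the behaviour change takes effect.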
References:
Cisco Wireless Controller Configuration Guide, Release 8.5
MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example