[How To] Catalyst 9800 WLC - Configure MAC Address Filtering

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
In today's video we're gonna take a look at  configuring MAC address based filtering on   the Catalyst 9800 series wireless controller. So  this is a brand new controller that I have just   installed and got running up in my lab. I also  have one access point that's joined to it right   now. We're gonna walk through an initial wireless  LAN setup as we have none configured today - and   then we'll go through what it takes to configure  MAC address based filtering on that wireless LAN   to restrict devices based on their MAC address.  So first we're going to go over to configuration,   and then drop down to the wireless setup. Sow  you see two options here, one is basic and one   is advanced. A couple of months ago I wrote up  a blog post that went through how to do this   using the basic wireless setup - so for a little  bit of a change, I'll do the advanced setup this   time. So the 9800 controller gives us a quick flow  diagram that tries to explain to us a little bit   of what we need to do. Essentially in order to  configure the wireless LAN, we'll have a couple   of things including the policies and profiles  - and then once we've finished those we'll add   those to what's called a policy tag. Then we'll  do a couple of configuration settings for the   site and the radio. Once we're done with all of  that we can add those tags to the access points   themselves to deploy the policy. So let's go ahead  and click start now. Alright, now we see our tags   and profiles that have just popped up on the right  side of the screen. First we're gonna start with   the wireless LAN profile. We'll go ahead and  add a new profile - and we need to configure a   couple of things here... First is going to be the  profile name, in this case we'll name WLAN_IoT. It will auto-populate the SSID  based on our profile name,   but we can change that to anything we we like.  In my case I'll just set this to test222 for   this purpose. The wireless LAN ID is just an  internal identifier for the LAN ID itself,   and we can leave that as one. We do also want to  make sure that we change the status to enabled. Next we want to look at the Security tab.  And it's already set up for WPA plus WPA2,   but we'll still have a couple of settings we  need to change here. Go ahead and scroll down,   and we'll see that it is already configured  to use AES for WPA2 encryption. However,   it's pre-configured to use dot1x. In my lab I'm  not running ISE or any other radius servers,   so we'll go ahead and unselect dot1x and select  PSK. Go ahead and type in the pre-shared key.   And hit apply a device. All right, now that we  have our Wireless LAN configured - we need to next   go to the policy profile. In here we'll go ahead  and click Add. And we'll name this our policy_IOT. We want to make sure that this is also enabled.  And because I'll be setting up this wireless LAN   and access point for flex connect, will disable  everything except central authentication. Next we want to go over to access policies.   And this particular network is  going to be running on VLAN 800. Add that in, and then go ahead and click apply  to device. Lastly for the wireless LAN setup,   we need to take a look at the policy tags. This is  essentially going to be a mapping of our wireless   profile to our policy profile. We can just use  the default policy tagging for this. Open it up,   go ahead and click Add. We will then select our  wireless LAN profile and our policy profile.   Don't forget to click the checkbox to actually add  this mapping to the policy, then update and apply   to device. Next we have a couple of settings  for the AP and site. We don't need to make any   changes immediately to the AP join profile, but  we will need to make changes to the Flex profile   since this is a flex connect access point. We'll  go ahead and click Add. And I'll name my policy   Flex_IOT. Our native VLAN is 1, which is good. We  have no changes there, but we will have to make a   change to the additional VLANs that the access  point is going to be servicing. So we'll click   on the VLAN tab, click Add, add our VLAN name  and ID. And hit save, and then apply to device. Next we'll go to the site tagging and make sure  that our flex profile is attached to this site.   We can use the default site tag again here.  We will need to uncheck "enable local site"   in order to access the Flex profile settings.  And add our profile name here. Next we can hit   update and apply to device. We won't need to make  any changes to the RF profile and RF tagging,   however, in order to apply our changes we  will need to tag our new policies to the   AP itself. So we'll go ahead and click on  tag APs. And we can see that we have one AP   already up and running. And we'll select that,  click tag - set our policy tag, our site tag,   and our RF tag. And it will warn us that once we  hit apply, this will cause the AP to disconnect,   apply the policies, and reconnect to the  controller. So next we'll go ahead and click   apply to device. So while the AP is rebooting and  applying its policies, we can start taking a look   at the security settings that will be required  to implement the MAC address based filtering. So   we'll go over to configuration, and then security,  AAA. First we'll go over to the AAA method list,   and drop down to authorization. And we will  create a new authorization type here. I   will name mine auth_IOT, the type will be  network, and the group type will be local. Once we have that configured, we can go over to  AAA advanced. And we'll create an attribute list,   hit add, and we'll type our list name. Next we'll  click Add, and set our attribute type to SSID,   and our attribute value to the wireless LAN we  just configured. Go ahead and hit apply to device.   The last thing we need to do here is configure  the MAC addresses that will be allowed to join   our wireless network. So we'll click on device  authentication, MAC addresses, and click Add. So I'll be using just one of my smartphones to  test this. So I've added that MAC address in   here. Next we'll go down to the attribute list  name, and select our attribute list that we   configured before. And hit apply to device. This  will allow this particular device to access the   wireless LAN that we configured, while denying all  other devices. However, we still have not applied   this specific MAC address list to the wireless  LAN. So let's go ahead and do that now. We'll   go over to configuration, and then under tags  and profiles, we'll go over to wireless LANs.   We'll select the LAN that we configured earlier.  And go over to the security tab, and right under   layer two security mode we'll see an option for  MAC filtering - which will select. And then select   our authorization list that we configured. Go  ahead and click update and apply to device.   Alright, next we're gonna switch over to a view  of the device that I'm using to test this. And   we'll go ahead and drop into the Wi-Fi settings  - and we see pretty quickly that our new SSID is   up and running. So go ahead and click on that  and to join it, and hit connect. Now at first   glance it looks like our wireless network is  not connecting - and there's a reason for that.   A lot of modern operating systems, including  cell phones and latest versions of Windows,   actually use a randomized private MAC address  for wireless connectivity to preserve privacy.   So first we'll go ahead and click modify,  drop down to expand Advanced Options,   and at the bottom where it says "Use Randomized  MAC" - we'll hit "Use Device MAC", save, and our   wireless connection should connect now. And now  it looks like our wireless profile did connect.   Now if we go back to the dashboard of our wireless  controller, we'll see now that we have one active   client. And we have our connection. Okay that's  all for this video - thank you for watching
Info
Channel: 0x2142 - Networking Nonsense
Views: 3,409
Rating: undefined out of 5
Keywords: 9800, access point, bssid, cat9800, catalyst, catalyst 9800, cisco, cisco systems, ewlc, flex connect, flexconnect, iot, ise, MAC address, mac filtering, network segmentation, segmentation, ssid, vwlc, wireless, wireless controller, wlc, 9120, 9130, 9115, catalyst 9100, wifi 6, 802.11ax, wifi 6e
Id: rWupjgsF0HM
Channel Id: undefined
Length: 8min 55sec (535 seconds)
Published: Tue May 19 2020
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.