In today's video we're gonna take a look at
configuring MAC address based filtering on the Catalyst 9800 series wireless controller. So
this is a brand new controller that I have just installed and got running up in my lab. I also
have one access point that's joined to it right now. We're gonna walk through an initial wireless
LAN setup as we have none configured today - and then we'll go through what it takes to configure
MAC address based filtering on that wireless LAN to restrict devices based on their MAC address.
So first we're going to go over to configuration, and then drop down to the wireless setup. Sow
you see two options here, one is basic and one is advanced. A couple of months ago I wrote up
a blog post that went through how to do this using the basic wireless setup - so for a little
bit of a change, I'll do the advanced setup this time. So the 9800 controller gives us a quick flow
diagram that tries to explain to us a little bit of what we need to do. Essentially in order to
configure the wireless LAN, we'll have a couple of things including the policies and profiles
- and then once we've finished those we'll add those to what's called a policy tag. Then we'll
do a couple of configuration settings for the site and the radio. Once we're done with all of
that we can add those tags to the access points themselves to deploy the policy. So let's go ahead
and click start now. Alright, now we see our tags and profiles that have just popped up on the right
side of the screen. First we're gonna start with the wireless LAN profile. We'll go ahead and
add a new profile - and we need to configure a couple of things here... First is going to be the
profile name, in this case we'll name WLAN_IoT. It will auto-populate the SSID
based on our profile name, but we can change that to anything we we like.
In my case I'll just set this to test222 for this purpose. The wireless LAN ID is just an
internal identifier for the LAN ID itself, and we can leave that as one. We do also want to
make sure that we change the status to enabled. Next we want to look at the Security tab.
And it's already set up for WPA plus WPA2, but we'll still have a couple of settings we
need to change here. Go ahead and scroll down, and we'll see that it is already configured
to use AES for WPA2 encryption. However, it's pre-configured to use dot1x. In my lab I'm
not running ISE or any other radius servers, so we'll go ahead and unselect dot1x and select
PSK. Go ahead and type in the pre-shared key. And hit apply a device. All right, now that we
have our Wireless LAN configured - we need to next go to the policy profile. In here we'll go ahead
and click Add. And we'll name this our policy_IOT. We want to make sure that this is also enabled.
And because I'll be setting up this wireless LAN and access point for flex connect, will disable
everything except central authentication. Next we want to go over to access policies. And this particular network is
going to be running on VLAN 800. Add that in, and then go ahead and click apply
to device. Lastly for the wireless LAN setup, we need to take a look at the policy tags. This is
essentially going to be a mapping of our wireless profile to our policy profile. We can just use
the default policy tagging for this. Open it up, go ahead and click Add. We will then select our
wireless LAN profile and our policy profile. Don't forget to click the checkbox to actually add
this mapping to the policy, then update and apply to device. Next we have a couple of settings
for the AP and site. We don't need to make any changes immediately to the AP join profile, but
we will need to make changes to the Flex profile since this is a flex connect access point. We'll
go ahead and click Add. And I'll name my policy Flex_IOT. Our native VLAN is 1, which is good. We
have no changes there, but we will have to make a change to the additional VLANs that the access
point is going to be servicing. So we'll click on the VLAN tab, click Add, add our VLAN name
and ID. And hit save, and then apply to device. Next we'll go to the site tagging and make sure
that our flex profile is attached to this site. We can use the default site tag again here.
We will need to uncheck "enable local site" in order to access the Flex profile settings.
And add our profile name here. Next we can hit update and apply to device. We won't need to make
any changes to the RF profile and RF tagging, however, in order to apply our changes we
will need to tag our new policies to the AP itself. So we'll go ahead and click on
tag APs. And we can see that we have one AP already up and running. And we'll select that,
click tag - set our policy tag, our site tag, and our RF tag. And it will warn us that once we
hit apply, this will cause the AP to disconnect, apply the policies, and reconnect to the
controller. So next we'll go ahead and click apply to device. So while the AP is rebooting and
applying its policies, we can start taking a look at the security settings that will be required
to implement the MAC address based filtering. So we'll go over to configuration, and then security,
AAA. First we'll go over to the AAA method list, and drop down to authorization. And we will
create a new authorization type here. I will name mine auth_IOT, the type will be
network, and the group type will be local. Once we have that configured, we can go over to
AAA advanced. And we'll create an attribute list, hit add, and we'll type our list name. Next we'll
click Add, and set our attribute type to SSID, and our attribute value to the wireless LAN we
just configured. Go ahead and hit apply to device. The last thing we need to do here is configure
the MAC addresses that will be allowed to join our wireless network. So we'll click on device
authentication, MAC addresses, and click Add. So I'll be using just one of my smartphones to
test this. So I've added that MAC address in here. Next we'll go down to the attribute list
name, and select our attribute list that we configured before. And hit apply to device. This
will allow this particular device to access the wireless LAN that we configured, while denying all
other devices. However, we still have not applied this specific MAC address list to the wireless
LAN. So let's go ahead and do that now. We'll go over to configuration, and then under tags
and profiles, we'll go over to wireless LANs. We'll select the LAN that we configured earlier.
And go over to the security tab, and right under layer two security mode we'll see an option for
MAC filtering - which will select. And then select our authorization list that we configured. Go
ahead and click update and apply to device. Alright, next we're gonna switch over to a view
of the device that I'm using to test this. And we'll go ahead and drop into the Wi-Fi settings
- and we see pretty quickly that our new SSID is up and running. So go ahead and click on that
and to join it, and hit connect. Now at first glance it looks like our wireless network is
not connecting - and there's a reason for that. A lot of modern operating systems, including
cell phones and latest versions of Windows, actually use a randomized private MAC address
for wireless connectivity to preserve privacy. So first we'll go ahead and click modify,
drop down to expand Advanced Options, and at the bottom where it says "Use Randomized
MAC" - we'll hit "Use Device MAC", save, and our wireless connection should connect now. And now
it looks like our wireless profile did connect. Now if we go back to the dashboard of our wireless
controller, we'll see now that we have one active client. And we have our connection. Okay that's
all for this video - thank you for watching
