
8-25
Cisco Aironet 1200 Series Access Point Software Configuration Guide
OL-2159-05
Chapter 8 Security Setup
Setting Up MAC-Based Authentication
When you set Default Unicast Address Filter to disallowed, the radio discards all unicast traffic except
packets sent to the MAC addresses listed as allowed on the authentication server or on the access point’s
Address Filters page.
Note Client devices associated to the radio are not immediately affected when you set the Default
Unicast Address Filter to disallowed.
Step 17 Click OK. You return automatically to the Setup page. Client devices that associate with the access point
through this radio will not be allowed to authenticate unless their MAC addresses are included in the list
of allowed addresses.
Authenticating Client Devices Using MAC Addresses or EAP
You can set up one or both access point radios to authenticate client devices using a combination of
MAC-based and EAP authentication. When you enable this feature, client devices that associate to the
access point using open authentication attempt both MAC and EAP authentication. If MAC
authentication succeeds, the client device joins the network; if the client is also using EAP
authentication, it attempts to authenticate using EAP. Even if MAC authentication fails, the access point
allows the client device to attempt EAP authentication.
Follow these steps to combine MAC-based and EAP authentication for client devices using IEEE 802.11
open authentication:
Step 1 Follow the steps in the “Setting Up EAP Authentication” section on page 8-15 to set up EAP. You must
select Require EAP under Open authentication on the radio's AP Radio Data Encryption page to force
client devices to perform EAP authentication if they fail MAC authentication. If you do not select
Require EAP, client devices that fail MAC authentication might be able to join the network without
performing EAP authentication.
Step 2 Follow the steps in the “Setting Up MAC-Based Authentication” section on page 8-21 to set up
MAC-based authentication.
Step 3 Follow this link path to reach the Address Filters page:
a. On the Summary Status page, click Setup.
b. On the Setup page, click Address Filters under Associations.
Step 4 Select yes for the option called Is MAC Authentication alone sufficient for a client to be fully
authenticated?
Step 5 Click Apply. When you enable this feature, the access point follows these steps to authenticate all clients
that associate using open authentication:
a. When a client device sends an authentication request to the access point, the access point sends a
MAC authentication request in the RADIUS Access Request Packet to the RADIUS server, using the
client's MAC address as both the user ID and the password.
b. If the authentication succeeds, the client joins the network. If the client is also using EAP
authentication, it attempts to authenticate using EAP.
c. If the client fails MAC authentication, it still attempts to authenticate using EAP authentication. The
client cannot join the network until EAP authentication succeeds.
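
The admission logic from Step 5, together with the Require EAP caveat from Step 1, can be checked as a small decision model. This is an added example, not code from the access point or from Cisco; the function names and result strings are illustrative, and the case the guide describes as "might be able to join" is modelled as the worst case (the client joins).

```python
from itertools import product

# Model of the admission decision with the Step 4 option
# ("Is MAC Authentication alone sufficient ...") set to yes.
# All names here are illustrative assumptions, not Cisco identifiers.


def admission(require_eap: bool, mac_ok: bool, eap_ok: bool) -> str:
    """Return how a client using open authentication ends up.

    require_eap: Require EAP is selected under Open authentication.
    mac_ok: the client's MAC address was accepted by MAC authentication.
    eap_ok: the client performed EAP authentication and it succeeded.
    """
    if mac_ok:
        # Step 5b: MAC success lets the client join; EAP may follow.
        return "joined: MAC+EAP" if eap_ok else "joined: MAC only"
    if eap_ok:
        # Step 5c: MAC failed, but EAP succeeded.
        return "joined: EAP only"
    if require_eap:
        # Step 5c: the client cannot join until EAP succeeds.
        return "rejected"
    # Step 1 caveat: without Require EAP, a client that fails MAC
    # authentication "might be able to join"; modelled as worst case.
    return "joined: unauthenticated"


def audit(require_eap: bool) -> dict:
    """Enumerate every (mac_ok, eap_ok) outcome for one setting."""
    return {
        (mac_ok, eap_ok): admission(require_eap, mac_ok, eap_ok)
        for mac_ok, eap_ok in product((True, False), repeat=2)
    }


def unauthenticated_paths(require_eap: bool) -> list:
    """Client states that reach the network with no successful check."""
    return [state for state, result in audit(require_eap).items()
            if result == "joined: unauthenticated"]


if __name__ == "__main__":
    for setting in (False, True):
        print(f"Require EAP selected: {setting}")
        for (mac_ok, eap_ok), result in audit(setting).items():
            print(f"  MAC ok={mac_ok!s:5} EAP ok={eap_ok!s:5} -> {result}")
```

The "joined: MAC only" rows are the ones to review when auditing this configuration, because those clients are admitted on the MAC address alone.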