Wireless Security Configuration
Configuring MAC Address Authentication
Consider the following guidelines:
Use MAC address authentication for a small network with a limited
number of users. You can manually configure MAC addresses on the
access point itself without the need to set up a RADIUS server. The access
point supports up to 200 MAC addresses in its filtering table, but managing
a large number of MAC addresses across more than one access point
quickly becomes very cumbersome.
Use AP Authentication (802.1X) for networks with a larger number of
users and where security is the most important issue. A RADIUS server is
required in the wired network to control the user credentials (digital
certificates, smart cards, passwords, or other) of wireless stations. The
802.1X authentication approach provides a standards-based, flexible, and
scalable solution that can be centrally managed.
If you choose to configure RADIUS MAC authentication and 802.1X AP
Authentication together, the RADIUS MAC address authentication occurs
before 802.1X AP Authentication:
If RADIUS MAC authentication is successful, AP Authentication is
If RADIUS MAC authentication fails, AP Authentication is not performed.
MAC Lockout and Client/Station Deauthentication
When a MAC address is added to the MAC Lockout list, all sessions that match
the MAC address are immediately disconnected (deauthenticated and
disassociated) from all WLANs on all radios. The MAC address will be denied access
until it is removed from the MAC Lockout list by the administrator. The
maximum number of MAC addresses permitted on the MAC Lockout list is 300.
When a MAC address (client or station) is deauthenticated, using the
deauth-mac CLI command, all sessions that match the MAC address are
immediately disconnected from all WLANs on all radios. Unlike MAC Lockout,
however, the client/station can immediately re-authenticate. Client/station
deauthentication can only be performed using the CLI or via SNMP.
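The following audit script is an added example, not part of the original guide or the access point's software. It checks locally configured MAC lists against the limits stated above (200 filtering-table entries per access point, 300 MAC Lockout entries), reports addresses present on some access points but not others, and flags filter entries that also appear on the lockout list. The input layout, the function names, and the sample addresses are assumptions constructed for illustration.

```python
import re

FILTER_TABLE_MAX = 200   # per-access-point filtering table limit from the guide
LOCKOUT_MAX = 300        # MAC Lockout list limit from the guide

def normalize_mac(raw):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, or raise ValueError."""
    text = raw.strip()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", text):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = re.sub(r"[:.\-]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(ap_filters, lockout):
    """ap_filters: {ap_name: [mac, ...]} (assumed export layout); lockout: [mac, ...].
    Returns a list of (kind, subject, detail) findings."""
    tables = {ap: {normalize_mac(m) for m in macs} for ap, macs in ap_filters.items()}
    locked = {normalize_mac(m) for m in lockout}
    findings = []
    for ap in sorted(tables):
        if len(tables[ap]) > FILTER_TABLE_MAX:
            findings.append(("over-limit", ap, len(tables[ap])))
    if len(locked) > LOCKOUT_MAX:
        findings.append(("over-limit", "lockout", len(locked)))
    for mac in sorted(set().union(*tables.values())):
        missing = sorted(ap for ap, t in tables.items() if mac not in t)
        if missing:
            # Same station would be treated differently depending on the AP.
            findings.append(("drift", mac, missing))
        if mac in locked:
            # Entry is in a filter table but denied everywhere by MAC Lockout.
            present = sorted(ap for ap, t in tables.items() if mac in t)
            findings.append(("on-lockout", mac, present))
    return findings

# Constructed sample data: mixed notations, one entry missing from ap-2.
SAMPLE_FILTERS = {
    "ap-1": ["00:11:22:AA:BB:01", "0011.22aa.bb02", "00-11-22-aa-bb-03"],
    "ap-2": ["00:11:22:aa:bb:01", "00:11:22:aa:bb:02"],
}
SAMPLE_LOCKOUT = ["001122AABB03"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILTERS, SAMPLE_LOCKOUT):
        print(finding)
```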