
Deny handhelds by MAC address??

hvellekoop
Level 1

Hi,

We have a couple of WLANs here at our school.

One for handhelds only (hidden SSID PDA) with WPA2, another for all guests with Web authentication (SSID Hotspot).

Now some of the handhelds are connecting by themselves to the Hotspot wireless network, but their apps won't work correctly through the hotspot network.

We want to block the handhelds on the Hotspot WLAN, i.e. by MAC address.

How can we do that?

Can't seem to find it in the manual.

Thanks

Hans

1 Accepted Solution


Nuts!  I didn't see that you are using LWAP.  My deepest apologies for wasting your time. 

MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

19 Replies

sciencecare
Level 1

Not sure which AP you are running, but I accomplish this by creating a filter for each SSID: one that forwards packets for the MAC address of allowed devices on the internal network and one that blocks packets on the free wi-fi. I then apply that at the radio level, so they can 'connect' to the other but it will not allow an IP to be pulled. So even if they try to switch to bypass our web filter, they cannot, yet visiting clients (we run events with lots of visitors) can connect to the wifi and surf freely. Works well, but I cannot give more specific direction since you didn't mention which device you're using.

Hi,

The device we use is the Cisco Aironet AIR-AP1242AG-E-K9  

APs are configured through the Wireless LAN Controller.

Maybe this helps to be more specific?

Thanks for your assistance, much appreciated :-)

Leo Laohoo
Hall of Fame

"some of the handhelds are connecting by themselves to the Hotspot wireless network"

Hi Hans,

What SSIDs are the PDAs configured to associate with? Maybe the PDAs have both SSIDs configured and the "Hotspot" SSID is set to connect automatically?

Please don't forget useful posts.  Thanks.

The Hotspot WLAN is discovered automatically, and sometimes the PDA connects to it.

Maybe because the PDA WLAN is a hidden SSID?

So why not put a password at the "Hotspot" SSID?  Even a simple one.  I've never heard of an application to automatically connect to an SSID without asking.

The Hotspot WLAN is secured with a web password, connecting is possible without password, but when you want to access the Internet, a username/password is required.

HTML into the AP.

Go to Services -> Filters -> MAC Address Filters tab.

Please don't forget to rate useful posts.  Thanks.

Yes, I've seen that tab, but there is little explanation with it. That's why I'm here.

I know from other APs that I can filter on MAC, but that is to allow the specified MACs to use the AP.

What I want is to create a filter on the Hotspot SSID and deny all handhelds from connecting to it.

Would that be possible with this filter?

(BTW, super .. your fast replies!! )

I hope you know how to use CLI ...

Access Point ACL Filter Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml

CLI is not the problem.

I guess you refer to this in the html file:

Create a MAC address ACL 700.

This ACL does not allow the client 0040.96a5.b5d4 to associate with the AP.

access-list 700 deny 0040.96a5.b5d4 0000.0000.0000

But how to set the deny only on the SSID Hotspot WLAN?

How many radios does your AP have?  If 2 then configure Hotspot SSID to one radio and Handheld SSID to another radio.

Is this viable for you?

Not sure what radios are.

We have four SSIDs on the WLC.

Is that what radios are?

Can you tell me what is the exact model number of your AP?  In CLI, can you post the output of the command "sh ip interface brief"?

Hi Leolaohoo,

Device is Cisco Aironet AIR-AP1242AG-E-K9

CLI output from the two interfaces concerned:

Interface Name................................... PDA
MAC Address...................................... 00:1a:6d:dd:85:
IP Address....................................... 172.22.1.2
IP Netmask....................................... 255.255.0.0
IP Gateway....................................... 172.22.1.1
VLAN............................................. 11
Quarantine-vlan.................................. 0
Active Physical Port............................. LAG (29)
Primary Physical Port............................ LAG (29)
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.21.1.11
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No

Hotspot:
Interface Name................................... hotspot
MAC Address...................................... 00:1a:6d:dd:85:c7
IP Address....................................... 10.14.2.2
IP Netmask....................................... 255.255.254.0
IP Gateway....................................... 10.14.2.1
VLAN............................................. 14
Quarantine-vlan.................................. 0
Active Physical Port............................. LAG (29)
Primary Physical Port............................ LAG (29)
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.31.1.108
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
