Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14709
Views
0
Helpful
5
Replies

block a single client MAC address for one SSID on WLC

m.sir
Level 7
Level 7

‎03-20-2012 01:20 AM - edited ‎07-03-2021 09:49 PM

Hello

We have multiple SSIDs and i need block one particular mac address from all SSIDs except one SSID (where this MAC can connect)

It looks SECURITY > AAA > Disabled Client feature is globaly for all SSIDs

and as MAC filtering doesnt support wildcards its also not option.. .any other idea how to achieve this??

thanks

Labels:
0 Helpful
5 Replies 5

George Stefanick
VIP Alumni
VIP Alumni

‎03-20-2012 01:31 AM

You would need to invlove a radius solution like ACS to do a mac filter by SSID and radius..

http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html

3.5  RADIUS-Based VLAN Access Control

As discussed earlier, each  SSID is mapped to a default VLAN-ID on the wired side. The IT  administrator may wish to impose back end (such as RADIUS)-based VLAN  access control using 802.1X or MAC address authentication mechanisms.  For example, if the WLAN is set up such that all VLANs use 802.1X and  similar encryption mechanisms for WLAN user access, then a user can  "hop" from one VLAN to another by simply changing the SSID and  successfully authenticating to the access point (using 802.1X). This may  not be preferred if the WLAN user is confined to a particular VLAN.

There are two different ways to implement RADIUS-based VLAN access control features:

1. RADIUS-based SSID access control: Upon  successful 802.1X or MAC address authentication, the RADIUS server  passes back the allowed SSID list for the WLAN user to the access point  or bridge. If the user used an SSID on the allowed SSID list, then the  user is allowed to associate to the WLAN. Otherwise, the user is  disassociated from the access point or bridge.

2. RADIUS-based VLAN assignment: Upon successful  802.1X or MAC address authentication, the RADIUS server assigns the user  to a predetermined VLAN-ID on the wired side. The SSID used for WLAN  access doesn't matter because the user is always assigned to this  predetermined VLAN-ID.

Figure 6 illustrates both RADIUS-based VLAN access control methods: VLAN assignment and SSID access control.

VLAN assignment: Both  "Engineering" and "Marketing" VLANs are configured to only allow 802.1X  authentication (LEAP, EAP-TLS, PEAP, and so on). As shown in Figure 6,  when John uses the "Engineering" SSID to gain access to the wireless  LAN, the RADIUS server maps John to VLAN-ID 24. This may or may not be  the default VLAN-ID mapping for the "Engineering" SSID. Using this  method, a user is mapped to a fixed wired VLAN throughout an enterprise  network.

RADIUS-based SSID access  control: David uses the "Marketing" SSID to gain access to the wireless  LAN. However, the permitted SSID list sent back by the RADIUS server  indicates that David is only allowed access to the "Engineering" SSID.  Upon receipt of this information, the access point disassociates David  from the wireless LAN network. Using this method, a user is given access  to only one SSID or to predetermined SSIDs throughout an enterprise  network.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
0 Helpful

Amjad Abdullah
VIP Alumni
VIP Alumni

‎03-21-2012 03:48 AM

As George said, it is easier to do what you want with a radius server.

However, there are some other options that you can take in consideration (if youa re not using a radius server for your SSIDs). Those suggesion may or may not be applicable to your situation but I am only suggesting some solutions.

1-) create mac filters for all your clients that use wireless. From MAC filter you can decide which client can connect to which SSID (or all SSID's if you'd like). you only allow the guy you want to connect to only one SSID to only that SSID and allow others to connect to all SSIDs. This is not feasible if you have large number of users or if you have mobile users that come and go because this needs you to add all mac addresses to filter on all your wireless devices (WLCs or standalone APs).

2-) create one more SSID for your guy and provide the credentials for this SSID to this only guy so you know he is only allowed to this SSID.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful

thomas03usmcsf
Level 1
Level 1

‎03-21-2012 09:23 PM

You could also block the mac on the switch that contains the interface VLAN for each SSID. If your using Cisco switches use this command.

Mac address-table drop

Don't block the Mac on the vlan of the SSID that you want to allow the client to connect to.

Sent from Cisco Technical Support iPhone App

0 Helpful

thomas03usmcsf
Level 1
Level 1

‎03-21-2012 09:25 PM

Here is the command, it didn't show up on my other post

Mac address-table xxxx.xxxx.xxxx static

vlan ### drop

Sent from Cisco Technical Support iPhone App

0 Helpful

Amjad Abdullah
VIP Alumni
VIP Alumni
In response to thomas03usmcsf

‎03-22-2012 03:52 AM

Tom;

Thanks for your hint.

But this is not going to block the communicatoin between clients on same AP because AP is not going to forward this traffic to the swtich!
This is not also going to work if you have (for whatever reason) multiple SSIDs on same VLAN.

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card