Cisco WLAN Question

Unanswered Question
Apr 27th, 2012

We have a Cisco 4400 series WLAN controller.

When I go to the clients and view who is connected; I can also filter it.

However it only lets me filter by mac address, ap, wlan profile, etc.

It does not have IP filtering.  Is there a way to filter using IP?  Basically I want to find a particular client with a certain IP that's connected to our WLAN.

Also how do we block the client?  If we deemed that person should not get access. 

Thank you.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
grabonlee Fri, 04/27/2012 - 10:11

It is not feasible to police IP address as the IPs will be assigned dynamically and keeping changing depending on lease time. You could create a separate SSID and tie it down by mac filter for important devices. A second SSID could be created and you apply an ACL to the WLAN restricting the assigned IP range to wherever destination you choose.

George Stefanick Fri, 04/27/2012 - 12:08


If you want adavnce flierting of your WLC you need WCS or NCS. This will allow you to shape your seaching efforts quick and easliy.

As for blocking a client. Pretty easy to do... You can do this in the CLI or GUI. I documeted this on my blog

grabonlee Fri, 04/27/2012 - 12:59


You are right but Zhi asked about blocking based on IP and there is no way to block a particular IP address because the client can always re-authenticate and get a new IP address. Your suggestion is based on Mac address after the client has authenticated. NCS helps as it includes a broader criteria to block a client for example using posture validation however that doesn't solve the IP issue. Unless his devices have static IPs, then he could block dhcp assignment.

George Stefanick Fri, 04/27/2012 - 13:14


He wasnt clear if he wanted to block by IP. He asked how could he block a user. This can be handled if the user is tied to a device, then you can disable his mac on the WLC regardless of IP address.

Also there is no mention to what type of security is being used. This would play a role as to other options as well.

You could remove the user from the AD wireless group , if he is using EAP for example.

His question, leaves other open questions.

Stephen Rodriguez Fri, 04/27/2012 - 13:15

What I would do is check the ARP table on the switch, take the Mac address from there and deny them access.


Sent from Cisco Technical Support iPhone App Mon, 04/30/2012 - 07:35

Hi sorry for the late reply. There was probably a misunderstanding. I wanted to know when you go to monitor > Clients. It shows you all the clients connected. I wanted to know if it's possible to filter by ip. As it gives me only Mac filtering. Sorry if I was not being clear.

Thank you.

Sent from Cisco Technical Support iPhone App


Login or Register to take actions

This Discussion

Posted April 27, 2012 at 9:44 AM
Replies:6 Overall Rating:
Views:429 Votes:0
Tags: wlan

Related Content


Discussions Leaderboard

Rank Username Points
Scott Fella
Stephen Rodriguez
George Stefanick
Leo Laohoo
Manannalage ras...
Rank Username Points
George Stefanick
Manannalage ras...
Scott Fella
Freerk Terpstra

Trending Topics - Security & Network