Cisco WLAN Question

zyang
Level 1

We have a Cisco 4400 series WLAN controller.

When I go to the clients and view who is connected, I can also filter it.

However, it only lets me filter by MAC address, AP, WLAN profile, etc.

It does not have IP filtering.  Is there a way to filter using IP?  Basically I want to find a particular client with a certain IP that's connected to our WLAN.

Also how do we block the client?  If we deemed that person should not get access. 

Thank you.


grabonlee
Level 4

It is not feasible to police IP addresses, as the IPs will be assigned dynamically and keep changing depending on lease time. You could create a separate SSID and tie it down by MAC filter for important devices. A second SSID could be created and you apply an ACL to the WLAN restricting the assigned IP range to whatever destination you choose.

George Stefanick
VIP Alumni

Zhi,

If you want advanced filtering of your WLC, you need WCS or NCS. This will allow you to shape your searching efforts quickly and easily.

As for blocking a client. Pretty easy to do... You can do this in the CLI or GUI. I documented this on my blog.

http://www.my80211.com/cisco-wlc-cli-commands/2010/1/2/wlc-disable-wireless-client-client-exclusion.html

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

You are right, but Zhi asked about blocking based on IP, and there is no way to block a particular IP address because the client can always re-authenticate and get a new IP address. Your suggestion is based on MAC address after the client has authenticated. NCS helps as it includes broader criteria to block a client, for example using posture validation; however, that doesn't solve the IP issue. Unless his devices have static IPs, then he could block DHCP assignment.

Osita,

He wasn't clear if he wanted to block by IP. He asked how he could block a user. This can be handled if the user is tied to a device; then you can disable his MAC on the WLC regardless of IP address.

Also, there is no mention of what type of security is being used. This would play a role as to other options as well.

You could remove the user from the AD wireless group, if he is using EAP for example.

His question leaves other open questions.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

What I would do is check the ARP table on the switch, take the MAC address from there and deny them access.

Steve

Sent from Cisco Technical Support iPhone App

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
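
The ARP-table lookup suggested in the reply above, as an added example that is not part of any post in this thread: it parses IOS-style `show ip arp` output, matches the IP exactly (a text search for `10.20.30.57` would also hit `10.20.30.157`), and returns the MAC in colon-separated form for the controller's MAC filter. The sample table, the addresses and the function names are constructed for illustration, and the colon-separated form is an assumption about how the WLC displays client MACs.

```python
import ipaddress
import re

# Constructed sample of IOS-style "show ip arp" output (not from the thread).
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.20.30.1              -   0019.e8a1.0c41  ARPA   Vlan30
Internet  10.20.30.57            12   0021.6a3f.9b02  ARPA   Vlan30
Internet  10.20.30.58             0   Incomplete      ARPA
Internet  10.20.30.157            3   001e.c2aa.10fe  ARPA   Vlan30
"""

# One ARP row: protocol, IP, age, hardware address, type, optional interface.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>\S+)"
    r"\s+ARPA(?:\s+(?P<intf>\S+))?\s*$"
)
DOTTED_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


def to_colon_mac(dotted):
    """Convert 0021.6a3f.9b02 to 00:21:6a:3f:9b:02."""
    digits = dotted.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return {ip_address: (colon_mac, interface)} for resolved entries only."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if not m or not DOTTED_MAC.match(m["mac"]):
            continue  # header line, or an "Incomplete" entry with no MAC
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a valid address, skip the row
        table[ip] = (to_colon_mac(m["mac"]), m["intf"])
    return table


def mac_for_ip(text, ip):
    """Exact-match lookup; returns the colon-separated MAC or None."""
    entry = parse_arp(text).get(ipaddress.ip_address(ip))
    return entry[0] if entry else None


if __name__ == "__main__":
    print(mac_for_ip(SAMPLE_ARP, "10.20.30.57"))
```

The result is a snapshot: with DHCP the same IP can map to a different MAC after the lease changes, so the lookup has to be done while the client still holds the address.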

Hi, sorry for the late reply. There was probably a misunderstanding. I wanted to know when you go to Monitor > Clients. It shows you all the clients connected. I wanted to know if it's possible to filter by IP. As it gives me only MAC filtering. Sorry if I was not being clear.

Thank you.

Sent from Cisco Technical Support iPhone App
