MAC Address Filtering - Aironet1130AG

ZiPPygEEk
Level 1

I'm attempting to block about 10 to 15 users on the wireless by using MAC address filtering on the Aironet. I referenced the following link:

http://egementanirer.blogspot.com/2009/ ... dress.html

The policy does indeed work, but once I apply the filter all traffic on the wireless for that particular VLAN stops. Why would this happen? I wouldn't think I need to configure anything else for this to work, but maybe I'm wrong.

I was looking over the config and I noticed that each time I added a MAC address to the filter, it would create an access-list 701 deny 0000.0000.0000 ffff.ffff.ffff. Once I removed this access-list, traffic started flowing again, but when I add another MAC address the access-list shows up again. Kinda weird. Any reason for this?


15 Replies

Stephen Rodriguez
Cisco Employee

Evan,

When you apply the ACL, where are you applying it to? From the CLI, you can do a

dot11 association mac-list < ACL number >

this will stop the MAC address from being able to associate to the AP.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


blakekrone
Level 4

The link you are following is not going to do what you are looking to do. That link is for creating an association list that only ALLOWS the MACs that you enter, hence the default deny all statement.

This Cisco doc shows in a little more detail how to do the block:

http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37filt.html#wp1039154

You should be able to reverse the page and change the default action to forward and select block as the MAC action.

Surendra BG
Cisco Employee

Using the below link may be helpful..

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml#macbasedacls

Here is the deal.. By default you have the implicit deny on the Cisco IOS (not visible in the running config, enabled by default).. if you explicitly put DENY ANY ANY then the permit statements that come after it will break the ACL..

Check this bug as well..

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj83685

So the workaround is to not use the IMPLICIT DENY at the end again!!

Let me know if this answered your question and please don't forget to rate the useful posts!!

Regards

Surendra


ZiPPygEEk
Level 1

@ Stephen Rodriguez

I'm applying it to the Radio0.802.11G interface.

@blakekrone

I followed the link you showed me, which is pretty much the same thing in creating a filter, but they add an extra step under Security > Advanced Security > Association Access List. Now when I enabled this I see one or two packets drop, but I'm still able to pass traffic, unlike before when it killed everything. But I still haven't blocked access to the specified MAC I added under the filters.

@SurendraBG

I don't have access to the second link, being that I'm a Cisco guest. I tried simply entering the configuration using just the CLI, but same result as above. Unable to block that particular MAC address.

ZiPPygEEk
Level 1

It's back to killing everything again. I'm not sure why it delayed, but after I configured another Aironet two floors above this one, it all of a sudden brought down the laptop here that I'm testing with. I find that very odd. I really don't understand why this is so complicated, when it's a simple block of a MAC address.

Here is the configuration after following the instructions from the links above.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-1stFlrSouthside
!
no logging console
enable secret 5 $1$y1.u$cgb0SR6.PJcu.04NoiDGB0
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name cyberdyne.local
!
!
dot11 association mac-list 701
dot11 syslog
!
dot11 ssid GUEST
   vlan 160
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 083649420A160812401D0D0A3E2A232D
!
dot11 ssid Cyberdyne
   vlan 150
   authentication open
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 02570A4D02120E354541074B554643
!
!
!
username Cisco password 7 13094406065F5524
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 150 mode ciphers aes-ccm tkip
!
encryption vlan 160 mode ciphers aes-ccm tkip
!
ssid GUEST
!
ssid Cyberdyne
!
mbssid
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
bridge-group 1 input-address-list 701
bridge-group 1 output-address-list 701
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
bridge-group 160 subscriber-loop-control
bridge-group 160 block-unknown-source
no bridge-group 160 source-learning
no bridge-group 160 unicast-flooding
bridge-group 160 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
!
interface FastEthernet0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
no bridge-group 160 source-learning
bridge-group 160 spanning-disabled
!
interface BVI1
ip address 192.168.150.21 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.150.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 701 deny   001f.e18a.cf8b   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
exec-timeout 60 0
password 7 031008190B5E2F4D1F
line vty 0 4
exec-timeout 60 0
password 7 111D4A171A43050D55
line vty 5 15
password 7 13114400065D0A2B7A
!
end

Use the CLI and try this:

access-list 701 allow   0000.0000.0000   ffff.ffff.ffff

That didn't work using access-list 701 permit 0000.0000.0000 ffff.ffff.ffff. I noticed it was placed like this in the config:

ip default-gateway 192.168.150.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 701 deny   001f.e18a.cf8b   0000.0000.0000
access-list 701 deny   0000.0000.0000   ffff.ffff.ffff
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip

blakekrone
Level 4

do no access-list 701 deny 0000.0000.0000 ffff.ffff.ffff


ZiPPygEEk
Level 1

So that last command will revive the connection and get traffic flowing again, but it also allows the MAC address I added the restriction for to pass traffic too. Does that command cancel out the access-list deny *for that particular MAC*? Something is amiss here, very odd.

Can you post the config again with the changes made?

ZiPPygEEk
Level 1

Sure! I tried with and without the access-list permit. FYI the allow didn't work, so I needed to use permit.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname AP-1stFlrSouthside
!
no logging console
enable secret 5 $1$y1.u$cgb0SR6.PJcu.04NoiDGB0
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
ip domain name cyberdyne.local
!
!
dot11 association mac-list 701
dot11 syslog
!
dot11 ssid GUEST
   vlan 160
   authentication open
   authentication key-management wpa version 2
   wpa-psk ascii 7 083649420A160812401D0D0A3E2A232D
!
dot11 ssid Cyberdyne
   vlan 150
   authentication open
   authentication key-management wpa version 2
   guest-mode
   mbssid guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 02570A4D02120E354541074B554643
!
!
!
username Cisco password 7 13094406065F5524
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 150 mode ciphers aes-ccm tkip
!
encryption vlan 160 mode ciphers aes-ccm tkip
!
ssid GUEST
!
ssid Cyberdyne
!
mbssid
station-role root
l2-filter bridge-group-acl
!
interface Dot11Radio0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
bridge-group 1 input-address-list 701
bridge-group 1 output-address-list 701
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
bridge-group 160 subscriber-loop-control
bridge-group 160 block-unknown-source
no bridge-group 160 source-learning
no bridge-group 160 unicast-flooding
bridge-group 160 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
l2-filter bridge-group-acl
!
interface FastEthernet0.150
encapsulation dot1Q 150 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface FastEthernet0.160
encapsulation dot1Q 160
no ip route-cache
bridge-group 160
no bridge-group 160 source-learning
bridge-group 160 spanning-disabled
!
interface BVI1
ip address 192.168.150.21 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.150.2
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
access-list 701 deny   001f.e18a.cf8b   0000.0000.0000
access-list 701 permit 001f.e18a.cf8b   0000.0000.0000
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
bridge 1 route ip
!
!
!
line con 0
exec-timeout 60 0
password 7 031008190B5E2F4D1F
line vty 0 4
exec-timeout 60 0
password 7 111D4A171A43050D55
line vty 5 15
password 7 13114400065D0A2B7A
!
end

Right now you are denying but then allowing the same MAC:

access-list 701 deny   001f.e18a.cf8b   0000.0000.0000

access-list 701 permit 001f.e18a.cf8b   0000.0000.0000

The access list should be the following:

access-list 701 deny   001f.e18a.cf8b   0000.0000.0000

access-list 701 permit 0000.0000.0000   ffff.ffff.ffff

ZiPPygEEk
Level 1

That was my mistake on the copy and paste. Now that's very odd, it's working now. The MAC address is now timing out, and my other devices are passing traffic, yet when I make the same setting changes in the GUI it blocks all traffic. But it is working!!

So if I want to add other MAC addresses, I noticed it goes underneath the access-list 701 permit.  Will this cause problems? Are access-lists sequential, as in top down?  I don't believe they are, but I want to make sure.

Thank you so much for the help and for taking the time to troubleshoot.

When you want to add other MAC addresses, simply negate the permit statement with a no, add your blocks, then re-add the permit.

Glad we could get it working for you, please do rate the posts and mark them as answered as that helps others in the future find answers!
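The two rules the thread ends up relying on, first-match evaluation with an implicit deny at the end (the accepted solution above) and the remove-the-permit, add-the-denies, re-add-the-permit procedure (the last reply), as an added Python model. This is example code written for this page, not from the thread, Cisco IOS or any Aironet tool: it simulates how a 700-series MAC access list is walked top-down with a wildcard mask (1 bits are ignored, so 0000.0000.0000 is an exact match and ffff.ffff.ffff matches any MAC), flags entries that a catch-all above them shadows, and rebuilds the list in the order the thread settles on. Only 001f.e18a.cf8b comes from the thread; the other MAC addresses and the sample access lists are constructed.

```python
"""Added example: first-match simulator for Cisco IOS 700-series MAC access lists.

Not code from the thread or from Cisco. It models the rules the thread relies on:
  * entries are evaluated top-down and the first match wins;
  * the mask is a wildcard (1 bits are ignored), so 0000.0000.0000 is an exact
    match and ffff.ffff.ffff matches every MAC address;
  * a frame that matches nothing hits the implicit deny at the end.
"""
from dataclasses import dataclass
from typing import List, Tuple

ALL_BITS = 0xFFFFFFFFFFFF  # 48-bit MAC address


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation ('001f.e18a.cf8b') into an integer."""
    hexdigits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(hexdigits, 16)


@dataclass(frozen=True)
class MacAclEntry:
    action: str    # "permit" or "deny"
    address: int
    wildcard: int  # bits set to 1 are ignored when matching

    def matches(self, mac: int) -> bool:
        care = ~self.wildcard & ALL_BITS
        return (mac & care) == (self.address & care)


def parse_acl(config_lines: List[str], number: int) -> List[MacAclEntry]:
    """Collect 'access-list <number> {permit|deny} <mac> <mask>' lines in config order."""
    entries = []
    for line in config_lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[1] != str(number):
            continue
        if parts[2] not in ("permit", "deny"):
            raise ValueError(f"unknown action in MAC ACL line: {line!r}")
        entries.append(MacAclEntry(parts[2], mac_to_int(parts[3]), mac_to_int(parts[4])))
    return entries


def evaluate(acl: List[MacAclEntry], mac: str) -> Tuple[str, str]:
    """Walk the list top-down; return (verdict, which entry decided it)."""
    target = mac_to_int(mac)
    for idx, entry in enumerate(acl, start=1):
        if entry.matches(target):
            return entry.action, f"entry {idx}"
    return "deny", "implicit deny"


def shadowed_entries(acl: List[MacAclEntry]) -> List[int]:
    """1-based indices of entries that can never match because an earlier entry covers them.

    An earlier entry covers a later one when it ignores at least the same bits and
    agrees on every bit it does check; a 'permit any' above a new deny is the
    situation the thread's last reply warns about.
    """
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            covers_bits = (earlier.wildcard | later.wildcard) == earlier.wildcard
            care = ~earlier.wildcard & ALL_BITS
            if covers_bits and (earlier.address & care) == (later.address & care):
                shadowed.append(i + 1)
                break
    return shadowed


def build_blocklist_acl(number: int, blocked_macs: List[str]) -> List[str]:
    """Emit the list in the working order: specific denies first, permit-all last."""
    lines = [f"access-list {number} deny   {mac}   0000.0000.0000" for mac in blocked_macs]
    lines.append(f"access-list {number} permit 0000.0000.0000   ffff.ffff.ffff")
    return lines


# Constructed sample lists; only 001f.e18a.cf8b is the address from the thread.
BROKEN_CONFIG = [  # deny one MAC, then an explicit deny-all: nobody gets through
    "access-list 701 deny   001f.e18a.cf8b   0000.0000.0000",
    "access-list 701 deny   0000.0000.0000   ffff.ffff.ffff",
]
CORRECT_CONFIG = [  # the accepted solution's shape
    "access-list 701 deny   001f.e18a.cf8b   0000.0000.0000",
    "access-list 701 permit 0000.0000.0000   ffff.ffff.ffff",
]
APPENDED_CONFIG = CORRECT_CONFIG + [  # a second block typed after the permit
    "access-list 701 deny   0011.2233.4455   0000.0000.0000",
]

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("correct", CORRECT_CONFIG),
                      ("appended", APPENDED_CONFIG)):
        acl = parse_acl(cfg, 701)
        for mac in ("001f.e18a.cf8b", "0011.2233.4455", "aabb.ccdd.eeff"):
            print(name, mac, *evaluate(acl, mac))
        print(name, "shadowed entries:", shadowed_entries(acl))
    print("\n".join(build_blocklist_acl(701, ["001f.e18a.cf8b", "0011.2233.4455"])))
```

Running it shows the three states the thread passed through: with the explicit deny-all, every station is denied; with deny-then-permit-all, only the listed MAC is denied; and a deny appended below the permit-all is reported as shadowed, so the station it names is still permitted until the list is rebuilt with the permit at the bottom.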
