Cisco Support Community
Community Member

Block clients from individual wlan

I have a 5508 with 2 WLANs (corp, guest). I would like to be able to block certain users via MAC address from CORP but not guest.

Can this be done?

CORP is using WPA2+AES
GUEST is using Web Auth (guest is not set up as a "guest vlan" in the config, just a regular wlan).


Cisco Employee

Re: Block clients from individual wlan

You can use MAC filtering. Not the most secure way, but it can do the trick for most users. That said, MAC addresses can be easily spoofed.


Community Member

Re: Block clients from individual wlan


Like Viren said, MAC address filtering is not the most secure way, as they can be easily spoofed.

Why don't you try peer-to-peer blocking?

Peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated. Peer-to-peer blocking enables you to have more control over how traffic is directed. For example, you can choose to have traffic bridged locally within the controller, dropped by the controller, or forwarded to the upstream VLAN.

For more on this you can check the following short Cisco doc:

Community Member

Re: Block clients from individual wlan

OK, so I don't see either of these as being what I am looking for.
My problem is with personal device users connecting to my local corp network instead of guest.

All they have to do is enter their domain auth and they are on the corp network. I would like to block them from doing so, but if I blacklist their MAC they are blocked from CORP and GUEST.
I am using Cisco ACS as auth via AD.


Re: Block clients from individual wlan

There is one way to achieve this. You can use client certificates on your corp ssid.

Block clients from individual wlan


I am not understanding how personal device users are connecting to the CORP WLAN if they don't have credentials? If they don't have credentials then they will not be able to connect to the WLAN.

If they have credentials then they are authorized to connect. What is the problem then?

Please clarify.



Rating useful replies is more useful than saying "Thank you"