Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Deny handhelds by MAC address??

Hi,

We have a couple of WLAN's here at our school.

One for handhelds only (hidden SSID PDA) with WPA2, another for all guests with Web authentication.(SSID Hotspot)

Now some of the handhelds are connecting by themselves to the Hotspot wireless network, but their apps won't work correct through the hotspot network.

We want to block the handhelds on the Hotspot WLAN i.e by MAC address.

How can we do that ??

Can't seem to find it in the manual..

Thanks

Hans

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

Nuts!  I didn't see that you are using LWAP.  My deepest apologies for wasting your time. 

MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

19 REPLIES
New Member

Re: Deny handhelds by MAC address??

Not sure which AP you are running but I accomplish this by creating a filter for each SSID one that forwards packets for the MAC address of allowed devices on the internal network and one that blocks packets on the free wi-fi.  I then apply that at the radio level so they can 'connect' to the other but it will not allow an IP to be pulled, so even if they try to switch to by pass our webfilter they cannot, yet visiting clients (we run events with lots of visitors) can connect to the wifi and surf freely.  Works good but I cannot give more specific direction since you didn't mention which device your using.

New Member

Re: Deny handhelds by MAC address??

Hi,

The device we use is the Cisco Aironet AIR-AP1242AG-E-K9  

AP's are configured through the Wireless Lan Controller.

Maybe this helps to be more specific?

Thanks for your assistence, much appreciated :-)

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

some of the handhelds are connecting by themselves to the Hotspot wireless network

Hi Hans,

What SSIDs are the PDAs configured to associate?  Maybe the PDAs have both SSID configured and "Hotspot" SSID is set to connect automatically?

Please don't forget useful posts.  Thanks.

New Member

Re: Deny handhelds by MAC address??

The Hotspot WLAN is discovered automatically, and sometimes the PDA connects to it.

Maybe cause the PDA WLAN is a hidden SSID ?

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

So why not put a password at the "Hotspot" SSID?  Even a simple one.  I've never heard of an application to automatically connect to an SSID without asking.

New Member

Re: Deny handhelds by MAC address??

The Hotspot WLAN is secured with a web password, connecting is possible without password, but when you want to access the Internet, a username/password is required.

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

HTML into the AP.

Go to Services -> Filters -> MAC Address Filters tab.

Please don't forget to rate useful posts.  Thanks.

New Member

Re: Deny handhelds by MAC address??

Yes, I've seen that Tab, but little explanation with it.. that's why I'm here..

I know form other AP I can filter on MAC, but that is to allow the specified MAC's to use the AP.

What I want is create a filter on the Hotspot SSID and deny all handhelds to connect to it.

Would that be possible with this filter?

(BTW, super .. your fast replies!! )

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

I hope you know how to use CLI ...

Access Point ACL Filter Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008058ed26.shtml

New Member

Re: Deny handhelds by MAC address??

CLI is not the problem.

I guess you refer to this in the html file:

Create a MAC address ACL 700.

This ACL does not allow the client 0040.96a5.b5d4 to associate with             the AP.

access-list 700 deny 0040.96a5.b5d4 0000.0000.0000

But how to set the deny only on the SSID Hotspot WLAN?

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

How many radios does your AP have?  If 2 then configure Hotspot SSID to one radio and Handheld SSID to another radio.

Is this viable for you?

New Member

Re: Deny handhelds by MAC address??

Not sure what radios is..

We have four SSID's on the WLC

Is that what radios is ?

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

Can you tell me what is the exact model number of your AP?  In CLI, can you post the output of the command "sh ip interface brief"?

New Member

Re: Deny handhelds by MAC address??

Hi Leolaohoo,

Device is Cisco Aironet AIR-AP1242AG-E-K9

CLI output from the two concerning interfaces :

Interface Name................................... PDA
MAC Address...................................... 00:1a:6d:dd:85:
IP Address....................................... 172.22.1.2
IP Netmask....................................... 255.255.0.0
IP Gateway....................................... 172.22.1.1
VLAN............................................. 11
Quarantine-vlan.................................. 0
Active Physical Port............................. LAG (29)
Primary Physical Port............................ LAG (29)
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.21.1.11
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No

Hotspot:
Interface Name................................... hotspot
MAC Address...................................... 00:1a:6d:dd:85:c7
IP Address....................................... 10.14.2.2
IP Netmask....................................... 255.255.254.0
IP Gateway....................................... 10.14.2.1
VLAN............................................. 14
Quarantine-vlan.................................. 0
Active Physical Port............................. LAG (29)
Primary Physical Port............................ LAG (29)
Backup Physical Port............................. Unconfigured
Primary DHCP Server.............................. 172.31.1.108
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
AP Manager....................................... No
Guest Interface.................................. No

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

Nuts!  I didn't see that you are using LWAP.  My deepest apologies for wasting your time. 

MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008084f13b.shtml

New Member

Re: Deny handhelds by MAC address??

No problem m8 ..

You helped me very well, I'll look in to the file and try some things, looks like this is what I was looking for.

So thanks for time and support !

Cheers

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

If this addresses your issue, can you mark this thread as "Answered"?  Thanks Hans.

Hall of Fame Super Gold

Re: Deny handhelds by MAC address??

Thanks Hans.

New Member

Re: Deny handhelds by MAC address??

Your most welcome

4464
Views
0
Helpful
19
Replies