
Aironet 1600 privilege level for MAC Filtering

patrick mignon
Level 1

Hi,

I want to permit a user profile, using the telnet CLI, to configure the new MAC address on the dot11 association mac-list 700.

I have created the user 14 with the following commands:

enable secret level 14 5 **************

enable secret 5 **************

privilege configure level 14 access-list

privilege exec level 14 write memory

privilege exec level 14 write

privilege exec level 14 configure terminal

privilege exec level 14 configure

privilege exec level 14 show dot11 associations client

privilege exec level 14 show dot11 associations

privilege exec level 14 show dot11

privilege exec level 14 show access-lists

privilege exec level 14 show

Access from login privilege 14

1602AP16#show privile
Current privilege level is 14


1602AP16#show access-l
Bridge address access list 700
    permit 100b.a965.7384   0000.0000.0000 (2 matches)
    permit 0026.c659.b182   0000.0000.0000
    permit 0019.d2c2.96c0   0000.0000.0000


OK

add the new MAC address

1602AP16(config)#access-list ?                                        
  <1-99>       IP standard access list
  <100-199>    IP extended access list
  <1100-1199>  Extended 48-bit MAC address access list
  <1300-1999>  IP standard access list (expanded range)
  <200-299>    Protocol type-code access list
  <2000-2699>  IP extended access list (expanded range)
  <700-799>    48-bit MAC address access list


1602AP16(config)#access-list 700 permit 0026.c659.b182   0000.0000.0000
                                                               ^
% Invalid input detected at '^' marker.

I can open the user level 14 config, and when I add the new MAC address I received the "Invalid input detected" message.

What is wrong?

Is it only permitted at level 15?

IOS version:

Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)

Thank you for sharing your comments!

Patrick

4 Replies

Sandeep Choudhary
VIP Alumni

Hi Patrick,

Please use privilege level 15 and then try.

Enter global configuration mode on the AP CLI:

This ACL allows the client 0026.c659.b182 to associate with the AP.

access-list 700 permit 0026.c659.b182 0000.0000.0000

!--- This ACL denies all traffic to and from

!--- the client with MAC address 0026.c659.b182.

Don't forget to apply this MAC-based ACL to the radio interface:

dot11 association mac-list 700

Regards

Hi Sandeep,

Thank you!

But I don't want to share the privilege 15 and give the full access on the AIR.

I want to permit adding the new MAC in the ACL 700 with another privilege level.

Sorry, do you have another proposal?

Best Regards

Patrick

Hi Patrick,

Can you try this:

privilege configure level 14 access-list


and all others with priv 13.


privilege exec level 13 write memory

privilege exec level 13 write

privilege exec level 13 configure terminal

privilege exec level 13 configure

privilege exec level 13 show dot11 associations client

privilege exec level 13 show dot11 associations

privilege exec level 13 show dot11

privilege exec level 13 show access-lists

privilege exec level 13 show

and then try to configure it.

If it still fails then you must use priv 15.

Regards

Hi Sandeep,

I tested with privilege 6 or 13 and it is the same.

!

username ose_admin privilege 13 password ******

enable password level 13 *******

privilege ipsnacl level 13 permit
privilege configure level 13 access-list
privilege exec level 13 write memory
privilege exec level 13 write
privilege exec level 13 configure terminal
privilege exec level 13 configure
privilege exec level 13 show dot11 associations client
privilege exec level 13 show dot11 associations

1602AP16(config)#access-list 700 permit a44e.3174.ed84   0000.0000.0000

                                      ^

% Invalid input detected at '^' marker.

The rest of the commands are working :-(

Thank you!

And Happy New Year!!
