Security

We are running ArubaOS 6.1.2.6 and we are looking to block certain mac address from connecting to certain SSID's.

Or

I would like to cerate a "blacklist" of mac addresses to and assign it to a wifi ssid.

how can I go about doing this with the verson of OS we're running?

---

@Ericsante wrote:

We are running ArubaOS 6.1.2.6 and we are looking to block certain mac address from connecting to certain SSID's.

 

Or

 

I would like to cerate a "blacklist" of mac addresses to and assign it to a wifi ssid.

 

 

how can I go about doing this with the verson of OS we're running?

---

I will just say that any access method that forces you to maintain a list of mac addresses has to be able to scale, otherwise it will be come a chore and then probably discontinued.

With that being said you can enforce mac authentication on any SSID by using the instructions here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1126

Hi,

Is there a way to do this using the Virtual Controller?

We're using OAW-AP205 (Alcatel-Lucent branded Instant 205 devices) running on 6.4.3.1-4.2.0.0_51112

I cannot find the Configuration > Security > Authentication > L2 Authentication page.

Probably missing something obvious...

Thanks,

Peter

http://www.arubanetworks.com/techdocs/Instant_41_Mobile/Advanced/Content/UG_files/Authentication/MAC_Authentication.htm

Hi,

Thank you for your reply, however, this was not the original question.

I don't want to limit which devices may access an SSID, I want to control which devices may NOT!

...practically speaking I don't want company laptops to use the guest wifi (simply because different rules and content filtering policies were defined for guests than staff)...

This is really a function of an authentication server with policy decisions. Do you have ClearPass?

Otherwise you'll have to maintain MAC to role assignments on the controller.

No, unfortunately we don't have ClearPass for the moment.

On Instant you can only block a MAC adress for every SSID. (Security -> Blacklisting)

Hi Sven,

Thank you for your reply, the key for me in it was every SSID. I want to block certain MACs from acessing just certain SSID(s).

Basically force company devices to use staff wifi, but not ban them entirely.

For now I can prevent associated hosts accessing WAN or other other zones, but I think it would be more relevant to prevent them accessing the guest WLAN in the first place.

Cheers,

Peter

This is what I understood in your post.

Differentiating is only possible with Clearpass.

What's the intention behind this?

Do employees have less problems in your guest wifi? Free bandwidth?

Hi Sven,

Two very simple things:

1. Company resources are not available from the Guest WiFi, obviously for security reasons. This is obvious for IT people, but not for end users... Long story short: I get calls complaining.."Peter, I cannot access the file server", "Peter, there is something wrong with the system, my email is not working", etc-etc...Yeah, right...try not to use the Guest WiFi...

2. Now you may ask why would they use the Guest WiFi? The reason for that is: Facebook. Social networking is not available using Staff WiFi except for non-working times.

Despite less available bandwidth using Guest WiFi, they choose to use that over the Staff...for facebook. Causing me extra tickets...

Cheers,

Peter

ITPeter,

Do you use group policy to push the wireless settings to computers?  If you do, just setup an additional SSID on company computers that is the same as the guest network, but with a WEP key.  If you do that, the computers will not be able to connect.

I hope that helps.

Hi Colin Joseph,

I like that one! Thank you for the idea!

Cheers,

Peter