Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Why the ACL is not working at this stage ????

  • 1.  Why the ACL is not working at this stage ????

    Posted Sep 11, 2013 05:40 AM

    I want to configure MAC-based authentication and want no other user to be able to connect to the MAC SSID. According to one technical member on the Airheads community, he informed me to create a customized role with a policy (any any any deny), except for those whose MAC addresses are entered in the internal database. I did the same, but other users are still able to connect to the MAC SSID, although with limited connectivity, i.e. getting no IP address, unable to browse, nothing at all. But I want no user to be able to connect to the MAC SSID.

    According to the customized role, if it is (any any any deny), then why is the user able to connect to the SSID according to this rule?

    One more thing: if I configure (any any any deny) with blacklist on "one time authentication failure", then nobody will be able to connect except the MAC users.

    Customized role (DenyAll): why is the ACL not working properly without the blacklist option? Here are the snapshots.

    [attached snapshots: 1.jpg, 2.jpg, 3.jpg]



  • 2.  RE: Why the ACL is not working at this stage ????

    EMPLOYEE
    Posted Sep 11, 2013 07:40 AM

    You need to ensure that "Station Blacklisting" is enabled in the Virtual AP profile.  That is the master switch that says whether or not blacklisting will occur at all for that Virtual AP.

     

    Also, every time you test, do an "aaa user delete" to kick that user out of the user table, to reset everything.  If the user is still in the user table after disconnecting (5 minutes or so) he will be able to reattach.

     



  • 3.  RE: Why the ACL is not working at this stage ????

    Posted Sep 11, 2013 07:47 AM

    Sorry, I didn't understand...

    Can you explain it once again in simple words? You mean the blacklist feature has to be enabled?



  • 4.  RE: Why the ACL is not working at this stage ????

    EMPLOYEE
    Posted Sep 11, 2013 07:54 AM

    Yes.  In the Virtual AP profile. 



  • 5.  RE: Why the ACL is not working at this stage ????

    Posted Sep 11, 2013 07:56 AM

    Really shocked...

    The ACL is not working independently in order to block the unauthorized users.

    You mean the ACL is not able to block the unauthorized users? The ACL is dependent on station blacklisting?



  • 6.  RE: Why the ACL is not working at this stage ????

    EMPLOYEE
    Posted Sep 11, 2013 09:32 AM

    ACL should work regardless.  The question is, what role do your users end up in?  A user is required to have an ip address to get into the user table, so if you are blocking everything, they will not end up there.

     

    I would type "show acl hits" to see if any users are hitting your ACL.

     

    Also, confirm the role that users get when they associate.  If they are in the user table, they got the wrong role.  Also, do an "aaa user delete" to kick users off to start from scratch when you are testing.

     

    Also turn on user debugging (config t, then logging level debugging user), then type "show log user 50" to understand what your users are doing...



  • 7.  RE: Why the ACL is not working at this stage ????

    Posted Sep 12, 2013 12:02 AM

    (I have created the initial role itself.)

    MAC-SSID-AAA-Profile uses these roles:

    Initial role: "denyall", containing the rule (any any any deny). Station blacklisting is enabled on the VAP profile.

    MAC Authentication Default Role: Authenticated

    802.1X authentication is not configured.

    [attached snapshots: 3.jpg, 1.jpg, 2.jpg]

    According to the above snapshots, when a user gets associated with the MAC SSID it gets the DenyAll role with the rule (any any any deny), so why are unauthorized users also able to connect to the SSID, and why is the ACL not able to deny them if blacklisting is not enabled? Why is this rule not working properly?

    Skype ID: ruhail_maqsood

    Can you take a session?
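The configuration the thread describes (a deny-all initial role, MAC authentication against the internal database, blacklisting after a single authentication failure, and station blacklisting enabled on the virtual AP profile), written out as an added ArubaOS 6.x CLI example that is not from the original posts. Profile names, the sample MAC address and the delimiter/case settings are assumptions; lines beginning with "!" followed by text are reader annotations, not controller syntax.

```text
! session ACL and user role that drop all traffic (the thread's "any any any deny")
ip access-list session denyall
  any any any deny
!
user-role denyall
  access-list session denyall
!
! MAC authentication profile: one failed lookup blacklists the client
! (this is the "one time authentication failure" option from the thread)
aaa authentication mac "mac-auth-profile"
  delimiter none
  case lower
  max-authentication-failures 1
!
! a permitted client in the internal database (placeholder MAC, format assumed
! to match delimiter none / case lower above)
local-userdb add username 001122334455 password 001122334455
!
! AAA profile from the thread: initial role denyall, MAC default role authenticated
aaa profile "MAC-SSID-AAA-Profile"
  initial-role denyall
  authentication-mac "mac-auth-profile"
  mac-default-role authenticated
  mac-server-group "internal"
!
! station blacklisting must also be switched on in the virtual AP profile,
! otherwise the max-authentication-failures setting has no effect
wlan virtual-ap "mac-ssid-vap"
  aaa-profile "MAC-SSID-AAA-Profile"
  blacklist
!
```

When testing, follow the commands given earlier in the thread: run "aaa user delete" between attempts, check "show acl hits" for matches on the denyall ACL, and read "show log user 50" to see which role each client lands in.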