Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

blacklist a group of mac addresses

  • 1.  blacklist a group of mac addresses

    Posted Aug 29, 2013 03:16 PM

    Is it possible to configure a wireless SSID profile to blacklist, or block, certain MAC addresses? This is for a guest wifi that we do not want employees to be able to access with company laptops. I get that whitelisting is possible by enabling the MAC Authentication profile that you want to use, but I'm specifically looking for blacklisting.



  • 2.  RE: blacklist a group of mac addresses
    Best Answer

    Posted Aug 29, 2013 03:22 PM

    You can consider an approach I have taken with a couple of customers; it is outlined in this post. It requires that you have an existing 802.1X network that the laptops have used.

    http://community.arubanetworks.com/t5/Authentication-and-Access/Prevent-domain-users-from-joining-guest-network/td-p/35309

    Alternatively, you can put the MACs in a user-defined rule that is assigned to that AAA profile to put them in a "denyall" role or a role that redirects them to a Captive Portal page explaining that they should not be using this, etc.



  • 3.  RE: blacklist a group of mac addresses

    Posted Aug 29, 2013 04:08 PM

    Interesting. We do not have a RADIUS set up as of yet, though I would like to implement it. I'll try using your info to see if I can make it work. 



  • 4.  RE: blacklist a group of mac addresses

    Posted Aug 29, 2013 04:22 PM

    Can I add multiple MAC addresses to a single user rule, since it seems that I can only apply one user derivation rule to an AAA profile?



  • 5.  RE: blacklist a group of mac addresses

    Posted Aug 29, 2013 04:27 PM

    Yes, you can add multiple rules to a UDR; they can be of different types as well; some based on MAC, some DHCP fingerprints, etc.

     

     



  • 6.  RE: blacklist a group of mac addresses

    Posted Aug 30, 2013 10:18 AM

    OK, I set up a user rule with a bunch of MAC addresses in it to force the user role to denyall. Testing it out on my phone, it seems to work beautifully. I assume that this only kicks in when a machine authenticates, so if I needed this to kick off currently attached users I would have to wait for them to reboot the machine, which isn't a big deal.

     

    When removing the "test" device from the list of MAC addresses, it seems to take some time to push out to access points, but at least it works. Thank you very much for your knowledge.

     




  • 7.  RE: blacklist a group of mac addresses

    Posted Aug 30, 2013 10:20 AM

    If you want to kick them off now, you can run the following command.

    aaa user del mac <mac>

    or

    aaa user del ip <x.x.x.x>

    Changes to that UDR rule should be immediate. The rule will kick in upon association.
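
Added example, not part of any post in this thread: a small Python helper that turns a list of company-laptop MAC addresses (in mixed notations) into the user derivation rule discussed above, one `set role ... denyall` rule per unique MAC, attached to the guest AAA profile. The rule name `guest-block-corp`, the profile name `guest-aaa` and the sample MACs are constructed; the `aaa derivation-rules user` / `user-derivation-rules` syntax is assumed from the ArubaOS 6.x CLI and should be checked against the running version.

```python
import re


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or raise ValueError."""
    # Accept aa:bb:..., AA-BB-..., aabb.ccdd.eeff and bare hex.
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_udr(rule_name, aaa_profile, macs, role="denyall"):
    """Build CLI lines: one rule per unique MAC, then bind the UDR to the AAA profile."""
    seen = set()
    lines = [f"aaa derivation-rules user {rule_name}"]
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:  # same device listed twice in different notations
            continue
        seen.add(mac)
        lines.append(
            f'  set role condition macaddr equals "{mac}" set-value {role}'
        )
    lines += [
        "!",
        f'aaa profile "{aaa_profile}"',
        f"  user-derivation-rules {rule_name}",
        "!",
    ]
    return lines


# Constructed sample inventory; the first and third entries are the same device.
SAMPLE_MACS = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5f", "00:1a:2b:3c:4d:5e"]

if __name__ == "__main__":
    # Rule and profile names are hypothetical placeholders.
    print("\n".join(build_udr("guest-block-corp", "guest-aaa", SAMPLE_MACS)))
```

A MAC rule matches only the address the client presents at association, so the 802.1X-based approach linked in post 2 remains the sturdier control where it is available.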