Aruba Employee
Posts: 27
Registered: ‎04-24-2013

blacklist a group of mac addresses

Is it possible to configure a wireless SSID profile to blacklist, or block certain MAC addresses? This is for a guest wifi that we do not want employees to be able to access with company laptops. I get that whitelisting is possible with enabling the MAC Authentication profile that you want to use, but I'm specifically looking for blacklisting.

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: blacklist a group of mac addresses

You can consider an approach I have taken with a couple of customers; it is outlined in this post. It requires that you have an existing 802.1X network that the laptops have used.

http://community.arubanetworks.com/t5/Authentication-and-Access/Prevent-domain-users-from-joining-guest-network/td-p/35309

Alternatively, you can put the MACs in a user defined rule that is assigned to that AAA profile to put them in a "denyall" role or a role that redirects them to a Captive Portal page explaining that they should not be using this, etc.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba Employee
Posts: 27
Registered: ‎04-24-2013

Re: blacklist a group of mac addresses

Interesting. We do not have a RADIUS set up as of yet, though I would like to implement it. I'll try using your info to see if I can make it work. 

Aruba Employee
Posts: 27
Registered: ‎04-24-2013

Re: blacklist a group of mac addresses

Can I add multiple MAC addresses to a single user rule, since it seems that I can only apply one user derivation rule to an AAA profile?

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: blacklist a group of mac addresses

Yes, you can add multiple rules to a UDR; they can be of different types as well; some based on MAC, some DHCP fingerprints, etc.

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba Employee
Posts: 27
Registered: ‎04-24-2013

Re: blacklist a group of mac addresses

OK, I set up a user rule with a bunch of MAC addresses in it to force the user role to denyall. Testing it out on my phone it seems to work beautifully. I assume that this only kicks in when a machine authenticates, so if I needed this to kick off currently attached users I would have to wait for them to reboot the machine, which isn't a big deal.

When removing the "test" device from the list of MAC addresses it seems to take some time to push out to access points, but at least it works. Thank you very much for your knowledge. :)

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: blacklist a group of mac addresses

If you want to kick them off now, you can run the following command.

aaa user del mac <mac>

or

aaa user del ip <x.x.x.x>

Changes to that UDR rule should be immediate. The rule will kick in upon association.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
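
As an added example (not part of the thread and not Aruba's own code), this Python script builds the multi-MAC user derivation rule discussed in the replies above from a laptop inventory list, normalizing and de-duplicating the addresses before emitting controller CLI lines. The rule name `block-corp-laptops`, the AAA profile name `guest-aaa` and the sample MACs are constructed; the emitted lines follow ArubaOS `aaa derivation-rules user` syntax as an assumption to check against your controller version.

```python
import re

# Constructed sample inventory export: mixed notations, one duplicate, one bad entry.
SAMPLE_INVENTORY = """\
00-1A-2B-3C-4D-5E
001a.2b3c.4d5f
00:1a:2b:3c:4d:5e
0:1a:2b:3c:4d
"""

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_udr(inventory, rule_name="block-corp-laptops", role="denyall",
              aaa_profile="guest-aaa"):
    """Build controller CLI lines; returns (lines, rejected_entries).

    rule_name and aaa_profile are hypothetical names; role "denyall" is the
    role used in the thread.
    """
    macs, rejected = [], []
    for line in inventory.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        mac = normalize_mac(entry)
        if mac is None:
            rejected.append(entry)       # report instead of silently dropping
        elif mac not in macs:
            macs.append(mac)             # de-duplicate, keep inventory order
    # One UDR holding one "set role" rule per MAC (assumed ArubaOS syntax).
    lines = [f"aaa derivation-rules user {rule_name}"]
    lines += [f"  set role condition macaddr equals {m} set-value {role}" for m in macs]
    # Attach the single UDR to the guest SSID's AAA profile.
    lines += ["!", f"aaa profile {aaa_profile}", f"  user-derivation-rules {rule_name}", "!"]
    return lines, rejected

if __name__ == "__main__":
    config, bad = build_udr(SAMPLE_INVENTORY)
    print("\n".join(config))
    for entry in bad:
        print(f"! skipped invalid entry: {entry}")
```

The rules match only the MAC address a client presents at association, so the list has to be kept in sync with the laptop inventory.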
