Q: What does the controller and AP do when the deny time range is set on the controller?
A: Deny time range in Virtual AP profile limits the access to the network based on the time specified. This feature is useful when in a particular network you want to restrict access to any resources after working hours or during weekends. We can configure time ranges from WebUI > Configuration > Access Control > Time Ranges. The same is applied to Virtual AP profile (AP-Group > Edit AP-Group > Expand and select relevant Virtual AP profile > Select the time range value for "Deny Timerange").
Once this time range setting is applied in Virtual AP Profile, any client which tries to connect to the SSID during these hours, the controller/AP will send a deauth message to the clients after it successfully associates to the SSID. Below are the logs generated on the controller:
Oct 2 21:29:19 :501109: <NOTI> |AP 18:64:72:c4:69:d2@10.7.50.2 stm| Auth request: 18:59:36:08:ee:5c: AP 10.7.50.2-18:64:72:c6:9d:30-18:64:72:c4:69:d2 auth_alg 0
Oct 2 21:29:19 :501093: <NOTI> |AP 18:64:72:c4:69:d2@10.7.50.2 stm| Auth success: 18:59:36:08:ee:5c: AP 10.7.50.2-18:64:72:c6:9d:30-18:64:72:c4:69:d2
Oct 2 21:29:19 :501095: <NOTI> |AP 18:64:72:c4:69:d2@10.7.50.2 stm| Assoc request @ 21:29:18.846077: 18:59:36:08:ee:5c (SN 1588): AP 10.7.50.2-18:64:72:c6:9d:30-18:64:72:c4:69:d2
Oct 2 21:29:19 :501100: <NOTI> |AP 18:64:72:c4:69:d2@10.7.50.2 stm| Assoc success @ 21:29:18.847250: 18:59:36:08:ee:5c: AP 10.7.50.2-18:64:72:c6:9d:30-18:64:72:c4:69:d2
Oct 2 21:29:19 :501080: <NOTI> |AP 18:64:72:c4:69:d2@10.7.50.2 stm| Deauth to sta: 18:59:36:08:ee:5c: Ageout AP 10.7.50.2-18:64:72:c6:9d:30-18:64:72:c4:69:d2 Denied; AP Disable Timerange active
Oct 2 21:29:19 :501000: <DBUG> |AP 18:64:72:c4:69:d2@10.7.50.2 stm| Station 18:59:36:08:ee:5c: Clearing state
Note: Please note that when time range is applied in Virtual AP profile, SSID will be visible; however users will not be able to connect.