Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Blacklisting/Whitelisting in Bulk

  • 1.  Blacklisting/Whitelisting in Bulk

    Posted Nov 05, 2015 02:28 PM

    Hello,

     

    I have just over 20 IAP 225s that are on 9 different VLANs, hence 9 different virtual controllers. We are going to rectify this during the summer, but for now here is my question.

     

    Is there a way to blacklist or whitelist clients either via MAC address, device type or OS?

     

    I have a list of iPad MAC addresses that should be the only devices connecting to a particular SSID, and I can generate a list of unauthorized devices via PuTTY that I could use for an import if this was possible.

     Any ideas?

     Version:6.4.2.6-4.1.1.7_50209

     


    #AP225


  • 2.  RE: Blacklisting/Whitelisting in Bulk

    EMPLOYEE
    Posted Nov 05, 2015 02:32 PM
    This is really a function of network authentication. Do you have ClearPass?


  • 3.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 05, 2015 02:55 PM

    I do not have ClearPass.



  • 4.  RE: Blacklisting/Whitelisting in Bulk

    EMPLOYEE
    Posted Nov 05, 2015 03:14 PM
    What RADIUS solution are you using?


  • 5.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 06, 2015 12:10 PM

    We were using a RADIUS server which ran from our domain controller. This server crashed, and we are now simply using WPA2 Personal authentication.

     

     



  • 6.  RE: Blacklisting/Whitelisting in Bulk

    EMPLOYEE
    Posted Nov 06, 2015 10:55 AM

    Do you have Airwave?

     

    In addition, you can play around with role-based access in the SSID security settings.  There are conditions you can put in there like MAC Address BEGINS WITH or DHCP fingerprint CONTAINS, etc. that should help.  If those filters hit, then you could assign a denyall role.



  • 7.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 06, 2015 12:26 PM

    No Airwave. And I do not see a way to filter by MAC address starts with, as this would help.



  • 8.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 06, 2015 12:57 PM

    I have 3 SSIDs right now. I only need to blacklist items on one SSID. I only want iPads to connect to this SSID. No phones, no Android devices, etc.

     

    I have a list of MAC addresses of the approved devices, and a MAC list of the devices that I want to blacklist. The blacklist count is much smaller at this time.



  • 9.  RE: Blacklisting/Whitelisting in Bulk

    EMPLOYEE
    Posted Nov 06, 2015 02:04 PM

    In the access settings for the SSID, there should be a slider where you can toggle to role-based. Then you get a box labeled role assignment rules. One of the options in this drop-down box is MAC address.

     

    The below is a screenshot from Airwave but it's nearly identical in the virtual controller...

     

    Before you do this, create a role and call it denyall and have a deny statement in there.  If anything matches the role assignment rules, it will be assigned the denyall role and not get any access.

     

    Alternatively, you could have the role assignment be for the full access role and the default role for this SSID would be denyall meaning that only devices that match the role assignment rules will be allowed access.

     

    Screen Shot 2015-11-06 at 2.01.05 PM.png

     

     



  • 10.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 09, 2015 11:17 AM

    I don't see the option anywhere for MAC address. Also, I added 60+ MAC addresses manually, and the devices are still being listed as clients. I've rebooted all access points, tried disconnecting the devices manually, but they still reconnect.

     

    vc.jpg

     

     



  • 11.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 09, 2015 11:48 AM
    Edit the Network (SSID) instead and in Access is where you will see the "roles" option where you can create that role.
    The section you are in won't get you there.


  • 12.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 11, 2015 09:23 AM

    OK, I see this now. But here is another issue. I manually added 60 blacklist MAC addresses and they are still getting on our Wi-Fi. I have manually disconnected these devices, rebooted the APs, controllers, etc. but they still gain access.

     

    Not sure how to make this work.

     

     



  • 13.  RE: Blacklisting/Whitelisting in Bulk

    EMPLOYEE
    Posted Nov 11, 2015 09:25 AM
    You have to enable blacklisting in the SSID


  • 14.  RE: Blacklisting/Whitelisting in Bulk

    Posted Nov 11, 2015 09:33 AM

    I did



  • 15.  RE: Blacklisting/Whitelisting in Bulk

    Posted Feb 03, 2016 11:43 AM

    So I created a workaround for this. It worked for me and it's easier than manually adding a lot of clients, especially if you have multiple VLANs like I do.

     

    First, from the IAP, back up the configuration. If you have not manually added a blacklist client, do so first.

     

    I then use PuTTY to connect to my IAPs and log the entire session. I use the command "show-clients" and then exit. I then open the log in Excel and delete everything but the MAC addresses of the devices you want to blacklist. I then concatenate the MAC address along with the text "blacklist-client" so the text now reads "blacklist-client XX:XX:XX:XX:XX:XX"


    Now go back to the configuration and open it with your preferred editing program. Find the area where the blacklisted items reside:


    blacklist-time 43200
    auth-failure-blacklist-time 43200
    blacklist-client XX:XX:XX:XX:XX:XX

     

    It is here that you want to copy and paste all of the "blacklist-client XX:XX:XX:XX:XX:XX" items you have in your Excel sheet. Save the config as something else in case something goes wrong, then restore the configuration you just saved and your clients are added.
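
The workaround from the post above, scripted instead of done by hand in Excel. This is an added example, not the poster's code: the log layout, the MAC values, the approved list and the function names are constructed for illustration, and MACs are lowercased here so duplicates compare equal.

```python
import re

# Six colon-separated hex octets, not embedded in a longer hex/colon run.
MAC_RE = re.compile(r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")

# Constructed sample data: the log layout and every MAC below are made up.
SAMPLE_LOG = """\
phone-1   10.0.0.21  AA:BB:CC:00:00:01
tablet-7  10.0.0.22  aa:bb:cc:00:00:02
phone-1   10.0.0.21  aa:bb:cc:00:00:01
laptop-3  10.0.0.23  00:11:22:33:44:55
"""
APPROVED = {"AA:BB:CC:00:00:02"}  # devices that must never be blacklisted
SAMPLE_CONFIG = """\
blacklist-time 43200
auth-failure-blacklist-time 43200
blacklist-client 00:11:22:33:44:55
<rest of configuration>
"""

def extract_macs(log_text):
    """Unique MACs from a logged session, lowercased, in first-seen order."""
    macs = []
    for mac in MAC_RE.findall(log_text):
        if mac.lower() not in macs:
            macs.append(mac.lower())
    return macs

def merge_blacklist(config_text, macs, approved=()):
    """Add 'blacklist-client <mac>' lines after the last existing entry.

    Approved MACs and MACs already in the config are skipped, so a re-run adds nothing.
    """
    lines = config_text.splitlines()
    entries = [i for i, l in enumerate(lines) if l.strip().startswith("blacklist-client ")]
    if not entries:
        # The post's first step: one manually added entry marks where the list lives.
        raise ValueError("no blacklist-client line found; add one entry manually first")
    skip = {lines[i].split()[1].lower() for i in entries} | {m.lower() for m in approved}
    added = [m for m in macs if m not in skip]
    at = entries[-1] + 1
    lines[at:at] = ["blacklist-client " + m for m in added]
    return "\n".join(lines) + "\n", added

if __name__ == "__main__":
    new_config, added = merge_blacklist(SAMPLE_CONFIG, extract_macs(SAMPLE_LOG), APPROVED)
    print(new_config)
```

Write the result to a new file and keep the original backup untouched, as the post advises, before restoring it on the IAP.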