Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Block a client from even connecting?

  • 1.  Block a client from even connecting?

    Posted Sep 16, 2019 12:36 PM

    I have a single device that I need to prevent from even connecting to any of my SSIDs - I have a couple that use dot X authentication and that's easy enough, but another is a guest network with captive portal.  The device in question doesn't have an account, so it can't log on, but I need it to not be able to even make a connection in the first place.

    Is this possible?  I have done a lot of searching around today but I cannot find a solution that has worked so far.

    I'm on controller software 8.5.0.2.  Apologies if this question is in the wrong place, this is my first post here.  Thanks in advance!



  • 2.  RE: Block a client from even connecting?

    Posted Sep 16, 2019 02:04 PM

    Are you attempting to do this from the controller or clearpass?

    From the controller you could add the device to the blacklist (stm add-blacklist-client)

    If you're doing ClearPass, you just need to send a deny access response when they attempt to connect.



  • 3.  RE: Block a client from even connecting?

    Posted Sep 16, 2019 02:43 PM

    From the controller.  I've tried the command you suggested, and it didn't work.



  • 4.  RE: Block a client from even connecting?

    Posted Sep 16, 2019 03:04 PM

    There are multiple options to block a client.

    • Blacklist; however, in most cases this blacklist is not permanent
    • For a dot1x network just deny the RADIUS request

    Open networks and networks with MAC authentication are a little bit difficult, but it's possible to block a client on this network.

    The trick is to assign a denyall role to the device you want to block.

    First create a denyall user.

    user-role denyall
    !

    It's just a dummy user without any ACL.

    The second step is to assign the user-role to the device.

    If the network isn't using MAC auth (open network without MAC caching) then you can use a user derivation rule to assign the role.

    aaa derivation-rules user blockuser
    set role condition macaddr equals 00:11:22:33:44:55 set-value denyall
    !

    aaa profile guest-aaa_profile
    user-derivation-rules blockuser
    !

    Make sure you assign the aaa profile to the virtual AP profile.

    For networks with MAC auth (to ClearPass) you can create a rule within ClearPass to return the denyall user-role for the device you want to block. In that case it's not needed to use the derivation rule.
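The procedure in the post above written out end to end, as an added example that is not part of the post (the MAC and the profile names blockuser and guest-aaa_profile come from the post; the ACL name denyall-acl, the VAP name guest-vap and the prompt are assumptions). It differs from the post in one respect: the role carries an explicit deny-all session ACL rather than no ACL at all, so the intent is visible in show rights and survives a later edit. Note what this achieves: the client still associates at the 802.11 layer, and it is the role that drops every frame afterwards, including DHCP, so the device appears in the user table in role denyall with no IP. Only the station blacklist discussed later in the thread rejects the association itself.

```text
! --- configuration context -------------------------------------------------
! Explicit deny-all session ACL. An empty role also denies by implicit rule,
! but this one shows up in "show rights denyall" and documents the intent.
ip access-list session denyall-acl
  any any any deny
!
user-role denyall
  access-list session denyall-acl
!
! Derivation rule keyed on the client MAC (lowercase, colon separated,
! exactly as the controller prints it in the user table).
aaa derivation-rules user blockuser
  set role condition macaddr equals 00:11:22:33:44:55 set-value denyall
!
! Bind the rule to the guest AAA profile, and that profile to the guest VAP
! (VAP name guest-vap is an assumption).
aaa profile guest-aaa_profile
  user-derivation-rules blockuser
!
wlan virtual-ap guest-vap
  aaa-profile guest-aaa_profile
!
! --- verification, operator (enable) context on the MD ----------------------
! Drop the existing user entry so the role is derived afresh on reconnect.
aaa user delete mac 00:11:22:33:44:55
! Rule present and bound
show aaa derivation-rules user blockuser
! Role column for the device must read "denyall", with no IP address
show user-table mac 00:11:22:33:44:55
! The deny-all ACL is attached to the role
show rights denyall
```

If the device ever appears in the user table in a different role, check that the AAA profile bound to the VAP the device joined is really guest-aaa_profile; a derivation rule attached to a profile the VAP does not use has no effect.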

     



  • 5.  RE: Block a client from even connecting?

    Posted Sep 16, 2019 03:11 PM

    What didn't work about the blacklist command? I just tested on 8.4.x and it worked as expected. It kicked my device off and won't even let me associate.

    You have to be in the regular context to enter the command

    stm add-blacklist-client xx:xx:xx:xx:xx:xx

    Here's some more information About Blacklist




  • 6.  RE: Block a client from even connecting?

    Posted Sep 16, 2019 03:13 PM

    The blacklist is in most cases not permanent. If the blacklist timer is set to 0 this will work. Otherwise the mac address will be removed from the blacklist after the configured time



  • 7.  RE: Block a client from even connecting?

    Posted Sep 16, 2019 03:17 PM

    @Willem Bargeman wrote:

    The blacklist is in most cases not permanent. If the blacklist timer is set to 0 this will work. Otherwise the mac address will be removed from the blacklist after the configured time


    You are correct, unless you change the time it isn't permanent.

    ap ap-blacklist-time 0

    However he did specify he was trying to do this solely from the controller, and that is the only way I am aware of that accomplishes his goal.



  • 8.  RE: Block a client from even connecting?

    Posted Sep 16, 2019 03:21 PM

    @cwickline14 wrote:

    @Willem Bargeman wrote:

    The blacklist is in most cases not permanent. If the blacklist timer is set to 0 this will work. Otherwise the mac address will be removed from the blacklist after the configured time


    You are correct, unless you change the time it isn't permanent.

    ap ap-blacklist-time 0

    However he did specify he was trying to do this solely from the controller, and that is the only way I am aware of that accomplishes his goal.


    If the blacklist time is not 0 you can use the derivation rules to assign a denyall user-role



  • 9.  RE: Block a client from even connecting?

    Posted Sep 18, 2019 09:48 AM

    @Willem Bargeman wrote:

    @cwickline14 wrote:

    @Willem Bargeman wrote:

    The blacklist is in most cases not permanent. If the blacklist timer is set to 0 this will work. Otherwise the mac address will be removed from the blacklist after the configured time


    You are correct, unless you change the time it isn't permanent.

    ap ap-blacklist-time 0

    However he did specify he was trying to do this solely from the controller, and that is the only way I am aware of that accomplishes his goal.


    If the blacklist time is not 0 you can use the derivation rules to assign a denyall user-role


    It helped me to figure out my problem, thanks for the post.



  • 10.  RE: Block a client from even connecting?

    Posted Sep 18, 2019 12:26 PM

    Chris,

    What do you mean by "regular context"?  That must be the part tripping me up - I logged into CLI and entered the command you suggested, and while it didn't give me any errors, my device remains connected to the network.



  • 11.  RE: Block a client from even connecting?

    Posted Sep 18, 2019 02:43 PM

    Not configuration context (operator context, I believe, is the actual term).

    Here's an example of the full command I ran and it worked

    (MD-1) [MDC] #stm add-blacklist-client 00:01:02:03:04:05

    I'm running that on the MD that my device is connected to, if you have multiple you may have to figure out which MD your device is connected to.

    As a side note, I haven't used this in production, I usually have Clearpass handle the denying of clients
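The blacklist route from posts 5, 7 and 11 in one sequence, as an added example that is not part of any post in the thread (the MAC is the one used earlier in the thread; the VAP name guest-vap, the hostname MD-1 and the exact prompt strings are assumptions). The two contexts the thread stumbled over are kept apart: the timer and the VAP setting are configuration, the blacklist itself is an operator command and has to be run on the MD the client is associated to.

```text
! --- configuration context ----------------------------------------------
! The timer is global for every AP on this controller. Default is 3600 s;
! 0 keeps an entry until it is removed by hand.
(MD-1) [MDC] (config) #ap ap-blacklist-time 0
!
! Each VAP must honour the blacklist. This is the default; it is shown so
! the setting is explicit and an audit of the VAP can see it.
(MD-1) [MDC] (config) #wlan virtual-ap guest-vap
(MD-1) [MDC] (Virtual AP profile "guest-vap") #blacklist
(MD-1) [MDC] (Virtual AP profile "guest-vap") #exit
(MD-1) [MDC] (config) #exit
!
! --- operator (enable) context, on the MD the client is associated to ---
(MD-1) [MDC] #stm add-blacklist-client 00:11:22:33:44:55
!
! Checks: the entry is listed with no expiry, the client is gone from the
! user table, and it cannot re-associate to any VAP on this controller.
(MD-1) [MDC] #show ap blacklist-clients
(MD-1) [MDC] #show user-table mac 00:11:22:33:44:55
!
! To lift the block later:
(MD-1) [MDC] #stm remove-blacklist-client 00:11:22:33:44:55
```

Two things worth verifying in your own deployment before relying on this: whether the entry is still present after the controller reboots, and, with more than one MD, whether the client can still associate through an AP terminating on a different MD, since the command was issued on one controller only.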