Wireless Access

Community Administrator

Mobility Master log on

What I am trying to do is:

If a client named "volkswagen 1234" is trying to log on to Mobility Master, then this client should have access to the network if it comes from the IP address range 192.168.20.0, subnet mask 255.255.255.0.

 

Where and how can this be programmed?

 

In the GUI of Mobility Master > Configuration > Roles & Policies > Logon Control Restriction

Here I try to restrict wireless clients like tablets or laptops.

Example:

One client should be able to connect to WiFi if he is in Building 1, IP range 192.168.1.0, subnet mask 255.255.255.0.

But when the same client comes from Building 2, IP range 192.168.2.0, subnet mask 255.255.255.0, then he should be restricted out.

 

Posting for a client.

Thanks,

Greg_Weaver

Regular Contributor I

Re: Mobility Master log on

Hi Greg,

 

Is the intention here to restrict the login to the Mobility Master or the WiFi, or both?

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Community Administrator

Re: Mobility Master log on

Given I'm posting for a client, both options might be applicable for them. Any insight is greatly appreciated.

Regular Contributor I

Re: Mobility Master log on

Referring to the example scenario given by your client,

Example:

One client should be able to connect to WiFi if he is in Building 1, IP range 192.168.1.0, subnet mask 255.255.255.0.

But when the same client comes from Building 2, IP range 192.168.2.0, subnet mask 255.255.255.0, then he should be restricted out.

This can be done in a two-step process.

First: Create a netdestination pointing to the VLAN that the SSID is being broadcast on (this can be found in Configuration > WLAN; check the VAP profile for which VLAN is mapped).

Create a netdestination for each of the networks in Building 1 and 2.

 

It is going to look like this:

(config)# netdestination "Wifi"

network 10.0.0.0 255.0.0.0

(config)# netdestination "Building-1"

network 192.168.1.0 255.255.255.0

(config)# netdestination "Building-2"

network 192.168.2.0 255.255.255.0

Refer to the AOS 8.5 UG (Pg. 273) to create a netdestination.

 

Second: Create an IP SACL as follows

ip access-list session "Restrict logon to wifi"

// the format is "source destination service action"

// The first access control entry is going to be

Building-1 Wifi any permit position 1

Building-2 Wifi any deny position 2

You could choose to ignore the second ACE as an implicit deny all statement is going to be added, but I recommend keeping it for clarity.

 

Finally map this SACL into the pre-auth / initial role of the AAA profile for the SSID.

 

Let me know if it works

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
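
The first-match behaviour and implicit deny described in the reply above can be checked offline before the SACL is mapped into a role. This is an added example, not part of the original posts and not Aruba code: a small Python model of the three netdestinations and two ACEs, in which the `evaluate` helper and the sample flow addresses are constructed for illustration.

```python
import ipaddress

# Netdestinations as given in the reply above (address plus dotted mask).
NETDESTINATIONS = {
    "Wifi": "10.0.0.0/255.0.0.0",
    "Building-1": "192.168.1.0/255.255.255.0",
    "Building-2": "192.168.2.0/255.255.255.0",
}

# ACEs in position order: (source alias, destination alias, action).
ACL_WITH_EXPLICIT_DENY = [
    ("Building-1", "Wifi", "permit"),
    ("Building-2", "Wifi", "deny"),
]
ACL_WITHOUT_EXPLICIT_DENY = ACL_WITH_EXPLICIT_DENY[:1]


def in_alias(alias, address):
    """True if the address falls inside the named netdestination."""
    network = ipaddress.ip_network(NETDESTINATIONS[alias])
    return ipaddress.ip_address(address) in network


def evaluate(acl, src, dst):
    """First-match evaluation; returns (action, matched position or None)."""
    for position, (src_alias, dst_alias, action) in enumerate(acl, start=1):
        if in_alias(src_alias, src) and in_alias(dst_alias, dst):
            return action, position
    return "deny", None  # implicit deny at the end of the ACL


# Constructed sample flows (hypothetical addresses): (source, destination).
SAMPLE_FLOWS = [
    ("192.168.1.25", "10.1.1.10"),   # Building 1 -> Wifi
    ("192.168.2.25", "10.1.1.10"),   # Building 2 -> Wifi
    ("192.168.3.25", "10.1.1.10"),   # unlisted subnet -> Wifi
    ("192.168.1.25", "172.16.0.5"),  # Building 1 -> outside Wifi
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        explicit = evaluate(ACL_WITH_EXPLICIT_DENY, src, dst)
        implicit = evaluate(ACL_WITHOUT_EXPLICIT_DENY, src, dst)
        print(f"{src} -> {dst}: with ACE 2 {explicit}, without {implicit}")
```

The action is the same with or without the second ACE; only the matched position differs, which is the clarity benefit of keeping the explicit deny.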
Community Administrator

Re: Mobility Master log on

Thank you. I will let you know shortly

Community Administrator

Re: Mobility Master log on

That was what he was looking for, thank you for your help!
