Hi,
We have a setup with multiple SSIDs on the same controller.
One of the SSIDs (simple WPA2 authentication) has devices which do not belong there (the WPA2 key has been 'communicated').
Blacklisting a MAC completely blocks access to every SSID. I basically want to prevent those devices from accessing that specific SSID (let's call it my-mgmt for now).
I believe this can be done by using a derivation rule, so by tying an aaa profile containing something like:
aaa profile "my-mgmt-aaa_prof"
user-derivation-rules "my-mgmt-rule"
authentication-dot1x "dot1x_prof-cno90"
enforce-dhcp
and:
aaa derivation-rules user "my-mgmt-rule"
set role condition macaddr does-not-equal 8c:70:5a:10:89:24 set-value "authenticated"
set role condition macaddr does-not-equal 64:20:0c:78:de:86 set-value "authenticated"
So I basically allow every device to authenticate, except those specific MACs.
Does this make sense?
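Added example, not part of the post above: a small model of how an ordered user-derivation-rule list assigns roles, used to check what each client would actually get from the two rules quoted in the post. It assumes in-order, first-match evaluation with fall-through to the profile's default role (both assumptions are stated in the code), and "quarantine-role" is a placeholder role name, not one from the post.

```python
# Added example (not from the post): a model of in-order, first-match
# user-derivation-rule evaluation, to check which role each client ends up with.
# ASSUMPTION: the controller applies the first rule whose condition matches and
# stops; if no rule matches, the client gets the profile's default role.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    op: str       # "equals" or "does-not-equal"
    macaddr: str  # MAC address the condition compares against
    role: str     # role assigned when the condition matches


def _norm(mac: str) -> str:
    # Normalise separator and case so "8C-70-5A-10-89-24" equals "8c:70:5a:10:89:24".
    return mac.lower().replace("-", ":")


def derive_role(rules, client_mac, default_role):
    """Return the role the first matching rule assigns, else default_role."""
    mac = _norm(client_mac)
    for r in rules:
        same = mac == _norm(r.macaddr)
        hit = same if r.op == "equals" else not same
        if hit:
            return r.role
    return default_role


# The two MACs named in the post plus one constructed, unrelated client.
BLOCKED = ["8c:70:5a:10:89:24", "64:20:0c:78:de:86"]
OTHER = "aa:bb:cc:dd:ee:ff"  # constructed sample value

# Rules as written in the post: two does-not-equal conditions in sequence.
# Each blocked MAC fails its own rule but matches the other one, so every
# client, including both blocked MACs, is granted "authenticated".
POSTED_RULES = [Rule("does-not-equal", m, "authenticated") for m in BLOCKED]

# Deny-list ordering instead: match the unwanted MACs explicitly and send them
# to a restricted role ("quarantine-role" is a placeholder name), and let every
# other client fall through to the profile's default role.
DENYLIST_RULES = [Rule("equals", m, "quarantine-role") for m in BLOCKED]


def roles_under(rules, default_role):
    return {m: derive_role(rules, m, default_role) for m in BLOCKED + [OTHER]}
```

Running `roles_under(POSTED_RULES, "default-role")` shows all three clients as "authenticated", while `roles_under(DENYLIST_RULES, "authenticated")` gives the two listed MACs "quarantine-role" and the unrelated client "authenticated".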