MAC filtering on ISR4K for Wifi network

cameron.nesbitt
Level 1

Hi All,

 

Looking for MAC filtering ideas I can turn into a config on a few ISR4Ks running Fuji 16.9.5.

 

Use case:

Allow only white-listed MAC devices to access a wireless network and drop all other traffic.

 

Equipment:

ISR4K with 3 WAN ports and 8 Ether-switch ports:

 

Current config:

Using ZBFW

Using router on a stick style config over port-channel (can also use interface VLANs courtesy of ether-switch NIM).

DHCP server for clients on WIFI network.

 

What I want to avoid:

Creating single host DHCP pools for each MAC address. There will be 100s of clients and this will clog the config and be heavy to manage.

 

What I have tried:

Applying policy-map to service-policy on interface

Applying policy-map to ZBFW

 

I also know this is possible:

mac address-table static "mac-address" vlan "vlan-id" drop

However, this is the opposite of what I want to achieve; I will have a known list of MACs and want to drop everything else.

If I can allow certain MACs and drop all others with a command like this, it would be ideal.

 

There could be more secure ways, but at a bare minimum I would like to stop wireless clients not on the MAC white list from getting DHCP addresses. More thorough suggestions are welcomed.

 

Thanks for your suggestions.

Cheers

Cam

1 Reply

Arne Bier
VIP

It sounds to me like a job for a RADIUS server. Not sure if the ISR can have a local list of whitelisted MAC addresses. But in general, MAC filtering is done by MAC Auth Bypass (MAB). Every wifi authentication request requires a call to the RADIUS server to authorise the MAC address. In the case of a WLC GUI it’s just a tick box and RADIUS server config.
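
An added example, not part of either post above: one way to keep a whitelist of hundreds of MACs out of the router config is to hold it in a text file and generate the RADIUS server's MAB entries from it. It assumes a FreeRADIUS-style `users` file and a wireless controller that sends the MAC as 12 lowercase hex digits for both user name and password; check both against your own deployment. The sample addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample whitelist: mixed notations, a duplicate and two bad entries.
SAMPLE_WHITELIST = """\
# lab laptops (constructed sample data)
00:1A:2B:3C:4D:5E
001a.2b3c.4d5f
00-1A-2B-3C-4D-60
00:1a:2b:3c:4d:5e
not-a-mac
01:00:5E:00:00:01
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is malformed."""
    digits = re.sub(r"[.:\-\s]", "", text).lower()
    return digits if _HEX12.match(digits) else None

def is_unicast(mac):
    """A client MAC must have the group (multicast) bit of the first octet clear."""
    return int(mac[:2], 16) & 0x01 == 0

def build_mab_users(whitelist_text):
    """Parse a whitelist and return (users_file_text, rejected_lines)."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(whitelist_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        mac = normalize_mac(entry)
        if mac is None or not is_unicast(mac):
            rejected.append((lineno, entry))
        elif mac not in seen:
            seen.add(mac)
            accepted.append(mac)
    # Assumed format: FreeRADIUS "users" file, MAC used as both name and password.
    lines = ['%s Cleartext-Password := "%s"' % (m, m) for m in accepted]
    # Anything not listed above falls through to an explicit reject.
    lines.append("DEFAULT Auth-Type := Reject")
    return "\n".join(lines) + "\n", rejected

if __name__ == "__main__":
    users, bad = build_mab_users(SAMPLE_WHITELIST)
    print(users, end="")
    for lineno, entry in bad:
        print("rejected line %d: %s" % (lineno, entry))
```

Rejected lines are reported with their line numbers so a typo in the whitelist is noticed rather than silently dropped.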