Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
821
Views
0
Helpful
5
Replies

block list of clients to specific wlans

Wifi_Eshwar92
Level 1
Level 1

‎06-11-2019 08:55 PM - edited ‎07-05-2021 10:32 AM

Team, Is it possible to block/blacklist list of mac addresses to few wlans instead of global.. thing is i want to block them only from enterprise wlans and not for guest wlan.. if i use disabled clients feature it will block globally, correct? 

Labels:
0 Helpful
5 Replies 5

Sathiyanarayanan Ravindran
Spotlight
Spotlight

‎06-11-2019 11:03 PM

Hi @Wifi_Eshwar92 ,

 

You can't block for specific WLAN. As you said Enterprise you don't want gave access for all the users, I would suggest to go with 802.1x for the enterprise using external radius servers. So that only legitimate users can be connect to the enterprise SSID and others can't.

 

Refer : Central Web Authentication on the WLC and ISE Configuration Example

Regards,
Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)
0 Helpful

Wifi_Eshwar92
Level 1
Level 1
In response to Sathiyanarayanan Ravindran

‎06-11-2019 11:53 PM

we already have ise on that wlan.. but not provisioned to do profile/posture for now... As of now, i have list of mac addresses. just want to blacklist them
0 Helpful

Sandeep Choudhary
VIP Alumni
VIP Alumni

‎06-11-2019 11:59 PM

Hi,

 

I am hoping you are using Cisco WLC ! 

 

You would need to invlove a radius solution like ISE.

 

However, there are few other options that you can take in consideration (if you are not using a radius server for your WLANs). 

MAC Filtering method:

Step1: Collect all MAC address of all your clients that use wireless. From MAC filter you can decide which client can connect to which SSID (or all SSID's if you'd like). you only allow the guy you want to connect to only one SSID to only that SSID and allow others to connect to all SSIDs. This is not feasible if you have large number of users or if you have mobile users that come and go because this needs you to add all mac addresses to filter on all your wireless devices (WLCs or standalone APs).

 

If above stepe doesnt help you then you must go with ISE.

 

Regards

Dont forget to arte helpful posts

0 Helpful

Wifi_Eshwar92
Level 1
Level 1
In response to Sandeep Choudhary

‎06-12-2019 12:50 AM

yes we cant do that.. large number of clients.. so disabled clients will help atleast to block some of the users?
0 Helpful

ammahend
VIP
VIP

‎06-12-2019 06:19 AM

Since you have ISE you can do it, you will built a condition or policy set base on SSID name match like called station ID contains or WLAN ID equals, as well as match endpoint identity store, result will be denied access, the identity store will have MAC address of users who will be denied access of Specific WLAN.

there are multiple ways to do that, lets us know if it works out for you.

-hope this helps-
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card