
Blocking Specific MAC from connecting to a specific SSID

mohammad2
Level 1

WLC Model: Cisco 5520

SW Ver: 8.2.161.0

We have multiple SSIDs configured and each is mapped to a certain VLAN on the network.

 

I'd like to block a certain MAC from connecting to a particular SSID on the WLC.

Using a MAC filter doesn't help, as it is allow-list based.

Using disabled clients blocks the client MAC globally and blocks the MAC from connecting to any SSID, which is not desired.

I need to just block the particular MAC only for one SSID...

So how to do that on the WLC?

5 Replies

Francesco Molino
VIP Alumni
Hi

Do you have a RADIUS server?
Using only the WLC, you can achieve this but the other way around, meaning you'll create a MAC filter list on the WLC and only these MACs can connect to the SSID. MAC addresses not present in this list won't be able to connect. Take a look here:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html

If you have a RADIUS server, you can create a group with denied MACs and tell RADIUS to deny connection for this specific group, whereas all others can hit the default rule allowing access.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco,

Thanks for your reply...

"Using only wlc, you can achieve this but the other way around, meaning you'll create a list mac filter on wlc and only these mac can connect to the ssid. Mac addresses not present in this list won't be able to connect."

MAC filtering lists I know; we already have an SSID with MAC filtering enabled and I know how it works. That's not what I want.

For example, I have 3 SSIDs:

1. SALES 2. HR 3. PROJECT

I want to just block a client MAC in SSID "SALES", but he should be able to connect to the other SSIDs "HR" and "PROJECT".

Is it possible?

 

Maybe I've not been too clear in my previous answer.
To summarize, it's not possible (nothing I'm aware of) to block a single MAC address for 1 SSID.
That's why I've explained that the embedded feature on the WLC is just to specify which MAC addresses you want to allow.
What I suggested is to use a RADIUS server to help you achieve what you want to do.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you,

Can you briefly explain how it can be done with a RADIUS server?

With a RADIUS server, let's take ISE as an example:
- create a MAB group with the specific MAC you want to deny
- create a rule saying:
> If normalised radius SSID contains SALES and identity group equals MABDENY then push authorization profile Deny

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
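The rule described in the last reply, modelled as a small decision function. This is an added example, not part of the thread and not ISE or WLC code. It assumes the WLC sends Called-Station-Id in the "AP-MAC:SSID" form; the MAC addresses, the `DENY_GROUPS` table and the function names are constructed for illustration.

```python
import re

# Constructed policy data: per-SSID deny group (the MABDENY group for SALES).
DENY_GROUPS = {"SALES": {"aa:bb:cc:dd:ee:01"}}


def normalize_mac(raw):
    """Reduce hyphen, colon, dotted or bare MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ssid_from_called_station(called_station_id):
    """Extract the SSID, assuming the 'AP-MAC:SSID' Called-Station-Id format."""
    match = re.fullmatch(
        r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}:(.+)", called_station_id
    )
    if match is None:
        raise ValueError(f"no SSID in Called-Station-Id: {called_station_id!r}")
    return match.group(1)


def authorize(calling_station_id, called_station_id):
    """Reject only when the client MAC is in the deny group of the SSID it joins."""
    mac = normalize_mac(calling_station_id)
    ssid = ssid_from_called_station(called_station_id)
    # Exact, case-sensitive SSID match. The rule in the thread uses "contains",
    # which would also match an SSID such as SALES-GUEST.
    if mac in DENY_GROUPS.get(ssid, set()):
        return "Access-Reject"
    return "Access-Accept"  # default rule: every other client is allowed


if __name__ == "__main__":
    ap = "00-11-22-33-44-55"  # constructed AP MAC
    for ssid in ("SALES", "HR", "PROJECT"):
        print(ssid, authorize("AA-BB-CC-DD-EE-01", f"{ap}:{ssid}"))
```

Normalizing the client MAC before the group lookup matters because the same address can arrive in hyphenated, colon-separated or dotted notation, and a string comparison on the raw value would let the denied client through.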