
Block Client on specific wlan

Good day. I have a vWLC on 38-50 IOS XE, 2 APs 27xx, 2 WLANs (Work and Guest).

I need some clients to be able to associate with one of these WLANs (Work) and be denied on the other (Guest).

Authentication is with PSK. Sure, I can 'forget Guest network' on all of these devices, but I need to make it centralized from the controller. One more time: "if you have access to Work, you can't connect to Guest, even if you know the password".

The exclusion list is one for all WLANs. So how can I do it?

 



Hi

A MAC filter could help, but on the Corp SSID. For guest it is complicated because you may not have control over the devices.

A very good solution is a BYOD tool like ISE, but it comes with a price.

-If I helped you somehow, please, rate it as useful.-

Hi
Yes, that's the point. A MAC filter does not help me. It would be great if I could filter a specific MAC on a specific WLAN.
I know about ISE and I will implement it this year, I hope. But I thought there was another solution to my problem.
Anyway, thanks.

Leo Laohoo
Hall of Fame

@andrey.trushchelev wrote:

 

I need some clients can associate with one of this wlan (Work ) and deny on the other (Guest) . 

I agree with Flavio.  ISE is suited for this (but extremely expensive).  

The cheapest method is MS Group Policy.  With our SOE wireless clients, corp SSID takes precedence.  If the corp SSID is visible, then the laptop is denied the ability to join the guest SSID.

Hi

Do you mean Microsoft Group Policy? We use Windows/macOS/Ubuntu.

What is SOE?

 

I've found the answer.

It is all simple.

 mac address-table static x:x:x:x:x:x vlan Y drop

So the SW will drop any packet from this host in the specific WLAN. The host could not even connect to the WLAN in this VLAN.

That's smart. Thanks for sharing!
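The drop entry from the accepted answer, generated for a list of clients; this is an added example, not part of the original thread. IOS takes the MAC address in dotted `xxxx.xxxx.xxxx` form; the client list and VLAN 20 are constructed sample values, and treating locally administered addresses as likely randomized is an assumption of this example.

```python
import re

def to_cisco_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff to IOS H.H.H form."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_drop_config(macs, guest_vlan: int):
    """Return (config_lines, skipped) for per-VLAN static drop entries.

    skipped holds (input, reason) pairs for addresses where a static drop
    entry would be invalid or would not match the client on the Guest VLAN.
    """
    if not 1 <= guest_vlan <= 4094:
        raise ValueError(f"VLAN id out of range: {guest_vlan}")
    lines, skipped, seen = [], [], set()
    for raw in macs:
        try:
            mac = to_cisco_mac(raw)
        except ValueError as exc:
            skipped.append((raw, str(exc)))
            continue
        if mac in seen:              # same client listed twice in different notations
            continue
        seen.add(mac)
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:       # group bit set: multicast or broadcast, not a client
            skipped.append((raw, "multicast/broadcast address"))
        elif first_octet & 0x02:     # U/L bit set: assumed to be a randomized client MAC
            skipped.append((raw, "locally administered, likely randomized per SSID"))
        else:
            lines.append(f"mac address-table static {mac} vlan {guest_vlan} drop")
    return lines, skipped

# Constructed sample input: MACs collected from the Work WLAN client list.
WORK_CLIENTS = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5f",
                "da:a1:19:00:00:01", "001a.2b3c.4d5e", "not-a-mac"]
GUEST_VLAN = 20  # constructed value standing in for "Y" in the answer

if __name__ == "__main__":
    config, skipped = build_drop_config(WORK_CLIENTS, GUEST_VLAN)
    print("\n".join(config))
    for raw, reason in skipped:
        print(f"! skipped {raw}: {reason}")
```

A client that randomizes its MAC per SSID presents a different address on Guest than on Work, so an entry built from its Work-side address does not match it.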

 
