Showing results for 
Search instead for 
Did you mean: 

block list of clients to specific wlans

Team, Is it possible to block/blacklist list of mac addresses to few wlans instead of global.. thing is i want to block them only from enterprise wlans and not for guest wlan.. if i use disabled clients feature it will block globally, correct? 


Hi @Wifi_Eshwar92 ,


You can't block for specific WLAN. As you said Enterprise you don't want gave access for all the users, I would suggest to go with 802.1x for the enterprise using external radius servers. So that only legitimate users can be connect to the enterprise SSID and others can't.


Refer : Central Web Authentication on the WLC and ISE Configuration Example

Sathiyanarayanan Ravindran

Please rate the post and accept as solution, if my response satisfied your question:)

we already have ise on that wlan.. but not provisioned to do profile/posture for now... As of now, i have list of mac addresses. just want to blacklist them
VIP Mentor



I am hoping you are using Cisco WLC ! 


You would need to invlove a radius solution like ISE.


However, there are few other options that you can take in consideration (if you are not using a radius server for your WLANs). 

MAC Filtering method:

Step1: Collect all MAC address of all your clients that use wireless. From MAC filter you can decide which client can connect to which SSID (or all SSID's if you'd like). you only allow the guy you want to connect to only one SSID to only that SSID and allow others to connect to all SSIDs. This is not feasible if you have large number of users or if you have mobile users that come and go because this needs you to add all mac addresses to filter on all your wireless devices (WLCs or standalone APs).


If above stepe doesnt help you then you must go with ISE.



Dont forget to arte helpful posts


yes we cant do that.. large number of clients.. so disabled clients will help atleast to block some of the users?

Since you have ISE you can do it, you will built a condition or policy set base on SSID name match like called station ID contains or WLAN ID equals, as well as match endpoint identity store, result will be denied access, the identity store will have MAC address of users who will be denied access of Specific WLAN.

there are multiple ways to do that, lets us know if it works out for you.

-Rate helpful posts-
Content for Community-Ad