C9800 MAC Filtering on Particular APs

Sanju_13
Frequent Visitor

Hi Everyone,

We have 5 access points deployed on each of Floor A and Floor B. The requirement is to block a specific client MAC address on Floor A, while allowing the same client to connect normally on Floor B.

The WLAN is centrally switched using a Cisco 9800 WLC. I would like to understand whether this use case is feasible using the internal AAA server on the controller. (We don't have any external RADIUS server.)

If anyone has implemented a similar setup or can share insights on the best approach.

Thanks in advance.

13 Replies

@Sanju_13 

There is one attribute you could test, which is VLAN:

mab request format attribute {1 groupsize size separator separator [lowercase | uppercase] | 2 {0 | 7 | LINE} LINE password | 32 vlan access-vlan}

However, if your intention is to control client roaming between floors, which is an odd problem we often see in multi-floor offices, this is not going to work.

@Flavio Miranda 
Thanks for your reply.
Our goal is to block the user on 'Floor A' APs only. Is it feasible with central switching?

I don't believe this is possible, honestly. If you are using only one SSID, you cannot prevent the client from connecting to the SSID. That's why the VLAN parameter caught my attention. Possibly that could be a shot.

But the client will try to roam from Floor A to B anyway.

Scott Fella
Hall of Fame

I have to agree with @Flavio Miranda. Even if you were to get this working (you can with ISE, as an example), you would break roaming and cause client experience issues. Why not just have separate SSIDs? That way you can control separation better, and maybe without having to use any MAC filters. Always keep in mind the client experience before trying to implement solutions in which users will end up complaining and then you will have to figure out a new solution.

-Scott
*** Please rate helpful posts ***

Leo Laohoo
Hall of Fame

@Sanju_13 wrote:
We have access points deployed on each of Floor A and Floor B. The requirement is to block a specific client MAC address on Floor A, while allowing the same client to connect normally on Floor B.

This runs counter to what WiFi "roaming" is.

Blocking MAC addresses is "old technology". And what happens if the owner of this client gets "smart" and enables "random MAC address"?

If this is Windows or Apple OS (maybe Linux too), it can be scripted for a wireless client to join a specific MBSSID (provided the AP does not get replaced).

Sasquatch_13
Frequent Visitor

Thanks, everyone.
We plan to test this weekend with a duplicate SSID and a different policy tag on the Floor A APs; I think this will work according to the requirement.

Speaking about requirements. What do you want to achieve eventually? What is the reasoning behind that? Perhaps the solution is something other/better than "blocking a client on floor A".

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Hi @Karsten Iwen ,

We have a slightly unusual requirement for a VIP user.

The user primarily sits on Floor A and uses a dedicated Wi-Fi network on his corporate device for trading. He also occasionally uses the Board Room on Floor B.

The requirement is:

  • When the user is on Floor A, his device should not automatically connect to the corporate Wi-Fi.

  • However, when he moves to the Board Room on Floor B, he should be able to connect to the same corporate Wi-Fi without any issue.

Looking for suggestions on how this behavior can be achieved, or if there are any recommended design approaches or workarounds.

Not quite a VIP if you treat him that way. 🤣 Use the right directional antennas so that there is no reception on Floor A. Otherwise, this needs some more thinking ...

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

@Sasquatch_13 wrote:
  • When the user is on Floor A, his device should not automatically connect to the corporate Wi-Fi.

  • However, when he moves to the Board Room on Floor B, he should be able to connect to the same corporate Wi-Fi without any issue.


This is a "roaming" issue with the user's wireless client. If this wireless client is a Windows laptop, post the complete output of the command "netsh wlan show drivers".

I am going to suspect the wireless NIC driver has never been updated.

The requirement is:

  • When the user is on Floor A, his device should not automatically connect to the corporate Wi-Fi.

  • However, when he moves to the Board Room on Floor B, he should be able to connect to the same corporate Wi-Fi without any issue.

This is just setting "do not connect automatically" for the corporate WLAN in the client configuration, not on the wireless network.

We plan to test this weekend with a duplicate SSID and a different policy tag on the Floor A APs,
A duplicate SSID will not solve the problem. The client will still try to roam.
Two different SSIDs with auto-join on for one but not the other (on the client) might do it, though.

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------

pieterh
VIP

That is exactly my point.
The user primarily sits on Floor A and uses a dedicated Wi-Fi network on his corporate device for trading.
-> create an SSID TRADING

He also occasionally uses the Board Room on Floor B using the corporate Wi-Fi.
-> create an SSID CORP and configure the WLAN on the client to only connect when manually selected

In the Settings app on your Windows device, select Network & internet > Properties, then, next to Wi-Fi network password, select Show.
Disable "connect automatically when in range".
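The same client-side change as a script, so it can be pushed to the trading device and verified rather than clicked through the Settings app. This is an added example, not from any poster in this thread; the profile name "CORP" follows pieterh's suggested SSID and is an assumption, and the regex on the netsh output assumes an English-language Windows install.

```powershell
# Added example: make the CORP WLAN manual-join only on a Windows client so it
# does not auto-connect (or roam) onto the corporate SSID while on Floor A.
# "CORP" is the assumed profile/SSID name from the thread; adjust to match.
$ProfileName = "CORP"

# List the saved WLAN profiles and check the target exists before touching it.
# Output lines look like "    All User Profile     : CORP" (English Windows assumed).
$profiles = netsh wlan show profiles |
    Select-String 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

if ($profiles -notcontains $ProfileName) {
    throw "WLAN profile '$ProfileName' is not saved on this client; nothing changed."
}

# Equivalent of unticking "Connect automatically when in range" in Settings.
# The TRADING profile is left untouched, so that SSID still auto-joins.
netsh wlan set profileparameter name="$ProfileName" connectionmode=manual

# Verify: the "Connection mode" line of the profile should now read "Connect manually".
$mode = netsh wlan show profile name="$ProfileName" | Select-String 'Connection mode'
Write-Output $mode.Line.Trim()
```

Run it in an elevated PowerShell session on the client; the change survives reboots because it is stored in the saved WLAN profile, not in the current session.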
