
MAC filtering on 1602i

trih
Level 1

I have a SAP1602i access point and I would like to only permit clients access to the WLAN based on MAC addresses. Is it possible and how?

11 Replies

Ric Beeching
Level 7

Yep, are you running it as Autonomous or Lightweight (with a WLC)?

Ric


-----------------------------
Please rate helpful / correct posts

Autonomous.

Here is the guide:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116582-configure-ap-00.html

Guide:

AP# configure terminal
Create a MAC address ACL 701:
access-list 701 deny 0811.967e.c384 0000.0000.0000
.
.
. add more MAC addresses...

Note: This ACL denies all traffic to and from the client with MAC address 0811.967e.c384.

Apply this MAC-based ACL to the radio interface:
!

Config terminal
dot11 association mac-list 701

Regards

Don't forget to rate helpful posts

First, I don't want a deny access list, I don't know all MAC addresses on devices in the world.

So it should be a permit access list.

Second, the command dot11 association mac-list 701 cannot be executed. "association" is not a known command under dot11.

my fault...

yes it should be PERMIT not deny.

Second, the command dot11 association mac-list 701 cannot be executed. "association" is not a known command under dot11.

Configure like this:

access-list 701 permit 0026.5a0e.3123 0000.0000.0000
access-list 701 permit 0027.5a0e.3123 0000.0000.0000
access-list 701 permit 0028.5a0e.3123 0000.0000.0000
access-list 701 permit 0029.5a0e.3123 0000.0000.0000

and apply it to RADIO interface by using the command:

dot11 association mac-list 701

another method is here:

https://mrncciew.com/2013/03/09/autonomous-ap-configuring-filters/

Regards

Don't forget to rate helpful posts

Have tried it and again "dot11 association mac-list 701" cannot be executed. "Association" is not a known command under dot11.

ok then one more way is to use filter bridge under radio interface:

Example: Block one address and allow others....you can modify it.....

access-list 701 deny 0026.1829.2726 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff
!
interface Dot11Radio1
l2-filter bridge-group-acl
!
interface Dot11Radio1.14
bridge-group 14 input-address-list 701
bridge-group 14 output-address-list 701

Regards

Don't forget to rate helpful posts

Doesn't work.

With the MAC filtering I would like to permit access to only the MAC addresses I know. Ex. only my laptop.

can you paste the running config from AP..

Sandeep Choudhary
VIP Alumni

Final config must look like this:

----------------

access-list 701 permit 04f7.e4ea.5b66 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
!
interface Dot11Radio1
l2-filter bridge-group-acl
!
interface Dot11Radio0
l2-filter bridge-group-acl
!
int Gig0
l2-filter bridge-group-acl
!

dot11 association mac-list 701

------------

Regards

Don't forget to rate helpful posts

It did. Thanks for the help.
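
An added example (not part of any post in this thread, and not Cisco code): a small Python evaluator for the 700-series MAC ACL lines posted above, showing why the block-one variant admits unlisted clients while the permit-one variant does not. It assumes standard IOS ACL semantics (first match wins, mask bits set to 1 are ignored, implicit deny at the end); the function names are hypothetical.

```python
import re

ALL = 0xFFFFFFFFFFFF  # 48-bit mask with every bit set
# One entry of a 700-series list: access-list <700-799> permit|deny <mac> <mask>
ENTRY = re.compile(r"^access-list\s+(7\d\d)\s+(permit|deny)\s+"
                   r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
                   r"((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})$", re.I)

# Constructed inputs: the ACL lines of the two variants posted in the thread,
# written in dotted H.H.H notation.
PERMIT_ONE = """access-list 701 permit 04f7.e4ea.5b66 0000.0000.0000
access-list 701 deny 0000.0000.0000 ffff.ffff.ffff
dot11 association mac-list 701"""
BLOCK_ONE = """access-list 701 deny 0026.1829.2726 0000.0000.0000
access-list 701 permit 0000.0000.0000 ffff.ffff.ffff"""

def mac_int(text):
    """Convert H.H.H notation to a 48-bit integer."""
    return int(text.replace(".", ""), 16)

def parse_acl(config, number):
    """Return [(action, address, mask)] for ACL `number`, in config order."""
    entries = []
    for raw in config.splitlines():
        m = ENTRY.match(raw.strip())
        if m and int(m.group(1)) == number:
            entries.append((m.group(2).lower(), mac_int(m.group(3)), mac_int(m.group(4))))
    return entries

def decide(entries, client):
    """First matching entry wins; mask bits set to 1 are ignored.
    No match falls through to deny (assumed implicit deny)."""
    mac = mac_int(client)
    for action, addr, mask in entries:
        care = ALL & ~mask
        if (mac & care) == (addr & care):
            return action
    return "deny"

def is_allow_list(entries):
    """True when only exact-match permit entries can admit a client."""
    for action, _addr, mask in entries:
        if mask == ALL:        # catch-all entry: nothing after it is reached
            return action == "deny"
        if action == "permit" and mask != 0:
            return False       # wildcard permit admits unlisted clients
    return True                # the implicit deny closes the list

if __name__ == "__main__":
    for name, cfg in (("permit-one", PERMIT_ONE), ("block-one", BLOCK_ONE)):
        acl = parse_acl(cfg, 701)
        print(name, is_allow_list(acl), decide(acl, "0811.967e.c384"))
```

Running `is_allow_list` over the ACL lines of a saved running-config is a quick check that a MAC filter is still an allow-list after someone edits it.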
