IdentiFi: could I blacklist a MAC for a certain SSID or AP?

Hello, everybody,

I have the ability to blacklist a MAC address in Reports > Clients. But doing so totally blocks a user for all SSIDs and APs.

Could I block a MAC for a certain SSID/AP?

Many thanks in advance,

Ilya
Ilya Semenov

Posted 8 months ago

Shay Weir

Yes.  You can blacklist by WLAN....

For the WLAN via CLI enter:
use association-acl-policy CLIENT-BLACKLIST

You must create the Association ACL...ex:
!
association-acl-policy CLIENT-BLACKLIST
 deny AA-BB-CC-DD-EE-FF AA-BB-CC-DD-EE-FF precedence 1 
 permit 00-00-00-00-00-00 FF-FF-FF-FF-FF-FF precedence 1000
!
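
An added example, not part of the post above or of Extreme's tooling: a small Python check that parses association ACL lines in the form shown above and reports which rule decides for a given client MAC. It assumes rules are evaluated in ascending precedence with the first matching range deciding; the function names and the sample policy are constructed for illustration.

```python
import re

# Constructed sample mirroring the policy in the post above (placeholder MAC).
SAMPLE_POLICY = """\
association-acl-policy CLIENT-BLACKLIST
 deny AA-BB-CC-DD-EE-FF AA-BB-CC-DD-EE-FF precedence 1
 permit 00-00-00-00-00-00 FF-FF-FF-FF-FF-FF precedence 1000
"""

RULE_RE = re.compile(
    r"^\s*(permit|deny)\s+([0-9A-F-]{17})\s+([0-9A-F-]{17})\s+precedence\s+(\d+)\s*$",
    re.IGNORECASE,
)


def mac_to_int(mac):
    """Normalise AA-BB-.., aa:bb:.. or aabb.ccdd.eeff notation to an integer."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def parse_policy(text):
    """Return [(precedence, action, start, end)] sorted by precedence."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # policy header, '!' separators, blank or malformed lines
        action, start, end, prec = m.groups()
        lo, hi = mac_to_int(start), mac_to_int(end)
        if lo > hi:
            raise ValueError(f"range start above end: {line.strip()}")
        rules.append((int(prec), action.lower(), lo, hi))
    precs = [r[0] for r in rules]
    if len(precs) != len(set(precs)):
        raise ValueError("duplicate precedence values")
    return sorted(rules)


def decide(rules, client_mac):
    """Assumed semantics: the lowest-precedence rule containing the MAC wins."""
    mac = mac_to_int(client_mac)
    for prec, action, lo, hi in rules:
        if lo <= mac <= hi:
            return action, prec
    return None, None  # no rule matched; the default is not modelled here
```
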

Craig Guilmette, Employee

Are we speaking Extreme wireless controller or Extreme WiNG here?

Shay Weir

My suggestion is for WiNG, not Extreme IdentiFi. Apologies for the misdirection. It does work great for WiNG though.

Craig Guilmette, Employee

I wondered why I did not recognize your solution. I am an Extreme IdentiFi ESE and this question was posted under the IdentiFi wireless heading. The below answer from Doug is our only solution, as without that a blacklist entry blocks the entire system.

Doug Hyde, Technical Support Manager

  • If you want to blacklist users on a per-WLAN basis, you can add the MAC address to the role associated with the specific WLAN you want to blacklist them on (keep in mind that the Max Number of Filter Rules per Role is 64).
  • You need to make sure when creating the filter rule in the role for the client to set the 'In filter' and 'out filter' to 'both', and the 'Access Control' to 'Deny'. 
  • If you use this method the client will still be able to connect to the SSID but they will not be able to pass any traffic. This may be a viable solution if you only need to blacklist a few clients. 
  • If you need to blacklist more clients and need to do so on a per WLAN basis you would need to use some kind of authentication (MAC) and use NAC to blacklist.

Ronald Dvorak, Embassador

Yes, if you use external authentication like Extreme Control, just put the MAC in an end-system group that isn't allowed and link it with the SSID.


Cheers,
Ron