Extreme Networks

Hello,

Do you know if there is an easier way to include a client into whitelist to bypass firewall rules on AP? Having to deal with supplemental CLI and adding sing MAC objects every time is not really feasible from the customer's side. Adding a different MAC to supplemental CLI commands every time a specific client connects would be solution as well, MAC range does not seem to be the right option.

A button appearing on client list near by the client name as "Add to whitelist" would be a perfect solution. One of our competitors meets this requirement.

Bests,

Yücel

The following is an excerpt from this page, but I wanted to separate out the part that answers your question: http://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-supplemental-cli.htm

To configure MAC Address Bypass, which is also referred to as a captive web portal whitelist, there are three tasks to perform:

1. Define the MAC objects.
2. Enable MAC Address Bypass for a specific security object.
3. Pair the MAC and security objects.

Define the MAC Address Object

The following is the CLI command syntax to create a MAC whitelist object with a single MAC address or a range of addresses:

mac-object <string> mac-range <mac_addr> - <mac_addr>

To create a single MAC whitelist object containing a single MAC address, enter the following:

mac-object MyMacObject1 mac-range 1111:2222:3333 - 1111:2222:3333

To create a single MAC whitelist object containing a range of MAC addresses, enter the following:

mac-object MyMacObject2 mac-range aaaa:bbbb:cccc - aaaa:bbbb:dddd

• You can configure a maximum of 128 MAC objects, with each MAC object containing up to 255 MAC address entries.

Enable MAC Address Bypass for Specific Security Objects

The following is the CLI command syntax to enable this feature for a specific security object:

security-object <string> security mac-white-list bypass-cwp

For example, to specify an SSID, enter:

security-object vendor security mac-white-list bypass-cwp

• If you have previously created an SSID profile in HiveManager, the security object, or <string> name, must be the same as the SSID name, in this case, vendor.

Pair MAC and Security Objects

Once this feature is enabled, you must pair the bypass-cwp security object to the MAC object that contains the specific MAC addresses that can bypass the captive web portal.

The CLI command syntax to create a MAC object is:

security-object <string> security mac-white-list mac-object <string>

For example:

security-object vendor security mac-white-list mac-object MyMacObject1

Each security-object can have up to eight different MAC objects associated to a specific mac-white-list.

For example, to bind the vendor SSID eight MAC objects, enter the following:

# security-object vendor security mac-white-list mac-object MyMacObject1

# security-object vendor security mac-white-list mac-object MyMacObject2

# security-object vendor security mac-white-list mac-object MyMacObject3

# security-object vendor security mac-white-list mac-object MyMacObject4

# security-object vendor security mac-white-list mac-object MyMacObject5

# security-object vendor security mac-white-list mac-object MyMacObject6

# security-object vendor security mac-white-list mac-object MyMacObject7

# security-object vendor security mac-white-list mac-object MyMacObject8

You can add up to eight different MAC objects to a single mac-white-list. If you attempt to add more than eight objects, the following error message appears:

# security-object vendor security mac-white-list mac-object MyMacObject9

can't bind mac-object to mac-white-list exceeding 8 members!

View Paired Objects

The following is the CLI command syntax to see all of the paired MAC objects for a specific security object:

show security-object <string> security mac-white-list

For example, assuming the object above exists, you can enter the following to view them:

show security-object test-ssid security mac-white-list