04-30-2019 04:25 PM
04-30-2019 09:40 PM
One way to do this is to use client classification. Create your MAC object with the list of MAC addresses in it. Then create three user profiles. One profile, "Bad", is set up with a non-existing VLAN (dead end) as default. One profile, "Good", is set up with the desired VLAN as default. The third profile is set up with the dead-end VLAN as default but has client classification enabled. Then, in the classification rules, anything that matches the MAC object you created gets redirected to the "Good" profile, and all else gets directed to the "Bad" profile and never gets anywhere; since the VLAN does not exist past the AP, all the packets die there.
Another twist on this that makes troubleshooting easier later on is to have two complete functional VLANs with DHCP running. Then the bad VLAN either goes nowhere or, better yet, has a block-everything-but-DHCP rule on the profile. Then if a client shows up with the address from the bad VLAN, you know they are not in the MAC object list. But you can see them on the client monitor page.
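The troubleshooting check described in the reply above can be scripted against an export of the client monitor page. This is an added example, not part of the original post: the subnets, MAC addresses and the (MAC, IP) record format are constructed assumptions, and the script only compares observed leases against the MAC object list.

```python
import ipaddress
import re

# Constructed sample values; substitute your own MAC object and VLAN subnets.
ALLOWED_MACS = ["00:11:22:AA:BB:01", "0011.22aa.bb02", "00-11-22-aa-bb-03"]
GOOD_NET = ipaddress.ip_network("10.10.20.0/24")   # assumed "Good" VLAN subnet
BAD_NET = ipaddress.ip_network("10.10.99.0/24")    # assumed "Bad" VLAN subnet

# Constructed client-monitor export: (MAC, IP) pairs.
CLIENTS = [
    ("00:11:22:aa:bb:01", "10.10.20.15"),   # listed, good VLAN
    ("00-11-22-AA-BB-02", "10.10.99.31"),   # listed, but landed in bad VLAN
    ("de:ad:be:ef:00:01", "10.10.99.40"),   # not listed, bad VLAN
    ("de:ad:be:ef:00:02", "10.10.20.77"),   # not listed, yet in good VLAN
    ("00:11:22:aa:bb:03", "169.254.3.9"),   # listed, no lease from either VLAN
]

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def audit(clients, allowed_macs, good_net, bad_net):
    """Return {normalized_mac: verdict} for each observed client."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    report = {}
    for mac, ip in clients:
        key = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        listed = key in allowed
        if addr in good_net:
            verdict = "ok" if listed else "ALERT: unlisted client on good VLAN"
        elif addr in bad_net:
            verdict = ("CHECK: listed client on bad VLAN" if listed
                       else "blocked as intended")
        else:
            verdict = "CHECK: address outside both VLANs"
        report[key] = verdict
    return report

if __name__ == "__main__":
    for mac, verdict in audit(CLIENTS, ALLOWED_MACS, GOOD_NET, BAD_NET).items():
        print(mac, verdict)
```

A "listed client on bad VLAN" result usually points at a MAC entered in a different notation or a profile assignment that skipped classification, which is why the MACs are normalized before comparison.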