Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] [WLA/WLC] How to create an ACL to block unwanted devices from connecting to a SSID

0

0
Article ID: KB24473 KB Last Updated: 01 Dec 2020Version: 3.0 Summary:

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.

 

This KB provides information on how to create an access-list to block unwanted users from connecting to a SSID.

Symptoms:
How to create an access-list to block unwanted users from connecting to a SSID.
Solution:

To block rogue devices from connecting to a SSID, you can either configure a layer 2 access-list or a blocklist. The main difference between the two is that if a blocklist is used, the devices with the specified MACs will not be able to associate to the AP; if an ACL is used, the same device will associate and possibly even authenticate on the controller, but will not be able to make traffic.

To configure an ACL, perform the following procedure:

  1. Create an ACL with the MAC addresses, for which access has to be denied.
  2. Add an entry for each MAC address on the designated ACL.
  3. After the ACL has been created or modified, it will also have to be commited; else the modifications will not be taken into consideration.

The syntax for adding an entry in an ACL is:
WLC# set security acl name acl-name {permit|deny} mac {any | src-mac-addr} {dest-mac-addr | any | bpdu | broadcast | multicast | pvst} ethertype {ethertype-hex | any | arp | ipv4 | ipv6
An example for an ACL is:
set security acl name mac-acl deny mac 11:22:33:44:55:66 ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff ethertype any
set security acl name mac-acl deny mac AA:BB:CC:DD:EE:FF ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff ethertype any
set security acl name mac-acl permit mac 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 ff:ff:ff:ff:ff:ff ethertype any
commit security acl name acl-mac
Where 11:22:33:44:55:66 and AA:BB:CC:DD:EE:FF are the MAC addresses of the devices, for which access has to be denied. You will also have to apply the ACL to the service-profile, for which it has to be run:
set service-profile test attr filter-id mac-acl.in
Where test is the name of the service-profile, mac-acl is the name of the ACL, and in or out represents inbound or outbound.

Note: This is considered a viable solution for networks that face only a limited number of rogue devices. If the number of unwanted devices increases, it is recommended to configure a blocklist.
Modification History:

2020-12-01: Tagged article for EOL/EOE

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search