This article explains the maximum number of MAC addresses that can be configured on the AX411 Access Point, and shows how to authenticate users if that limit is exceeded.
An attempt to configure more than 32 MAC addresses will result in the error below:
+ wlan {
+ access-point AP1 {
+ access-point-options {
+ station-mac-filter {
+ allow-list {
+ mac-address [ 00:26:88:ea:13:03 00:26:88:ea:13:04 00:26:88:ea:13:05 00:26:88:ea:13:06
00:26:88:ea:13:07 00:26:88:ea:13:08 00:26:88:ea:13:09 00:26:88:ea:13:10
00:26:88:ea:13:11 00:26:88:ea:13:12 00:26:88:ea:13:13 00:26:88:ea:13:14
00:26:88:ea:13:15 00:26:88:ea:13:16 00:26:88:ea:13:17 00:26:88:ea:13:18
00:26:88:ea:13:19 00:26:88:ea:13:21 00:26:88:ea:13:22 00:26:88:ea:13:2
00:26:88:ea:13:24 00:26:88:ea:13:25 00:26:88:ea:13:26 00:26:88:ea:13:27
00:26:88:ea:13:28 00:26:88:ea:13:29 00:26:88:ea:13:30 00:26:88:ea:13:31
00:26:88:ea:13:32 00:26:88:ea:13:33 00:26:88:ea:13:34 00:26:88:ea:13:35
00:26:88:ea:13:36 00:26:88:ea:13:37 00:26:88:ea:13:38 00:26:88:ea:13:39
00:26:88:ea:13:40 00:26:88:ea:13:41 ];
+ }
+ }
+ }
+ }
+ }
[edit]
root# commit check
[edit wlan access-point AP1 access-point-options station-mac-filter allow-list]
'mac-address'
number of elements exceeds limit of 32
error: configuration check-out failed: (number of elements exceeds limit)
A maximum of 32 MAC addresses can be configured for local authentication per access point.
Authenticating users based on MAC addresses
MAC authentication allows you to control access to an access point based on client MAC addresses.
Depending on how you set the filter, you can either allow only clients whose MAC addresses are on a filter list, or deny clients that are on the list.
If the number of devices in the network is small, a local database of allowed and denied MAC addresses is created.
You can choose to list authorized MAC addresses (allow-list) or unauthorized MAC addresses (deny-list).
Procedure for Local Authentication
To configure a MAC filter list:
- Configure the WLAN access point and specify the client MAC address or addresses.
root# set wlan access-point AP1 access-point-options station-mac-filter allow-list mac-address [ 00:26:88:ea:13:03 00:26:88:ea:13:30 ]
- If you have finished configuring the device, commit the configuration:
root# commit
If the network is large, you can use RADIUS authentication (mac-authentication-type radius) instead.
To configure mac-authentication-type radius, use the command below:
root# set wlan access-point AP1 radio 1 virtual-access-point 1 security mac-authentication-type radius
The client’s MAC address is checked against a RADIUS server and the globally configured allow or deny action is used. When MAC authentication on the RADIUS server is set to deny mode, the presence of a specific MAC address on the RADIUS server is used to deny network access to that MAC address. If an entry for the client’s MAC address is not found on the RADIUS server, the opposite action of the globally configured action is used.
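A pre-commit check for the 32-entry limit and the two options described above, as an added example that is not part of the original article. The script and its function names are hypothetical, the inventory is constructed, and it assumes the AP1, radio 1 and virtual-access-point 1 names used in the article's commands.

```python
import re

LOCAL_LIMIT = 32  # per-access-point allow/deny list limit stated in this article
MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")

def normalize(mac):
    """Return the lower-case colon form, or None if it is not a full 6-octet MAC."""
    m = mac.strip().lower().replace("-", ":")
    return m if MAC_RE.fullmatch(m) else None

def plan_mac_filter(macs, ap="AP1", list_name="allow-list"):
    """Validate and de-duplicate macs, then choose local filter list or RADIUS."""
    valid, rejected, seen = [], [], set()
    for raw in macs:
        mac = normalize(raw)
        if mac is None:
            rejected.append(raw)      # malformed: fix before committing
        elif mac not in seen:
            seen.add(mac)
            valid.append(mac)
    if not valid:
        mode, cmd = "none", None
    elif len(valid) <= LOCAL_LIMIT:
        mode = "local"
        cmd = (f"set wlan access-point {ap} access-point-options "
               f"station-mac-filter {list_name} mac-address [ {' '.join(valid)} ]")
    else:
        # Over the limit: the MAC entries themselves must live on the RADIUS server.
        mode = "radius"
        cmd = (f"set wlan access-point {ap} radio 1 virtual-access-point 1 "
               "security mac-authentication-type radius")
    return {"mode": mode, "count": len(valid), "rejected": rejected, "command": cmd}

if __name__ == "__main__":
    # Constructed inventory: 33 unique addresses, one duplicate, one truncated entry.
    inventory = [f"00:26:88:ea:13:{i:02x}" for i in range(3, 36)]
    inventory += ["00-26-88-EA-13-03", "00:26:88:ea:13:2"]
    plan = plan_mac_filter(inventory)
    print(plan["mode"], plan["count"], plan["rejected"])
    print(plan["command"])
```

Duplicates and malformed entries are resolved before counting, so a list is only pushed to RADIUS when it holds more than 32 distinct, well-formed addresses.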
Verification
To verify that the configuration is working properly, use the commands below:
show wlan access-points <name>
show wlan access-points <name> detail
show wlan access-points <name> virtual-access-points
show wlan access-points <name> client-associations