Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX/AX] Maximum MAC address limit in Access Point-AX411



Article ID: KB28796 KB Last Updated: 21 Apr 2014Version: 1.0

This article explains the maximum number of MAC addresses allowed in Access Point-AX411, and shows how to authenticate users if the limit is exceeded.


An attempt to configure more than 32 MAC addresses will result in the error below:

+ wlan {
+ access-point AP1 {
+ access-point-options {
+ station-mac-filter {
+ allow-list {
+ mac-address [ 00:26:88:ea:13:03 00:26:88:ea:13:04 00:26:88:ea:13:05 00:26:88:ea:13:06
00:26:88:ea:13:07 00:26:88:ea:13:08 00:26:88:ea:13:09 00:26:88:ea:13:10
00:26:88:ea:13:11 00:26:88:ea:13:12 00:26:88:ea:13:13 00:26:88:ea:13:14
00:26:88:ea:13:15 00:26:88:ea:13:16 00:26:88:ea:13:17 00:26:88:ea:13:18
00:26:88:ea:13:19 00:26:88:ea:13:21 00:26:88:ea:13:22 00:26:88:ea:13:2
00:26:88:ea:13:24 00:26:88:ea:13:25 00:26:88:ea:13:26 00:26:88:ea:13:27
00:26:88:ea:13:28 00:26:88:ea:13:29 00:26:88:ea:13:30 00:26:88:ea:13:31
00:26:88:ea:13:32 00:26:88:ea:13:33 00:26:88:ea:13:34 00:26:88:ea:13:35
00:26:88:ea:13:36 00:26:88:ea:13:37 00:26:88:ea:13:38 00:26:88:ea:13:39
00:26:88:ea:13:40 00:26:88:ea:13:41 ];
+         }
+      }
+    }
+ }
+ }

root# commit check
[edit wlan access-point AP1 access-point-options station-mac-filter allow-list]
number of elements exceeds limit of 32
error: configuration check-out failed: (number of elements exceeds limit)


Up to 32 MAC addresses can be configured for local authentication per Access Point. That is the limit.

Authenticating users based on MAC addresses

MAC authentication allows you to control access to an access point based on client MAC addresses.

Depending on how you set the filter, you can either allow only clients whose MAC addresses are on a filter list, or deny clients that are on the list.

If the number of devices in the network is small, a local database of allowed and denied MAC addresses is created.

You can choose to recognize authorized (allow-list) mac-addresses or unauthorized (deny-list) mac-addresses.

Procedure for Local Authentication

To configure a MAC filter list:

  • Configure the WLAN access point and specify the client MAC address/addresses.

root# set wlan access-point AP1 access-point-options station-mac-filter allow-list mac-address [00:26:88:ea:13:03 00:26:88:ea:13:30]

  • If you have finished configuring the device, commit the configuration:

root# commit

If the network is large, you can use the following:

radius authentication <mac-authentication-type radius>

To configure <mac-authentication-type radius>, use the command below:

root#set wlan access-point AP1 radio 1 virtual-access-point 1 security mac-authentication-type radius

The client’s MAC address is checked against a RADIUS server and the globally configured allow or deny action is used. When MAC authentication on the RADIUS server is set to deny mode, the presence of a specific MAC address on the RADIUS server is used to deny network access to that MAC address. If an entry for the client’s MAC address is not found on the RADIUS server, the opposite action of the globally configured action is used.


To verify that the configuration is working properly, use the commands below:

show wlan access-points <name>

show wlan access-points <name> detail

show wlan access-points <name> virtual-access-points

show wlan access-points <name> client-associations

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search