Reset Search
 

 

Article

How to create an Association ACL using CLI

« Go Back

Information

 
TitleHow to create an Association ACL using CLI
Objective
Creating a MAC association-ACL from the CLI
Environment
  • WiNG 5.x 
  • RFS series controllers 
  • NX series controllers 
  • VX series controllers 
  • WiNG APs (non legacy)
Procedure
1. Login to the CLI of controller / AP [if standalone], under the global configuration mode, enter the following command to create the mac association-acl

Code syntax:
association-acl-policy <policy name> 
 [ permit | deny ]  [Starting MAC address of a range of MACs] [Ending MAC of a range of MACs (optional if a single mac is to be added)] precedence 1
commit write

Sample code as below:
rfs4000-882A99#configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
rfs4000-882A99(config)#association-acl-policy demoACL 
rfs4000-882A99(config-assoc-acl-demoACL)#permit 2C-5B-B8-7B-03-9F precedence 1
rfs4000-882A99(config-assoc-acl-demoACL)#deny 00-00-00-00-00-00 FF-FF-FF-FF-FF-FF precedence 1000
rfs4000-882A99(config-assoc-acl-demoACL)#commit write
Please Wait .
[OK]
The above mac association-acl demonstrate that mac address 2C-5B-B8-7B-03-9F as per precedence 1 will be allow to associate while the rest will be denied association.

2. Then map the mac association-acl to the intended wlan:
rfs4000-882A99(config-assoc-acl-demoACL)#..
rfs4000-882A99(config)#wlan JF 
rfs4000-882A99(config-wlan-JF)#use association-acl-policy demoACL 
rfs4000-882A99(config-wlan-JF)#commit write
Please Wait .
[OK]

Troubleshooting
If logging on is configured on AP, you can check wireless client association related event using the below command
AP1#show logging 

Logging module: enabled
    Aggregation time: disabled
    Console logging: level warnings
    Monitor logging: level warnings
    Buffered logging: level debugging
    Syslog logging: level warnings
        Facility: local7

Log Buffer (2516 bytes):


Sep 06 07:43:13 2017: AP1 : %DOT11-6-CLIENT_DISASSOCIATED: Client '2C-5B-B8-7B-03-9F' disassociated from wlan 'JF' radio 'AP1:R1': client initiated (reason code:3) 
Sep 06 07:41:32 2017: AP1 : %DOT11-5-CLIENT_DENIED_ASSOC: Client 'FC-C7-34-B3-B9-19' denied association on radio 'AP1:R1' wlan 'JF': wlan association acl 
Sep 06 07:41:28 2017: AP1 : %DOT11-5-CLIENT_DENIED_ASSOC: Client 'FC-C7-34-B3-B9-19' denied association on radio 'AP1:R1' wlan 'JF': wlan association acl 
Sep 06 07:41:25 2017: AP1 : %DOT11-5-CLIENT_DENIED_ASSOC: Client 'FC-C7-34-B3-B9-19' denied association on radio 'AP1:R1' wlan 'JF': wlan association acl 
Sep 06 07:41:24 2017: AP1 : %DOT11-5-CLIENT_DENIED_ASSOC: Client 'FC-C7-34-B3-B9-19' denied association on radio 'AP1:R1' wlan 'JF': wlan association acl 
Sep 06 07:40:49 2017: AP1 : %DOT11-6-CLIENT_INFO: Client '2C-5B-B8-7B-03-9F' IP address '172.16.1.197', bssid '5C-0E-8B-86-1B-A0' of radio 'AP1:R1' signal-strength -70dBm 
Sep 06 07:40:46 2017: AP1 : %DOT11-6-CLIENT_ASSOCIATED: Client '2C-5B-B8-7B-03-9F' associated to wlan 'JF' ssid 'JF' on radio 'AP1:R1'
Sep 06 07:40:08 2017: AP1 : %SYSTEM-5-LOGIN: Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'

You can notice that only mac address 2C-5B-B8-7B-03-9F is allowed to associate while the one not specified is denied.

 
Additional notes
For GUI configuration version, you may refer to How to create an Association ACL using Wing Web UI

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255