WLC - block MAC Address

Wireless system with 3 x WLC-4402, version 6.0.199.4, about 100 AP, about 300 clients.
I need to block some clients that are bombarding me with frequent and repeated "Signature attack" (Auth flood).
I tried to put the MAC Address in the black-list (Disabled Client), but it seems not to work.
Any other suggestions?
Claudio

If it's an authentication issue, then you can enable client exclusion on the WLAN also. 3 failures will automatically put them in the exclusion list. Not that I like upgrading, but the latest versions of 7.0.x are pretty good, but you need to make sure your APs support that code. 6.x is pretty old.
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"

Similar Messages

  • How to connect to a network that has blocked Mac addresses?

    My school has blocked Mac addresses how do I get around this?

    lllaass already answered, and JakeStebbings provided as helpful a suggestion as possible.
    You might as well mark your own response as "answered" and move on:
    That's impossible.

  • What good is it to have a router that doesn't block mac addresses like it's supposed to!!!

    what good is it to have a router that doesn't block mac addresses like it's supposed to!!!

    At 10:30pm I think I'd like to talk this out....Lemme give you some more details and let's get some hardware programmers involved. I think this is a cross-platform conflict or at the remote a outdated hardware problem. What do you need from me to track this issue down? I have been patient and have waited over 1yr or maybe 2, waiting for an update to correct this issue. Alas, there has been no solution to this problem. I have 13 separate MAC addy's on the network. 1 wired and the rest wireless (some constant, others random). All on a schedule (some timed access, some all the time). I have MacBooks, Laptops, Desktops, iPads, iPods, DSIs, Windows7, WindowsXP Pro, PS3, AppleTV and a few random BlueTooths. Not that much.
    Anyways, I think somehow there is a hole because of cross-platform compatibility that is making my daughter able to get on the net unless I change the wireless password......
    No I have no proof...It's just a feeling

  • How to block mac address in 2800 router

    sir
    how to block mac addresses in cisco 2800 router 

    Hi,
    To block MAC addresses you can simply create MAC-based ACLs, which range from 700 to 799.
    Example:
    access-list 700 deny xxxx.xxxx.xxxx
    access-list 700 permit yyyy.yyyy.yyyy
    Now you can apply it on the interface:
    int f0/0
    access-group 700 in
    exit
    Regards,
    Rahul Chhabra
    Network Engineer
    Spooster IT Services

  • RV016: PPTP Server and "Block MAC address"

    So if the PPTP server is enabled, and "Block MAC address not on the list" is enabled under the DHCP settings, will the PPTP client get an IP address?
    Similarly, if the PPTP server is enabled and the range of IP addresses configured on the PPTP server screen is outside the IP range of the router due to a subnet mask (like 255.255.225.248 for example), will the IP still be assigned to the PPTP client?  If assigned, will that IP have any connectivity to the LAN?
    Thank you in advance for any answers!
    Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com      

    So here's how PPTP works with these two features:
    1.  The PPTP IP range is a different range than the DHCP range.  You get an error message if your PPTP IP range overlaps with the DHCP one.
    I didn't test the 'Block MAC' function because since the IP isn't coming from the DHCP pool, I highly doubt any MAC blocking will work.
    2.  Since your PPTP IP address range is outside of the DHCP range, this point is completely taken off the table.  However, if you choose an IP range that's outside of the subnet, you'll get an error message when saving.  I also learned that if you set the PPTP IP to just a single number and connect, the router will automatically reject any additional connections since no IPs are available.
    Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

  • Cisco WLC Client MAC address backup to new Controller & ISE

    Hi All,
    We have an existing 4400 controller with MAC filtering for clients configured. Right Now, we are migrating to 5500 WLC and ISE setup.
    We want to use MAC filtering due to company policies on the new Controller as well as ISE.
    Is there a way (from GUI/CLI) that we can export the client MAC Addresses into an Excel file from existing WLC to new WLC & ISE?
    Thanks,
    CJ

    On the CLI issue a show macfilter summary and then import that into excel or a text editor.
    Sent from Cisco Technical Support iPhone App
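
An added example, not part of the original reply: one way to turn captured `show macfilter summary` output into a CSV that opens in Excel. The sample output below is constructed and the column layout is an assumption (it can differ between releases); the parser keys only on rows that start with a MAC address.

```python
import csv
import io
import re

# Constructed sample of captured CLI output; not taken from a real controller.
SAMPLE = """\
MAC Filter RADIUS Compatibility mode............. Cisco ACS
MAC Filter Delimiter............................. None

Local Mac Filter Table

MAC Address               WLAN Id          Description
-----------------------   --------------   --------------------------------
00:11:22:aa:bb:01            1             Warehouse scanner 1
00:11:22:AA:BB:02            2             +Front desk printer
00:11:22:aa:bb:01            1             Warehouse scanner 1
00:11:22:aa:bb:03            0
"""

# A data row is: MAC address, numeric WLAN id, optional free-text description.
ROW = re.compile(r"^\s*((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\d+)\s*(.*)$")

def parse_macfilter(text):
    """Return unique (mac, wlan_id, description) rows, skipping banners and headers."""
    seen, rows = set(), []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        mac, wlan, desc = m.group(1).lower(), int(m.group(2)), m.group(3).strip()
        if (mac, wlan) in seen:          # drop duplicates from repeated captures
            continue
        seen.add((mac, wlan))
        rows.append((mac, wlan, desc))
    return rows

def to_csv(rows):
    """Serialize rows to CSV, neutralizing descriptions a spreadsheet would run as formulas."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["mac", "wlan_id", "description"])
    for mac, wlan, desc in rows:
        if desc[:1] in ("=", "+", "-", "@"):
            desc = "'" + desc            # leading quote makes the cell plain text
        writer.writerow([mac, wlan, desc])
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(parse_macfilter(SAMPLE)), end="")
```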

  • Blocking MAC-Address on Cisco Router

    Can anyone tell me how to block a particular MAC address on a Cisco router 2900 series? There are few PCs in the network which I don't want to get into the network anyhow. Can anyone help me out with this?
    Regards,
    Abhishek

    With your problem-description
    There are few PCs in the network which I don't want to get into the network anyhow
    the strategy of using the router to block them is the wrong way because the PCs are already on the network and the blocking has to be done at the entry-points which are the switches.
    But if you want to stop them leaving your network on the router by filtering the MAC, you could also use modified QoS-mechanisms:
    class-map match-any UNWANTED-PCs
      match source-address mac AAAA.BBBB.CCCC
      match source-address mac DDDD.EEEE.FFFF
    policy-map IN-POLICY
      class UNWANTED-PCs
       drop
    int GigabitEthernet0/0
      description LAN-Interface
      service-policy input IN-POLICY
    Don't stop after you've improved your network! Improve the world by lending money to the working poor:
    http://www.kiva.org/invitedby/karsteni

  • Wlc 2100 mac -address issue

    Hi all,
      We are using a WLC 2106-K9 controller, with MAC-based authentication for clients. After a few days the MAC address database automatically deleted a few MAC addresses. This is not the first time; it has happened twice. We have entered only 60 MAC addresses in total. It has IOS AIR-WLC2100-K9-7-0-98-218.aes.
    Thanks in advance.

    I had the same problem yesterday and after many hours searching the web I ended up with this post that made me really desperate... But I didn't give up and while trying a new bios flash because of random crashes when in the bios, I noticed the obvious: you can change the MAC address when flashing 
    use the last version of the dos flasher with the parameters /nvmac:xxxxxxxxxxxx/wb after the name of the bios file; it's explained if you ask the help with the /help parameter. You can find the mac address on a stick on the parallel port.

  • Blocking MAC addresses

    I have my airport set to only allow certain MAC addresses to have access to my network. However, the person I am trying to restrict access to has figured out how to reset the settings using the reset hole and gain access to the network. Is there any other way that I have to block access to the network if the airport is reset?

    The only way to prevent this is to prevent physical access to the base station.
    Nothing you configure will work, if the person can physically reset the base station to its default settings.
    iFelix

  • Cisco WLC username/mac address

    Hi
    I'm having problems with editing the User Field in the WCS. The purpose was to make it easier to identify clients on the wireless network through their names rather than through MAC addresses, which are currently the only method of authentication.
    I would appreciate it if anyone could guide me in any form necessary in editing these details.

    Just curious as to whether or not you figured out how to make this work. I would also like to get that set up.

  • Block internet access by MAC address all the time

    I want to be able to block MAC addresses from accessing the internet but allow them to use the network.
    I can do this in other router interfaces but the BT Home Hub 2.0 has a VERY un-user-friendly interface and will not allow advanced internet access or other settings to be modified to suit my needs.
    I am at an intermediate level at understanding network equipment and an expert at residential networking.

    Not sure about the home hub 2, but on the home hub 1 you can use a "user defined" firewall setting to block access to a computer by specifying its IP address.
    Source LAN
    Interface 192.168.1.xxx  (address you wish to block)
    Destination WAN
    Service ANY
    Action Deny
    You can tell the home hub to always use this IP address for the device you are trying to block.
    There is probably a similar setting on the home hub 2.
    By default I block all Internet access for devices, then I have rules to allow HTTP, HTTPS, POP3 and a couple of others.
    I also have UpnP disabled.
    This prevents any computer on the network accessing any non-standard ports.
    There are some useful help pages here, for BT Broadband customers only, on my personal website.
    BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

  • MAC address filtering?

    This hotspot is advertised on multiple sites to have MAC address filtering, which is why we purchased it in the first place, yet the administration panel only shows that the device is capable of blocking MAC addresses, as opposed to creating an access list with specifically white-listed devices. I have scoured all the options on the administration panel and yet I am unable to find an option to allow us to do this. Has anyone found a workaround for this?

    This sounds more like an HR/management issue than an IT issue.  If your employees are abusing your technology policies then that is none of IT's concern.  Educate your users on how to properly use the devices that you provide them and inform them on the consequences of failing to comply with your policy.  If you don't have a policy in place that covers data overages then now would be a good time to get one.
    I support around 200 VZW jetpacks for many employees across the nation.  We do not have any kind of MAC filtering in place to try and whitelist our corporate devices and restrict usage.  Instead we have a policy that we make clear to our employees as soon as they receive the device.  Coincidentally we do not have any issues with data overages either.  It's simple, break the policy and risk the corresponding punishments accordingly.  You will have many fewer headaches managing a single BYOD policy than many individual whitelists and MAC addresses.
    The first rule in your policy should be something along the lines of additional overages will be charged back to the employee or the employees account.  Then you let the employee or his manager deal with the costs of their data habits accordingly and stay out of it completely.  Most people are not going to be OK with eating data overages for very long and will learn to curb their habits or find a different way to meet their personal needs.

  • WLC - How to block a single client MAC address?

    Hi Sir,
    On a WLC (software version 4.1.185.0), how to block a single client MAC address?
    I thought of using the SECURITY -> Disabled Clients. Is it right?
    There are currently 250 users connected to the WLC. MAC Filtering is not a scalable solution because as I understand it, we have to specify all the legitimate MAC addresses in the local database.
    Thank you.
    B.Rgds,
    Lim TS

    Hi Lim,
    As you have discovered, the Mac filtering on the WLC is an Allow (based on Mac address) rather than what you need which is a Deny (based on Mac address). I have not tried this feature but I think you are on the right track in using the Exclusion List (Blacklist) feature. Have a look;
    Use SECURITY > AAA > Disabled Client then click New or MONITOR > Clients then click Disable to navigate to this page.
    This page allows you to manually Exclusion List (blacklist) a client by MAC address.
    Add the MAC Address and an optional Client Description for the client to be disabled.
    Note: When you enter a client MAC address to be disabled, the Operating System checks that the MAC address is not one of the known Local Net clients (Local Net Users), Authorized clients (MAC Filtering), or Local Management users (Local Management Users) MAC addresses. If the entered MAC address is on one of these three lists, the Operating System does not allow the MAC address to be manually disabled.
    Hope this helps! Let us know.
    Rob

  • Blocking of complete Vendor MAC Address

    Hi All,
    Is it possible to block or disable a complete vendor MAC - like Apple 7c:6d:62:x:x:x - using wildcards on a Wireless LAN Controller? Background is that the customer's IT department is only allowing the use of one vendor, so every MAC address of another vendor is rogue. If blocking is not possible on the WLC, can I do this on ACS?
    Thx in adv, Michael

    Hi
    if you create a NAR entry on ACS, you can use callerID information (DNIS) which will have the mac address.
    then on ACS, it will support wildcards for all or part of each of the attributes:
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/c.html#wp697209
    so, it should be possible to be done on WLC, if you move the validation into ACS itself.
    Regards
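
An added example, not part of the original thread: auditing a client list against a single approved vendor prefix, the policy described in the question. The approved pattern `00:11:22:*` and the client list are constructed, and the wildcard syntax is Python's `fnmatch`, not ACS NAR syntax. Locally administered addresses are reported separately because their first three octets are not a vendor OUI, so a prefix rule cannot attribute them to any vendor.

```python
import fnmatch
import re

ALLOWED = ["00:11:22:*"]   # constructed placeholder for the one approved vendor prefix
CLIENTS = [                # constructed client list in mixed notations
    "00:11:22:33:44:55",
    "0011.2233.4466",      # Cisco dotted notation
    "7c:6d:62:01:02:03",   # vendor prefix quoted in the question
    "02-11-22-33-44-55",   # locally administered bit set
    "not-a-mac",
]

def normalize(mac):
    """Reduce colon, dash or dotted notation to 12 lowercase hex digits."""
    if not re.fullmatch(r"[0-9A-Fa-f.:\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify(mac, allowed_patterns):
    """Return 'allowed', 'other-vendor' or 'locally-administered' for one MAC."""
    digits = normalize(mac)
    # Bit 0x02 of the first octet marks a locally assigned address.
    if int(digits[:2], 16) & 0x02:
        return "locally-administered"
    for pattern in allowed_patterns:
        # Strip separators from the pattern too, keeping the '*' wildcard.
        if fnmatch.fnmatchcase(digits, re.sub(r"[.:\-]", "", pattern).lower()):
            return "allowed"
    return "other-vendor"

def audit(clients, allowed_patterns):
    """Group client MACs by verdict; unparseable entries land under 'invalid'."""
    report = {}
    for mac in clients:
        try:
            verdict = classify(mac, allowed_patterns)
        except ValueError:
            verdict = "invalid"
        report.setdefault(verdict, []).append(mac)
    return report

if __name__ == "__main__":
    for verdict, macs in audit(CLIENTS, ALLOWED).items():
        print(f"{verdict}: {', '.join(macs)}")
```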

  • ISP blocks my APBS due to various MAC addresses used by the router

    Hi all,
    My Internet provider limits access to Internet over Ethernet cable
    for fixed MAC address(s). That means, I have to inform ISP of the
    only MAC address I'll use to transfer data. In the case ISP detects
    traffic with other MAC addresses on my cable, he blocks any traffic
    at all (until cable unplugged and kind of 30secs are waited).
    My configuration is APBS GigaN with "shared public IP" and with
    MacBookPro connected over embedded WiFi AirPort N card.
    I reported EthernetID of my APBS to ISP, but stuck into the problem
    that all the time router is blocked. It successfully receives
    IP settings from DHCP of provider, and then passes nothing in/out.
    The provider said he can see the packets with different MAC addresses,
    as I understood these MACs are exactly AirportID and EthernetID of
    APBS. Why is it happening so, when "shared public IP" with DHCP
    and NAT are selected? Why MAC address of wireless card of APBS is
    visible to outside? What can I do with it, supposing that provider
    can't fix the case on his side?
    Regards,
    Strim

    kevj is right, your linksys router has 3 MAC addresses and they are all associated with each other.
