ACL
The following scenarios show how to configure WLAN-capable devices to use an access control list so that only stations with the desired MAC addresses are accepted.
Allow List
Description
In this example, a WLAN interface will be created on top of the 2.4GHz radio module in access-point mode. Then, an access control list will be used to decide which stations can connect to the device.
Scenario
Step 1: Set the following configuration in DUT0:

    set controllers wlan radios wifi1 band 2.4GHz
    set controllers wlan radios wifi1 channel 1
    set interfaces bridge br0
    set interfaces wlan wlan4 bridge-group bridge br0
    set interfaces wlan wlan4 phy wifi1
    set interfaces wlan wlan4 type access-point security akm none
    set interfaces wlan wlan4 type access-point ssid network_2.4GHz
Note
By default, when no access list is defined, every station that presents the appropriate credentials is able to connect to the device.
Step 2: Configure the MON device to connect to network_2.4GHz using the following configuration:

    set controllers wlan installation indoor
    set controllers wlan radios wifi0 bandwidth 20MHz
    set interfaces wlan wlan0 phy wifi0
    set interfaces wlan wlan0 type station network 1 bssid 52:5a:65:42:f9:89
    set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
    set system wlan log-level configuration debug
    set interfaces wlan wlan0 address 192.168.100.10/24
    set interfaces wlan wlan0 type station network 1 security akm none
Step 3: Get the MAC address of the wlan0 interface:

    admin@MON$ interfaces wlan wlan0 show detailed

    --------------------------------------------------------------------------------------------------------------
    Name   Idx   IP Address                    Admin  Oper  Link  MTU   Vrf  Upper  Lower  Type  Phys addr
    --------------------------------------------------------------------------------------------------------------
    wlan0  8080  192.168.100.10/24             up     up    up    1500                     wlan  82:a0:f9:6e:bb:90
                 fe80::80a0:f9ff:fe6e:bb90/64
Step 4: Set the following configuration in DUT0:

    set interfaces wlan wlan4 type access-point mac-filter allow-mac 82:a0:f9:6e:bb:90
Note
When the allow-mac command is used, only the stations with the defined MAC addresses will be able to connect to the access point, regardless of the credentials.
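The two notes above describe the whole decision the access point makes: with no list configured every station is admitted, and once at least one allow-mac entry exists only listed stations are admitted. The following is an added example (not code from the original page or from the device's firmware) that models that decision in Python so the behaviour can be checked before it is applied to a live access point. It uses the scenario's own MAC addresses as sample values; the interface name passed to commands() and the list of associated stations in the main block are constructed placeholders. It also goes slightly beyond the page by canonicalizing MAC spellings, because the scenario mixes an upper-case entry (Step 8) with a lower-case station address (Step 3) and a filter that compared them byte-for-byte would silently lock the station out.

```python
import re

# Added example, not part of the original page: a model of the access point's
# MAC allow-list decision as the scenario describes it. MAC values come from
# the scenario; interface names and the associated-station list are constructed.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return a MAC in canonical lowercase colon form.

    Accepts 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' and 'aabb.ccdd.eeff'
    spellings, so an entry typed in upper case and a station address reported
    in lower case compare equal. Rejects anything that is not 12 hex digits.
    """
    digits = mac.strip().lower().replace(":", "").replace("-", "").replace(".", "")
    if not _HEX12.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class MacFilter:
    """Allow-list semantics: an empty list admits every station that satisfies
    the security settings; a non-empty list admits only the listed stations."""

    def __init__(self, allow_macs=()):
        self.allow = {normalize_mac(m) for m in allow_macs}

    def allow_mac(self, mac: str) -> None:
        self.allow.add(normalize_mac(mac))

    def delete_allow_mac(self, mac: str) -> None:
        self.allow.discard(normalize_mac(mac))

    def permits(self, station_mac: str) -> bool:
        if not self.allow:          # no access list defined: default-allow
            return True
        return normalize_mac(station_mac) in self.allow

    def commands(self, ifname: str) -> list:
        """Render the CLI lines that would reproduce this filter on `ifname`."""
        return [
            f"set interfaces wlan {ifname} type access-point mac-filter allow-mac {m}"
            for m in sorted(self.allow)
        ]


def stations_dropped(flt: MacFilter, associated) -> list:
    """Pre-change check: which currently associated stations would lose access
    once `flt` is applied. Worth running before committing a filter on a live AP."""
    return sorted(m for m in associated if not flt.permits(m))


def run_scenario() -> dict:
    """Walk through the scenario's three states and record the outcome for MON."""
    mon = "82:a0:f9:6e:bb:90"                      # MON's wlan0 address (Step 3)
    flt = MacFilter()
    out = {"no_list": flt.permits(mon)}            # Step 1: no list configured
    flt.allow_mac(mon)                             # Step 4: MON is allowed
    out["allowed"] = flt.permits(mon.upper())      # spelling must not matter
    flt.delete_allow_mac(mon)                      # Step 8: MON replaced by
    flt.allow_mac("5A:5B:46:A7:89:0C")             # an address that is not MON
    out["other_mac"] = flt.permits(mon)
    return out


if __name__ == "__main__":
    print(run_scenario())
    # Constructed list of associated stations: shows who is cut off once only
    # 5A:5B:46:A7:89:0C is allowed, and the CLI lines that produce that state.
    f = MacFilter(["5A:5B:46:A7:89:0C"])
    print(stations_dropped(f, ["82:a0:f9:6e:bb:90", "5a:5b:46:a7:89:0c"]))
    print("\n".join(f.commands("wlan4")))
```

The permits() method is the only place the policy lives: the empty-list case is default-allow, which is why Step 1 alone does not restrict anyone and the restriction appears only once the first allow-mac line is committed. Because the list admits stations "regardless of the credentials", it controls association but does not authenticate the station, so in practice it is paired with a real security mode rather than used in place of one.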
Step 5: Set the following configuration in DUT0:

    set interfaces bridge br0 address 192.168.100.1/24
Step 6: Configure the MON device to connect to network_2.4GHz using the following configuration:

    set controllers wlan installation indoor
    set controllers wlan radios wifi0 bandwidth 20MHz
    set interfaces wlan wlan0 phy wifi0
    set interfaces wlan wlan0 type station network 1 bssid 52:5a:65:42:f9:89
    set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
    set system wlan log-level configuration debug
    set interfaces wlan wlan0 address 192.168.100.10/24
    set interfaces wlan wlan0 type station network 1 security akm none
Step 7: Ping IP address 192.168.100.1 from MON:

    admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1

    PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
    64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=11.7 ms
    64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=18.3 ms

    --- 192.168.100.1 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 3ms
    rtt min/avg/max/mdev = 11.701/14.999/18.297/3.298 ms
Step 8: Set the following configuration in DUT0:

    delete interfaces wlan wlan4 type access-point mac-filter allow-mac 82:a0:f9:6e:bb:90
    set interfaces wlan wlan4 type access-point mac-filter allow-mac 5A:5B:46:A7:89:0C
Note
Configuring the MAC address 5A:5B:46:A7:89:0C, which does not belong to MON, will prevent MON from connecting to DUT0.
Step 9: Expect a failure in the following command:

Configure the MON device to connect to network_2.4GHz using the following configuration:

    set controllers wlan installation indoor
    set controllers wlan radios wifi0 bandwidth 20MHz
    set interfaces wlan wlan0 phy wifi0
    set interfaces wlan wlan0 type station network 1 bssid 52:5a:65:42:f9:89
    set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
    set system wlan log-level configuration debug
    set interfaces wlan wlan0 address 192.168.100.10/24
    set interfaces wlan wlan0 type station network 1 security akm none