Acl

The following scenarios show how to configure WLAN-capable devices to use an access control list that only accepts stations with the desired MAC addresses.

../../../_images/wlanacl.svg

Allow List

Description

In this example, a WLAN interface will be created on top of the 2.4GHz radio module in access-point mode. Then, an access control list will be used to decide which station can connect to the device.

Scenario

Step 1: Run command configure at DUT0 and expect this output: Step 2: Run command delete interfaces wlan at DUT0 and expect this output:

Show output
Nothing to delete (the specified node does not exist)

Step 3: Run command delete controllers wlan at DUT0 and expect this output:

Show output
Nothing to delete (the specified node does not exist)

Step 4: Run command commit at DUT0 and expect this output: Step 5: Set the following configuration in DUT0:

set controllers wlan radios wifi1 band 2.4GHz
set controllers wlan radios wifi1 channel 1
set interfaces bridge br0
set interfaces wlan wlan4 bridge-group bridge br0
set interfaces wlan wlan4 phy wifi1
set interfaces wlan wlan4 type access-point security akm none
set interfaces wlan wlan4 type access-point ssid network_2.4GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

By default, when no access list is defined, all stations with the appropiate credentials will be able to connect to the device.

Step 6: Configure the MON device to connect to network_2.4GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi0 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi0
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c6:f4:7c
set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm none

Step 7: Get the MAC address of the wlan0 interface:

admin@MON$ interfaces wlan wlan0 show detailed
Show output
--------------------------------------------------------------------------------------------------------------
Name   Idx            IP Address           Admin  Oper  Link  MTU   Vrf  Upper  Lower  Type      Phys addr
--------------------------------------------------------------------------------------------------------------
wlan0  2733  192.168.100.10/24             up     up    up    1500                     wlan  a2:a0:f9:6e:e1:b0
             fe80::a0a0:f9ff:fe6e:e1b0/64

Step 8: Modify the following configuration lines in DUT0:

set interfaces wlan wlan4 type access-point mac-filter allow-mac 'a2:a0:f9:6e:e1:b0'

Note

When the allow-mac command is used, only the stations with the defined MAC addresses will be able to connect to the access point (regardless of credentials).

Step 9: Set the following configuration in DUT0:

set controllers wlan radios wifi1 band 2.4GHz
set controllers wlan radios wifi1 channel 1
set interfaces bridge br0 address 192.168.100.1/24
set interfaces wlan wlan4 bridge-group bridge br0
set interfaces wlan wlan4 phy wifi1
set interfaces wlan wlan4 type access-point mac-filter allow-mac 'a2:a0:f9:6e:e1:b0'
set interfaces wlan wlan4 type access-point security akm none
set interfaces wlan wlan4 type access-point ssid network_2.4GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 10: Configure the MON device to connect to network_2.4GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi0 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi0
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c6:f4:7c
set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm none

Step 11: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=10.2 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=7.05 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 7.054/8.644/10.234/1.590 ms

Step 12: Run command configure at DUT0 and expect this output: Step 13: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output: Step 14: Run command set interfaces bridge br0 at DUT0 and expect this output: Step 15: Run command commit at DUT0 and expect this output: Step 16: Modify the following configuration lines in DUT0:

delete interfaces wlan wlan4 type access-point mac-filter allow-mac 'a2:a0:f9:6e:e1:b0'
set interfaces wlan wlan4 type access-point mac-filter allow-mac '5A:5B:46:A7:89:0C'

Note

Configuring the invalid 5A:5B:46:A7:89:0C MAC address will prevent MON from connecting to DUT0

Step 17: Expect a failure in the following command: Configure the MON device to connect to network_2.4GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi0 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi0
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c6:f4:7c
set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm none