Acl

The following scenarios show how to configure WLAN-capable devices to use an access control list that only accepts stations with the desired MAC addresses.

../../../_images/wlanacl.svg

Allow List

Description

In this example, a WLAN interface will be created on top of the 2.4GHz radio module in access-point mode. Then, an access control list will be used to decide which station can connect to the device.

Scenario

Step 1: Run command configure at DUT0 and expect this output: Step 2: Run command delete interfaces wlan at DUT0 and expect this output:

Show output
Nothing to delete (the specified node does not exist)

Step 3: Run command delete controllers wlan at DUT0 and expect this output:

Show output
Nothing to delete (the specified node does not exist)

Step 4: Run command commit at DUT0 and expect this output: Step 5: Set the following configuration in DUT0:

set controllers wlan radios wifi1 band 2.4GHz
set controllers wlan radios wifi1 channel 1
set interfaces bridge br0
set interfaces wlan wlan4 bridge-group bridge br0
set interfaces wlan wlan4 phy wifi1
set interfaces wlan wlan4 type access-point security akm none
set interfaces wlan wlan4 type access-point ssid network_2.4GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Note

By default, when no access list is defined, all stations with the appropiate credentials will be able to connect to the device.

Step 6: Configure the MON device to connect to network_2.4GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi0 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi0
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f1
set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm none

Step 7: Get the MAC address of the wlan0 interface:

admin@MON$ interfaces wlan wlan0 show detailed
Show output
--------------------------------------------------------------------------------------------------------------
Name   Idx            IP Address           Admin  Oper  Link  MTU   Vrf  Upper  Lower  Type      Phys addr
--------------------------------------------------------------------------------------------------------------
wlan0  3924  192.168.100.10/24             up     up    up    1500                     wlan  22:a0:f9:6e:e1:a0
             fe80::20a0:f9ff:fe6e:e1a0/64

Step 8: Modify the following configuration lines in DUT0:

set interfaces wlan wlan4 type access-point mac-filter allow-mac '22:a0:f9:6e:e1:a0'

Note

When the allow-mac command is used, only the stations with the defined MAC addresses will be able to connect to the access point (regardless of credentials).

Step 9: Set the following configuration in DUT0:

set controllers wlan radios wifi1 band 2.4GHz
set controllers wlan radios wifi1 channel 1
set interfaces bridge br0 address 192.168.100.1/24
set interfaces wlan wlan4 bridge-group bridge br0
set interfaces wlan wlan4 phy wifi1
set interfaces wlan wlan4 type access-point mac-filter allow-mac '22:a0:f9:6e:e1:a0'
set interfaces wlan wlan4 type access-point security akm none
set interfaces wlan wlan4 type access-point ssid network_2.4GHz
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'

Step 10: Configure the MON device to connect to network_2.4GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi0 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi0
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f1
set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm none

Step 11: Ping IP address 192.168.100.1 from MON:

admin@MON$ ping 192.168.100.1 count 2 size 56 timeout 1
Show output
PING 192.168.100.1 (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=11.4 ms
64 bytes from 192.168.100.1: icmp_seq=2 ttl=64 time=6.82 ms

--- 192.168.100.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 6.820/9.099/11.379/2.281 ms

Step 12: Run command configure at DUT0 and expect this output: Step 13: Run command delete interfaces bridge br0 address 192.168.100.1/24 at DUT0 and expect this output: Step 14: Run command set interfaces bridge br0 at DUT0 and expect this output: Step 15: Run command commit at DUT0 and expect this output: Step 16: Modify the following configuration lines in DUT0:

delete interfaces wlan wlan4 type access-point mac-filter allow-mac '22:a0:f9:6e:e1:a0'
set interfaces wlan wlan4 type access-point mac-filter allow-mac '5A:5B:46:A7:89:0C'

Note

Configuring the invalid 5A:5B:46:A7:89:0C MAC address will prevent MON from connecting to DUT0

Step 17: Expect a failure in the following command: Configure the MON device to connect to network_2.4GHz using the following configuration:

set controllers wlan installation indoor
set controllers wlan radios wifi0 bandwidth 20MHz
set interfaces wlan wlan0 phy wifi0
set interfaces wlan wlan0 type station network 1 bssid 12:68:38:c7:21:f1
set interfaces wlan wlan0 type station network 1 ssid network_2.4GHz
set system wlan log-level configuration debug
set interfaces wlan wlan0 address 192.168.100.10/24
set interfaces wlan wlan0 type station network 1 security akm none