MAC Access Control List / MAC Authentication


MAC Authentication is a feature supported by cnPilot™ ePMP1000 Hotspot/E400/E500 Wi-Fi products. It is a mechanism to authorize a wireless station that tries to associate with an Access Point (AP).

The following options are supported by MAC Authentication:

  • Permit
    • If this option is selected:
      • Wireless stations whose MAC addresses are listed are allowed to associate with the AP. Following is the screenshot of the wireless frames exchanged between the AP and the wireless station:
      • Wireless stations whose MAC addresses are not listed are de-authenticated from the AP. Wireless station entries that are disassociated or de-authenticated due to the MAC Access Control List (ACL) or MAC authentication are displayed in the UI under Troubleshoot -> Unconnected Clients. Following is the screenshot of the wireless frames exchanged between the AP and the wireless station:

  • Deny
    • This option is set as default. It allows all wireless stations to associate with the AP.
    • When the user configures a MAC address, that wireless station is denied association, and stations with non-listed MAC addresses are allowed.

  • RADIUS
    • The wireless station's MAC address is authenticated using a RADIUS server. If access is denied, the AP transmits a disassociation or de-authentication frame to the wireless station with reason code 0x01.
    • The user can select the MAC address format that is sent to the RADIUS server. The following parameters are available to select the MAC address format:
      • Delimiter
        • By default, no delimiter is used by the AP.
        • The user can select a supported delimiter to match the one configured on the RADIUS server.
        • Both “:” (colon) and “-” (hyphen) are supported as delimiters.
      • Upper Case
        • This is disabled by default.
        • If selected, the AP transmits the MAC address in upper-case letters.
      • Password
        • By default, this is selected and the AP sends the MAC address as both username and password to the RADIUS server.

Note:

  • The customer should update the USERS file on the RADIUS server with an account for each wireless station MAC address.
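
The following Python code is an added example, not part of the original page or the vendor's software. It formats station MAC addresses according to the Delimiter and Upper Case options described above, generates matching users-file accounts, and flags existing accounts whose spelling differs from what the AP will send. It assumes a FreeRADIUS-style users file (`Cleartext-Password`) and that the AP sends lower-case hex when Upper Case is disabled; the function names and sample MAC addresses are constructed for illustration.

```python
import re

def normalize_mac(raw):
    """Return 12 lower-case hex digits from bare, ':'-, '-'- or '.'-separated input."""
    digits = re.sub(r"[:.\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits.lower()

def ap_username(raw, delimiter="", upper_case=False):
    """Format a MAC per the AP options: delimiter '' (default), ':' or '-'; optional upper case."""
    if delimiter not in ("", ":", "-"):
        raise ValueError("delimiter must be '', ':' or '-'")
    digits = normalize_mac(raw)
    name = delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))
    return name.upper() if upper_case else name

def users_entries(macs, delimiter="", upper_case=False):
    """Users-file lines with the MAC as both username and password (Password option on)."""
    names = []
    for raw in macs:
        name = ap_username(raw, delimiter, upper_case)
        if name not in names:          # skip duplicates of the same station
            names.append(name)
    return [f'{n} Cleartext-Password := "{n}"' for n in names]

def mismatched_entries(users_text, delimiter="", upper_case=False):
    """Find MAC-style accounts whose spelling differs from what the AP will send."""
    bad = []
    for line in users_text.splitlines():
        if not line or line[0] in " \t#":
            continue                   # blank, continuation or comment line
        name = line.split()[0]
        try:
            expected = ap_username(name, delimiter, upper_case)
        except ValueError:
            continue                   # not a MAC account (e.g. DEFAULT)
        if name != expected:
            bad.append((name, expected))
    return bad

# Constructed sample data (locally administered MAC addresses, not from the page).
SAMPLE_USERS = (
    '# MAC accounts\n'
    '02:00:5E:10:00:01 Cleartext-Password := "02:00:5E:10:00:01"\n'
    '02005e100002 Cleartext-Password := "02005e100002"\n'
    'DEFAULT Auth-Type := Reject\n'
)

if __name__ == "__main__":
    print("\n".join(users_entries(["02-00-5E-10-00-01", "02005e100002"])))
    print(mismatched_entries(SAMPLE_USERS))   # AP defaults: no delimiter, lower case
```

An account reported by `mismatched_entries` would be rejected by the RADIUS server even though the station is meant to be authorized, because the username the AP sends does not match the stored one.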

 

If a wireless station is denied due to MAC ACL or MAC authentication, it is displayed under Troubleshoot -> Unconnected Clients with the message “Denied due to MAC ACL”.

[Screenshot: Troubleshoot-MACAUTH.jpg]

Configuration Steps

  • Navigate to Configuration -> WLAN -> Access
  • Select the MAC Authentication Policy:
    • Permit
      • Enter the MAC address separated by “:” (colon) or “-” (hyphen).
      • Use upper-case or lower-case letters for the wireless station MAC address based on the RADIUS server configuration.
    • Deny
      • Enter the MAC address separated by “:” (colon) or “-” (hyphen).
      • Use upper-case or lower-case letters for the wireless station MAC address based on the RADIUS server configuration.
    • RADIUS
      • Select the delimiter as configured on the RADIUS server. If no delimiter is chosen, the AP sends the username/password without any delimiter. The AP supports “:” (colon) and “-” (hyphen) as delimiters.
      • By default, PASSWORD is selected, which indicates that the AP sends the station MAC address as both username and password to the RADIUS server.
  • Save the configuration