MAC Bind List in cnPilot E400

The MAC bind list allows restricting a client to get a specific IP address from the AP. But it cannot restrict a client in case of a manually configured IP address. Moreover, those clients whose MAC address is not listed in the bind list automatically receive a DHCP IP address. Hence, an explicit deny action would restrict this action of assigning an IP address to unlisted client devices. In that case, any client without an entry in the MAC bind list will not be able to connect to Wi-Fi either by DHCP IP address or manually configured IP address.

I went through the options and found two restrictions on MAC. In one option, the onboard DHCP server IP address can be bound to the MAC address of mobile devices. In the other option, MAC association with the WLAN can be restricted with an authentication policy by the deny, permit, radius and cnMaestro options. But I have not tested whether the explicit deny statement works in case of any device apart from the permitted MAC addresses, and how. Now, I want to know whether we can include the same deny statement in the onboard DHCP server also, which will restrict the DHCP users without configuring the WLAN MAC authentication policy. It will be helpful if anyone who has already done this configuration can share their experience.

Hi,

  1. Your observations and images shared are absolutely correct.
  2. At present, there is no option to deny a client with the onboard DHCP server configured on the AP at the DHCP state of the client.

Just confirmed both features. In case of the MAC authentication policy under WLAN, there are four options available, as I have mentioned. Any applied authentication policy, whether it is permit, deny, radius or cnMaestro, is always followed by an explicit exclusion for the rest without any additional configuration. This imposes a restriction on joining the Wi-Fi AP. In case of Network, DHCP server option in router mode, the MAC bind list can be utilized, which ensures the same IP address is assigned to a specific user even if it gets the IP address from the DHCP server each time it connects to the Wi-Fi AP.

I want to achieve the same as you, but I am not so clear because your example is not using cnMaestro

INFO:

-cloud cnMaestro

-AP cnPilot e400

GOAL:

1. From WLAN or LAN, the DHCP server in the AP only gives an IP to permitted MAC addresses.

In Mikrotik, I can do that by using MAC IP binding and setting the DHCP server pool to static only

I want to prevent users who know the wifi password from connecting to my AP

QUESTIONS:

1. how to do the same in cnMaestro

tq

Hello nbctcp,

The requirement stated below can be achieved by using cnMaestro MAC Authentication and the DHCP server defined on the AP.

Please configure the device as follows:

Please let me know if you have any query.

Thank You.

Do you mean

1. set MacAuthentication to cnMaestro

like below pict

2018-10-09 15_14_35-Window.png

2. create some Access Control List

-1 Permit In MAC Source MAC Address

permit only allowed mac address in incoming direction

-2 Permit In MAC Source MAC Address

-3 Deny In MAC (empty Source or Destination MAC Address)

I mean deny all

2018-10-09 15_20_29-Window.png

  • Step 1 is correct.
  • Step 2 is incorrect. Please do the following:
    • Login to cnMaestro
    • Navigate to below section
    • Add default rule to DENY
    • Add all client MAC address to ALLOW which you wish to connect.

Please let me know if you have any queries.

Thank You.

Sorry, I was not able to reply to your query. But I hope you got your solution. Please note there is a difference between Association ACL and MAC ACL. The former is used to allow or deny a client to associate with the WLAN facility, which in general is used on wireless networks, whereas the latter is used to restrict access into your system, which could be applied on wired or wireless networks after association. If I am wrong, I request the admin to correct me.

I have checked this feature on the E400 with cnMaestro. I got the desired result if I apply Association MAC ACL and Static MAC binding simultaneously. Association MAC ACL ensures only allowed MACs on the WLAN, whereas Static MAC binding ensures the predefined static IP is configured on the allowed MAC only. That's all.

I already followed your steps

1. select cnMaestro in WLAN/Access Control/Mac Authentication

2. Configuration/Association ACL

put all user MAC address

PROBLEMS

1. I set Deny for my handphone but I am still able to connect

2. I can't sort Association ACL by Description

This is causing a problem for me too, because if my devices have two MACs and the first one starts with 0, then it will appear at the beginning

What I want is to sort by description so that all my devices will be grouped together

Please fix

3. my ticket 171805 has not been updated since 3 days ago

tq

You need to do the following to resolve your issues-

1. You need to apply default access as deny, which ensures all other MACs except the allowed ones are denied.

2. You can add a description as per your requirement. In general, whenever any ACL is applied you cannot alter any line under the ACL. I have experienced this on the Motorola (now Extreme Networks) system also. There also we could not sort on the basis of description, as each entry has a MAC entry number.

In case of cnMaestro you can export the association ACL in CSV format, where you can sort based on description.

I hope the Cambium team will be able to shed more light on point number 2 than me.
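
An added example, not part of the original post and not Cambium's code: one way to work with an exported Association ACL offline, grouping entries by description and flagging MACs that appear with conflicting actions. The column names (`mac`, `action`, `description`) and the sample rows are assumptions constructed for illustration; adjust them to the actual export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample standing in for an exported Association ACL.
# Column names are assumed, not taken from cnMaestro's export format.
SAMPLE_CSV = """mac,action,description
00-1A-2B-3C-4D-5E,allow,Alice laptop
a4:5e:60:aa:bb:cc,allow,Bob phone
001a.2b3c.4d5f,allow,Alice phone
A4:5E:60:AA:BB:CC,deny,Bob phone (old entry)
zz:zz,allow,Broken row
"""

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated hex, or None if malformed."""
    hexpart = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexpart):
        return None
    return ":".join(hexpart[i:i + 2] for i in range(0, 12, 2))

def load_acl(text):
    """Parse the CSV text; return (valid entries, rows rejected for a bad MAC)."""
    entries, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        if mac is None:
            rejected.append(row)
            continue
        entries.append({"mac": mac, "action": row["action"].strip().lower(),
                        "description": row["description"].strip()})
    return entries, rejected

def sorted_by_description(entries):
    """Group a user's devices together regardless of how their MACs sort."""
    return sorted(entries, key=lambda e: (e["description"].lower(), e["mac"]))

def conflicting_macs(entries):
    """MACs listed more than once with different actions (e.g. allow and deny)."""
    actions = defaultdict(set)
    for e in entries:
        actions[e["mac"]].add(e["action"])
    return sorted(m for m, a in actions.items() if len(a) > 1)

if __name__ == "__main__":
    entries, rejected = load_acl(SAMPLE_CSV)
    for e in sorted_by_description(entries):
        print(f'{e["description"]:<24} {e["mac"]}  {e["action"]}')
    print("conflicting:", conflicting_macs(entries))
    print("rejected rows:", len(rejected))
```
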

I already set Default Access/Deny as well as my handphone MAC address Deny, but I can still connect my handphone

2018-12-19 23_02_18-cnMaestro™ - Opera.png

YOU DON’T NEED TO DENY YOUR MAC SEPARATELY. DEFAULT DENY WILL AUTOMATICALLY DENY ANY MAC WHICH IS NOT LISTED ON THE ACL. PLEASE REMOVE YOUR MAC FROM THE LIST, LEAVING THE ALLOWED MACS. EVEN IF YOU LEAVE YOUR WI-FI NETWORK OPEN, USERS OUTSIDE THE LIST WILL NOT BE ABLE TO ASSOCIATE WITH YOUR WLAN.

MOREOVER, IS YOUR AP IN SYNC WITH THE CONTROLLER? OTHERWISE THE ACL WILL NOT BE APPLIED ON THE INCOMING ASSOCIATION REQUESTS TO THE AP.

Tried

1. deny my handphone

2. delete my handphone

In both cases my handphone can still connect

No sync error is shown in the top right window, but I can't see my AP Group name in Sync Configuration

This is actually a simple task

I don't know why it is so difficult to achieve

I prefer not to delete the user MAC ACL because I want to temporarily disable a user from connecting to my wifi.

If I delete it then I need to create the user MAC manually

If Cambium wants to test my cnMaestro, I can share my Cambium ID or email

tq

Please send me a private message and I will help you with your requirement.

Thank You.

Have you sent a private message to CAM_TSK Moderator as requested by him?

If you want, I can take remote of your controller to understand the issue, which may be helpful in the end.

But it is up to you. You can share the same in a private message if you are willing to take any kind of assistance.

Moreover, I do believe Cambium Networks' support is very swift, strong and effective to date.