★ V7 AC black and white list function based on SSID or AP

2023-03-21 01:51:48 Published

Network Topology

1. Configuration requirements and instructions

1.1 Applicable product series:

Wireless controllers from V7 platform after version 54xx, including: WX18H, WX28H, WX38H, WX58H series AC.

 

1.2 Configuration Requirements and Implementation Effects:

  • On the V7 platform before version 54xx, access to an SSID can be restricted to certain client MAC addresses by applying MAC authentication to the SSID, but specific MAC addresses cannot be blocked from accessing the SSID.
  • On the V7 platform after version 54xx, specific MAC addresses can be restricted from accessing the internet by applying a Layer 2 ACL in the service template view or the AP view.

2. Network Topology

Configuration Steps

1. CLI Mode

1.1 Create a Layer 2 ACL 4000 to allow access only to clients with MAC address 0000-0000-0001

<H3C>system-view

[H3C]acl mac 4000

[H3C-acl-mac-4000] rule 0 permit source-mac 0000-0000-0001 ffff-ffff-ffff

[H3C-acl-mac-4000] rule 2 deny

[H3C-acl-mac-4000] quit

1.2 Create a Layer 2 ACL 4001 to deny access only to clients with MAC address 0000-0000-0002

[H3C]acl mac 4001

[H3C-acl-mac-4001] rule 0 deny source-mac 0000-0000-0002 ffff-ffff-ffff

[H3C-acl-mac-4001] rule 2 permit

[H3C-acl-mac-4001] quit

1.3 Apply ACL 4000 in the wireless service template view or the AP view

Method 1: Apply the ACL in the service template view

[H3C] wlan service-template 1

[H3C-wlan-st-1] access-control acl 4000

[H3C-wlan-st-1]quit

Method 2: Apply the ACL in the AP view

[H3C] wlan ap 1

[H3C-wlan-ap-1] access-control acl 4000

[H3C-wlan-ap-1]quit


2. WEB Mode // WEB page paths may differ between versions

2.1 Create a Layer 2 ACL 4000 to allow access only to clients with MAC address 0000-0000-0001

#Click on "System" > "Resource" > "Layer 2 ACL" in the page navigation bar and click on the "plus" button to create a Layer 2 ACL 4000.


# Create a rule for ACL 4000, start adding the rule and click "Apply".


# Create two rules in ACL 4000. For the first rule, set the rule number to 0 (or choose auto-numbering), select "source MAC address/mask" as the match criterion, enter 0000-0000-0001 as the source MAC with an all-F mask, select "Continue to add next rule", and click "Apply".


# After all the MAC addresses that should be allowed have been added, create a final rule that denies all other clients. Give it as large a rule number as practical, to leave room for the MAC addresses of access terminals added later; this example uses 1000, so adjust it to the number of access terminals in your own network. Select "deny" as the action, clear the "Continue to add next rule" check box, and click "Apply".



2.2 Apply ACL 4000 in the wireless service template

# Click "Wireless Configuration" > "Wireless Network" on the left navigation bar, click the "Edit" button on the right side of the page, select "Access Control", choose the previously configured Layer 2 ACL number "4000", and click "Apply".


2.3 Save Configuration


2.4 Add new MAC address of the access client

# Click on the "plus" button on the left to continue adding rules


# Uncheck "Auto-numbered" for the rule number and enter the number manually. Note: it must be smaller than the number of the final deny rule. Uncheck "Continue to add next rule" and click "Apply" to finish.



Key Configuration

1. ACL-based access control has a higher priority than list-based access control, and it is recommended to use the two types of access control separately. If both types are configured at the same time and no wireless client access control rules are configured on the device, wireless client access is controlled according to the list-based access control rules.

2. When you configure a deny rule in an ACL to deny access to specified clients, configure a permit rule after the deny rule to allow all clients to access; otherwise, no clients will be able to access.

3. The priority of the configuration in AP view is higher than the configuration in wireless service template view. 

4. ACL-based access control matches only Layer 2 ACL rules that specify a source MAC address.
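
The rule ordering behind ACL 4000, ACL 4001 and Key Configuration item 2, as an added example that is not H3C's code: a small Python evaluator that applies the rules in ascending rule-number order (the default match order is assumed), treats a client that matches no rule as refused (an assumption taken from item 2), and flags rule sets that lock clients out. The function names and the deny-only ACL are constructed for illustration.

```python
import re

RULE_RE = re.compile(r"rule\s+(\d+)\s+(permit|deny)"
                     r"(?:\s+source-mac\s+([0-9a-fA-F-]+)\s+([0-9a-fA-F-]+))?\s*$")

# ACL 4000 and 4001 as configured on this page, plus a constructed
# deny-only ACL showing the mistake from Key Configuration item 2.
ACL_4000 = """rule 0 permit source-mac 0000-0000-0001 ffff-ffff-ffff
rule 2 deny"""
ACL_4001 = """rule 0 deny source-mac 0000-0000-0002 ffff-ffff-ffff
rule 2 permit"""
ACL_DENY_ONLY = "rule 0 deny source-mac 0000-0000-0002 ffff-ffff-ffff"

def mac_to_int(mac):
    """Convert H3C notation (0000-0000-0001) to a 48-bit integer."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)

def parse_acl(text):
    """Return (rule_id, action, mac, mask) tuples sorted by rule ID."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            rid, action, mac, mask = m.groups()
            # A rule without source-mac matches every client (mask 0).
            rules.append((int(rid), action, mac_to_int(mac) if mac else 0,
                          mac_to_int(mask) if mask else 0))
    return sorted(rules)

def decide(rules, client_mac):
    """Return (action, rule_id) of the first rule that matches the client."""
    client = mac_to_int(client_mac)
    for rid, action, mac, mask in rules:
        if (client & mask) == (mac & mask):
            return action, rid
    # Assumption taken from Key Configuration item 2: no match, no access.
    return "deny", None

def audit(rules):
    """Report rule sets that lock out clients unintentionally."""
    findings = []
    if rules and all(action == "deny" for _, action, _, _ in rules):
        findings.append("no permit rule: every client is refused")
    catch_all = [rid for rid, _, _, mask in rules if mask == 0]
    if catch_all and catch_all[0] != rules[-1][0]:
        findings.append(f"rule {catch_all[0]} matches all clients; later rules never apply")
    return findings
```

Running `audit(parse_acl(...))` on the rule lines of an ACL before applying it to a service template or AP catches a missing trailing permit, or a catch-all rule numbered ahead of the MAC-specific rules.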
