ACL on IOS AP
It is possible not only to require authentication on your AP, but also to add filters (ACLs) for a more secure environment.
There are different kinds of ACLs:
Standard: standard ACLs are numbered from 1 to 99.
access-list 10 deny host 10.10.10.10
! Deny host 10.10.10.10 to access the network completely.
access-list 10 permit any
! The rest of the devices may connect.
int dot11Radio 0
ip access-group 10 in
! The access-list must be applied to an interface, either inbound (in) or outbound (out).
You can also name an access-list:
ip access-list standard LAB
deny host 10.10.10.10
permit any
! Every ACL ends with an implicit deny, so without the permit any all other hosts would be blocked too.
And bind this access-list to the interface (inbound or outbound).
There are also extended access lists:
Extended: numbered from 100 to 199, and they can also filter on protocol and port.
access-list 101 permit tcp any any eq telnet
access-list 101 deny ip any any
access-list 101 permit tcp host 10.10.10.10 any eq www
This access list is NOT going to work: notice the deny ip any any rule before the permit www line. An ACL is evaluated top-down and the first matching line wins, so the www entry is never reached.
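To show why the ordering matters, here is an added Python model of Cisco ACL evaluation (top-down, first match wins, implicit deny at the end, wildcard masks); it is not part of the original page. It parses the three ACL 101 lines above and checks a constructed packet from 10.10.10.10 to 192.0.2.1 (a documentation address) on port 80 against the list as written and against the corrected order.

```python
import ipaddress
PORT_NAMES = {"telnet": 23, "www": 80}  # port names the page's ACL uses
def ip_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    t = tokens.pop(0)
    if t == "any":
        return ("0.0.0.0", "255.255.255.255")
    if t == "host":
        return (tokens.pop(0), "0.0.0.0")
    return (t, tokens.pop(0))

def parse_ace(line: str) -> dict:
    """Parse one extended ACE such as 'access-list 101 permit tcp any any eq www'."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]  # drop 'access-list <number>'
    action, proto = tokens.pop(0), tokens.pop(0)
    src, dst = _take_addr(tokens), _take_addr(tokens)
    dport = None
    if tokens[:1] == ["eq"]:
        dport = PORT_NAMES.get(tokens[1], int(tokens[1]) if tokens[1].isdigit() else None)
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, dst, dport=None):
    """Top-down, first match wins; every ACL ends with an implicit deny."""
    for n, ace in enumerate(map(parse_ace, acl), start=1):
        if ace["proto"] not in ("ip", proto):
            continue
        if not (ip_matches(src, *ace["src"]) and ip_matches(dst, *ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], n  # action and the line number that matched
    return "deny", None  # implicit deny any any

ACL_101_AS_WRITTEN = [
    "access-list 101 permit tcp any any eq telnet",
    "access-list 101 deny ip any any",
    "access-list 101 permit tcp host 10.10.10.10 any eq www",
]
ACL_101_FIXED = [ACL_101_AS_WRITTEN[i] for i in (0, 2, 1)]  # deny moved to the end
if __name__ == "__main__":
    # Constructed packet: 10.10.10.10 opening a web session to 192.0.2.1 (TEST-NET-1).
    print(evaluate(ACL_101_AS_WRITTEN, "tcp", "10.10.10.10", "192.0.2.1", 80))  # ('deny', 2)
    print(evaluate(ACL_101_FIXED, "tcp", "10.10.10.10", "192.0.2.1", 80))  # ('permit', 2)
```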
MAC based: use the range 700 to 799.
access-list 700 permit 0000.1111.2222 0000.0000.0000
! The 0000.0000.0000 is the wildcard mask; all-zero bits must match, so this line matches exactly one MAC address.
To use this access-list you can apply it globally with the command:
dot11 association mac-list 700
or bind it to a subinterface (Radio and/or FastEthernet):
bridge-group 1 input-address-list 701
! 701 must be another MAC access-list defined in the 700 to 799 range.
All of these ACLs can be time-based:
First you define the time range during which the ACL is active:
time-range LABTIME
periodic weekdays 6:00 to 23:00
periodic Sunday 7:00 to 22:00
! The periodic entries are sub-commands of the time-range, so the time-range line is required.
And you add this to the ACL:
access-list 101 permit tcp any any eq telnet time-range LABTIME