The station rules define which WLAN clients can associate with the WLAN networks of the APs that are centrally managed by the WLC. Furthermore, the method offers a convenient way to give each WLAN client an individual authentication passphrase and a VLAN ID.
To use the station rules, it is imperative that the RADIUS server is activated in the WLC under RADIUS. As an alternative, requests can be forwarded to another RADIUS server. More information on RADIUS is available under .
For every logical WLAN in which WLAN clients are authenticated by RADIUS, the MAC check has to be activated.
- MAC address
- MAC address of the WLAN client for this entry. The following entries are possible:
- Individual MAC address
- A MAC address in the format 00a057112233, 00-a0-57-11-22-33 or 00:a0:57:11:22:33.
- Wildcards
- The wildcards '*' and '?' are used to specify MAC address ranges, e.g. 00a057*, 00-a0-57-11-??-?? or 00:a0:??:11:*.
- Vendor ID
- The device contains a list of the major manufacturer OUIs (organizationally unique identifier). The MAC address range is valid if this entry matches the first three bytes of the MAC address of the WLAN client.
Note: It is possible to use wildcards.
- SSID pattern
- WLAN clients with the corresponding MAC addresses have access that is limited to this SSID.
Note: The use of wildcards makes it possible to allow access to multiple SSIDs.
- Name
- You can enter any name you wish and a comment for any WLAN client. This enables you to assign MAC addresses more easily to specific stations or users.
- Passphrase
- Here you may enter a separate passphrase for each physical address (MAC address) that is used in an 802.11i/WPA/AES-PSK-secured network. If no separate passphrase is specified for this MAC address, the passphrases stored in the 802.11i/WEP area will be used for each logical wireless LAN network.
- TX bandwidth limit
- Transmission-bandwidth restriction for WLAN clients currently authenticating themselves. A WLAN device in client mode communicates its setting to the AP when logging on. The AP then uses these two values to set the minimum bandwidth.
- RX bandwidth limit
- Reception-bandwidth restriction for WLAN clients currently authenticating themselves. A WLAN device in client mode communicates its setting to the AP when logging on. The AP then uses these two values to set the minimum bandwidth.
Note: The RX bandwidth restriction is only active for WLAN devices in client mode. This value is not used by normal WLAN clients.
- Comment
- You can enter a comment here.
- VLAN-ID
- The ID of the VLAN that this client belongs to. Consequently the client can only be reached by packets originating from the same VLAN. Packets sent by the client are marked with this VLAN ID. You only need to set this value if you want this client to belong to a different VLAN than the logical WLAN (SSID) that it is connected to. Valid VLAN IDs are in the range 0 to 4094. 0 means that the client belongs to the VLAN of its logical WLAN (SSID), if this belongs to a VLAN at all.
Important: If you use IPv6, or if multicast is operating on a VLAN, different group keys must be assigned to the different VLANs of an SSID. Otherwise the different multicasts are not assigned to the correct clients. When using IPv6, for example, clients are informed of IPv6 prefixes that do not function on the VLAN ID. The group keys are configured under .
If filter rules contradict each other, the individual rule has the higher priority: a rule without wildcards in the MAC address or SSID takes precedence over a rule with wildcards. When creating these entries, the user should ensure that filter rules do not contradict each other. The definitions in the filters can be checked in a Telnet session with the trace command trace WLAN-ACL.
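
The following Python example is added here for illustration and is not the vendor's code or the device's actual matching logic. It models the MAC and SSID wildcard matching and the precedence rule described above, so that a rule table can be reviewed offline for overlapping entries before it is deployed. The rule table, names and VLAN IDs are constructed; vendor ID entries are not modelled, and treating several equally specific matches as ambiguous is an assumption, since the text only ranks rules without wildcards above rules with wildcards.

```python
import re

def norm_mac(value):
    """Drop '-' and ':' separators and lowercase; wildcards are kept."""
    return re.sub(r"[-:]", "", value).lower()

def wild_match(pattern, text):
    """Match with '*' (any run of characters) and '?' (exactly one character)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, text) is not None

def wildcard_fields(rule):
    """Number of fields (MAC, SSID) that contain a wildcard; 0 = individual rule."""
    return sum(any(c in rule[f] for c in "*?") for f in ("mac", "ssid"))

def matching_rules(rules, mac, ssid):
    return [r for r in rules
            if wild_match(norm_mac(r["mac"]), norm_mac(mac))
            and wild_match(r["ssid"], ssid)]

def select_rule(rules, mac, ssid):
    """Return (rule, ambiguous). rule is None when nothing matches.
    ambiguous is True when several equally specific rules match (assumed tie
    handling; the page only ranks non-wildcard rules above wildcard rules)."""
    hits = sorted(matching_rules(rules, mac, ssid), key=wildcard_fields)
    if not hits:
        return None, False
    best = [r for r in hits if wildcard_fields(r) == wildcard_fields(hits[0])]
    return best[0], len(best) > 1

# Constructed sample table (names, SSIDs and VLAN IDs are made up).
RULES = [
    {"mac": "00-a0-57-11-??-??", "ssid": "*",        "name": "lab-range", "vlan": 10},
    {"mac": "00:a0:57:11:22:33", "ssid": "CORP",     "name": "printer-1", "vlan": 20},
    {"mac": "00a057*",           "ssid": "GUEST-??", "name": "vendor",    "vlan": 30},
    {"mac": "00a05711*",         "ssid": "*",        "name": "overlap",   "vlan": 40},
]

if __name__ == "__main__":
    for mac, ssid in [("00A057112233", "CORP"), ("00:a0:57:11:44:55", "CORP"),
                      ("00-a0-57-99-00-01", "GUEST-01"), ("02:00:00:00:00:01", "CORP")]:
        rule, ambiguous = select_rule(RULES, mac, ssid)
        print(mac, ssid, "->", rule["name"] if rule else "no rule",
              "(ambiguous)" if ambiguous else "")
```

An ambiguous result points at entries that should be tightened or merged, because the text gives no ordering between two wildcard rules that both match.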