LANCOM Support Knowledgebase Document No. 1509.1414.0444.RHOO - V2.30

New features and functionality for the station rules table


As of LCOS version 9.10, it is possible to specify wildcards (* and?) within MAC addresses in the WLAN station table. Names of manufacturers can be entered (for example, Samsung), and access from Wi-Fi clients to can be restricted to default SSIDs.


How the new function works:

In order for the station rules table to be processed correctly when operating a WLAN controller, the RADIUS server needs to be enabled on the device. To ensure this, enable the RADIUS authentication.

Make sure that the "MAC filter enabled" option is enabled in the SSID configuration.

The station rules table is accessed on LANCOM access points & WLAN routers under the menu Wireless LAN -> Stations -> Station rules and on LANCOM WLAN controllers under the menu WLAN controller -> Stations -> Station rules.

All of the rules in the station table are processed in sequence and without exception. Rules without any wildcards in the SSID or MAC address field have a higher priority than those containing wildcards for the assignment of parameters to a WLAN client, such as VLAN ID, passphrase, etc.

A WLAN client is given access if any one rule matches, be it with or without wildcards.

It is not possible to specify an explicit rule that denies access for certain WLAN clients to specific SSIDs, although this can be achieved by using an additional, more general rule.

In this case, a rule is defined that initially gives all of the WLAN clients access to one particular SSID; the following rules then permit access to the other SSIDs only for the desired WLAN clients.

If you want to share all the devices from one manufacturer, you can also enter the name of the manufacturer in the MAC address pattern field. All LANCOM devices contain a list of common OUIs and the associated provider.


In this WLAN scenario, access for the WLAN client with the MAC address 00:a0:57:44:55:66 should be allowed to use the SSID Public only, i.e. it should be excluded from the other SSIDs.

This would not work by using two rules in sequence as in the following example:

    MAC address: 00:a0:57:*, SSID: *
    MAC address: 00:a0:57:44:55:66, SSID: Public

This set of rules does not restrict the MAC address 00:a0:57:44:55:66 to the SSID Public, because the first rule provides a match for the MAC address 00:a0:57:44:55:66, and this rule grants access to all of the SSIDs. A more specific rule does not place a restriction on more general rules. At best it overrides parameters that depend on the rule, such as the WPA passphrase.

In order to restrict the WLAN client with the MAC address 00:a0:57:44:55:66 to the SSID Public, you need to create the following rule set:

    MAC address: 00:a0:57:*, SSID: Public
    MAC address: 00:a0:57:11:22:33, SSID: *
    MAC address: 00:a0:57:22:33:44, SSID: *

With this rule set, the top rule would apply and the MAC address 00:a0:57:44:55:66 is permitted access to the SSID Public. You initially grant all MAC addresses access to the SSID Public, and then you explicitly list the MAC address(es) that are additionally to be granted access to the other SSIDs.

Catchwords: stations table; WLAN; client; vlan; AP; access point; controller; wlc; mac; ssid
Please review this document! This document was helpful This document was not helpful