
R510: Import MAC address list and limitations

matthew_maltby_
New Contributor II
I'm setting up a new R510. I have 126 MAC addresses in the allow list on my old hardware. I can't see how to import that list on the R510. Please tell me I am not going to have to do this one at a time?!

Also, I think I read in passing there is a limit of 128 MAC addresses per allow / deny rule? Given I am starting at 126 and adding new devices regularly, that doesn't bode well for me if correct. Can I create more than one allow list and have it applied against the same wlan? 
10 REPLIES 10

matthew_maltby_
New Contributor II
Thanks for the admin guide link. I couldn't see for looking when I went searching for that earlier!

OK so I have created an AAA entry for AD and pointed it to one of my DCs. I've then modified the relevant places to use it and enabled Zero-IT on my internal wlan.

First test seems OK. Browsed to the activation URL on my Android mobile, got challenged for creds, downloaded small app/installer, ran said app, clicked on the wlan name and bosh! it has connected.

Obs I have to do some more testing before roll out and we also have Apple devices and Windows PCs. Hopefully the activation process works across the board and isn't a resource problem on the installed devices, or an issue with some kind of injection into the device Wi-Fi stack causing connectivity issues elsewhere.

I just need to sort out enabling a decent TLS level on the old DC OS version then I think I'm good to go...?

Am I getting ahead of myself? I'd love to get a win this month! 🙂


DarrelRhodes
Valued Contributor
Hi Matt,

Sounds like you nailed it!  Excellent work sir!

Here's a link to all our Unleashed documentation:  https://support.ruckuswireless.com/products/82-unleashed#documents

Thanks,
Darrel.

matthew_maltby_
New Contributor II
Hmmm

I don't think I have actually achieved the desired result.

I've made it easier for users to connect, which is great, but I've lost the device access control.

If a rogue device discovers the wlan key it can connect. Previously that would not have been possible (MAC address spoofing aside), because I was using the L2/MAC allow list...


DarrelRhodes
Valued Contributor
Hi Matt,

You should be able to use your NPS server to manage access of specified MAC addresses/ranges:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd...

Darrel.

matthew_maltby_
New Contributor II
Thanks Darrel

I'm not sure what to think about that...

I don't want to inadvertently upset the office desktop connectivity by bringing in MAC auth, am unsure whether or not I'd have to buy device CALs for each of the MAC user accounts etc etc.

Perhaps the easiest way for me to protect against a rogue device outside of the domain connecting is to beef up the PSK and change the DoS temp client block to e.g. 600 seconds.

That would at least make it less likely an attacker would bother with techniques like password grinding. It wouldn't help if an attacker were sniffing traffic but they'd have to be determined and extremely lucky to pick up someone connecting by entering the PSK rather than via the ZeroIT method.

I'm looking at getting TLS working on my old DCs today and will also look at sorting out a cert so I'm admin connecting over HTTPS.

Thoughts...?

Thanks!

Matt