Captive web portal MAC addresses bypass issue

  • Question
  • Updated 2 years ago
I have followed the guide "MAC Address Bypass Enhancement" to implement MAC address bypass for the Visitor's SSID and it does not seem to work as expected. I created a whitelist in the CLI supplement as below:

mac-object CATPhone mac-range 0016:d4fe:3600 - 0016:d4fe:36cc
mac-object CATPhone0076 mac-range 0016:d4fe:0076
mac-object wlan9 mac-range e82a:ea74:d8ee
mac-object nexus4 mac-range 1068:3f88:663e
security-object VisitorSSID security mac-white-list bypass-cwp
security-object VisitorSSID security mac-white-list mac-object CATPhone
security-object VisitorSSID security mac-white-list mac-object CATPhone0076
security-object VisitorSSID security mac-white-list mac-object wlan9
security-object VisitorSSID security mac-white-list mac-object nexus4

I added the whitelist to each AP under Advanced Settings and uploaded the full config (with reboot).

The issue is that so far only the first MAC address range seems to work (mac-object CATPhone mac-range 0016:d4fe:3600 - 0016:d4fe:36cc), but the remaining MAC addresses (CATPhone0076, wlan9 and nexus4) don't.

Is my configuration incorrect or am I missing something?

Dariusz Chorzepa

Posted 2 years ago


j

The mac-range option requires two MAC addresses, whether or not it's a single MAC address or a range of them. Thus, for CATPhone0076, wlan9, and nexus4, you need to add each MAC address on both sides of the hyphen:

mac-object CATPhone0076 mac-range 0016:d4fe:0076 - 0016:d4fe:0076
mac-object wlan9 mac-range e82a:ea74:d8ee - e82a:ea74:d8ee
mac-object nexus4 mac-range 1068:3f88:663e - 1068:3f88:663e

Dariusz Chorzepa

Great. I have corrected the issue.

One more question. When I read the guide, it said that the maximum number of 'mac-white-list mac-object' entries is 8. Does this mean that if I specify single MAC addresses, I can have only 8 MAC addresses whitelisted? This seems to me a rather low number, but maybe there is a reason why it is so low.

Thank you.

j

It would seem so:
You can add up to eight different MAC objects to a single mac-white-list. If you attempt to add more than eight objects, the following error message appears:
security-object test-ssid security mac-white-list mac-object vending_albert9

can't bind mac-object to mac-white-list exceeding 8 members!
I'm not sure why though.

Metka Dragos

Dariusz,
please refer to the help information that you can find here http://docs.aerohive.com/330000/docs/help/english/ng/Content/gui/configuration/configuring-supplemental-cli.htm

Each mac-object can contain up to 255 MAC addresses and you can create up to 128 mac-objects.

j

Maybe I’m missing something here, but according to the help information, each security object—i.e. VisitorSSID in this case—can only have up to eight different MAC objects associated to a mac-white-list:
Each security-object can have up to eight different MAC objects associated to a specific mac-white-list.

For example, to bind the vendor SSID eight MAC objects, enter the following:
# security-object vendor security mac-white-list mac-object MyMacObject1
# security-object vendor security mac-white-list mac-object MyMacObject2
# security-object vendor security mac-white-list mac-object MyMacObject3
# security-object vendor security mac-white-list mac-object MyMacObject4
# security-object vendor security mac-white-list mac-object MyMacObject5
# security-object vendor security mac-white-list mac-object MyMacObject6
# security-object vendor security mac-white-list mac-object MyMacObject7
# security-object vendor security mac-white-list mac-object MyMacObject8
In the case above, if each MyMacObjectX only contains a single MAC address, that would mean you can only whitelist a total of eight MAC addresses?

j

To create a single MAC whitelist object containing a single MAC address, enter the following:
mac-object MyMacObject1 mac-range 1111:2222:3333 - 1111:2222:3333
My guess is that the following wouldn’t work as expected, but that MyMacObject1 would actually be 3333:4444:5555, and thus disallowing you to add more MAC addresses to the object:
mac-object MyMacObject1 mac-range 1111:2222:3333 - 1111:2222:3333
mac-object MyMacObject1 mac-range 2222:3333:4444 - 2222:3333:4444
mac-object MyMacObject1 mac-range 3333:4444:5555 - 3333:4444:5555

Robert Nicholas, Employee

Each MAC object can contain up to 255 MAC addresses or ranges, and you can have up to 128 MAC objects defined. However, of the 128 possible MAC objects, you can only include eight in a security object.

Suppose you have 100 MAC addresses that you want to whitelist. You can add all 100 MAC addresses to a single MAC object called, say, whitelist-mac-addrs. Compose the MAC object as follows:
mac-object whitelist-mac-addrs mac-range 0000:0000:0001 - 0000:0000:0001
mac-object whitelist-mac-addrs mac-range 0000:0000:0003 - 0000:0000:0003
mac-object whitelist-mac-addrs mac-range 0000:0000:0005 - 0000:0000:0005
...
mac-object whitelist-mac-addrs mac-range 0000:0000:00c5 - 0000:0000:00c5
mac-object whitelist-mac-addrs mac-range 0000:0000:00c7 - 0000:0000:00c7
Now you have a single MAC object containing 100 MAC addresses.

You can then enable your SSID (let's say, ABCaccess) to work with a whitelist using the following command:
security-object ABCaccess security mac-white-list bypass-cwp
Now bind the MAC object (that is, the whitelist) to the SSID:
security-object ABCaccess security mac-white-list mac-object whitelist-mac-addrs
Now you have a functioning whitelist for your ABCaccess SSID and web portal.

The key thing here is that you've included 100 MAC addresses in your whitelist, while only using one of eight available slots in your security object. If you have similar MAC objects containing different sets of MAC addresses, then you can combine the MAC objects in interesting ways within your security objects, as long as a single security object doesn't contain more than eight sets of MAC addresses.
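
The packing described in the replies above can be scripted. The following is an added example, not part of the original thread and not vendor code: it normalizes a device list, merges consecutive addresses into ranges, always writes both ends of each range, and refuses to exceed the limits quoted in the thread (255 entries per MAC object, eight MAC objects per security object). The object naming scheme (wl-<ssid>-<n>) and the accepted input notations are assumptions.

```python
import re

MAX_ENTRIES_PER_OBJECT = 255   # per the thread: addresses or ranges per mac-object
MAX_OBJECTS_PER_SSID = 8       # per the thread: mac-objects per security-object

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb:ccdd:eeff; return an int."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)

def fmt_mac(value):
    """Render an int in the xxxx:xxxx:xxxx form used in the thread."""
    h = f"{value:012x}"
    return f"{h[0:4]}:{h[4:8]}:{h[8:12]}"

def coalesce(macs):
    """Drop duplicates and merge consecutive addresses into (start, end) ranges."""
    ranges = []
    for m in sorted({parse_mac(x) for x in macs}):
        if ranges and m == ranges[-1][1] + 1:
            ranges[-1][1] = m
        else:
            ranges.append([m, m])
    return [tuple(r) for r in ranges]

def build_whitelist(ssid, macs, prefix="wl"):
    """Return the CLI lines that whitelist every address for one security-object."""
    ranges = coalesce(macs)
    chunks = [ranges[i:i + MAX_ENTRIES_PER_OBJECT]
              for i in range(0, len(ranges), MAX_ENTRIES_PER_OBJECT)]
    if len(chunks) > MAX_OBJECTS_PER_SSID:
        raise ValueError(f"{len(chunks)} mac-objects needed; limit is {MAX_OBJECTS_PER_SSID}")
    lines, names = [], []
    for n, chunk in enumerate(chunks, 1):
        names.append(f"{prefix}-{ssid}-{n}")   # hypothetical naming scheme
        # Always write both ends of the range, even for a single address.
        lines += [f"mac-object {names[-1]} mac-range {fmt_mac(a)} - {fmt_mac(b)}"
                  for a, b in chunk]
    lines.append(f"security-object {ssid} security mac-white-list bypass-cwp")
    lines += [f"security-object {ssid} security mac-white-list mac-object {name}"
              for name in names]
    return lines

# Constructed sample input: addresses taken from the question, in mixed notations.
SAMPLE = ["00:16:d4:fe:36:00", "0016:d4fe:3601", "0016:d4fe:0076",
          "E8-2A-EA-74-D8-EE", "1068:3f88:663e"]

print("\n".join(build_whitelist("VisitorSSID", SAMPLE)))
```

The limits are taken from the thread, so check them against the help page for the firmware in use before relying on the guard.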