Client Denied by Access Control List

  • 1
  • Question
  • Updated 1 year ago
Hello everyone, I have three AP230 and having lot of issue recently. First one I Have is I keep getting an error saying Client Denied by Access Control List not sure why this keep happening. Any suggestions would be appreciate.
Photo of Arpit Parikh

Arpit Parikh

  • 8 Posts
  • 0 Reply Likes

Posted 1 year ago

  • 1
Photo of Ruwan Indika

Ruwan Indika

  • 66 Posts
  • 22 Reply Likes
Hi Arpit,

This probably is caused by a availability schedule in you config. 

1) First check whether the AP has the correct time,

show clock 

2) check for any time schedules in the config. May be post the output of "show running-config" here


3) Add the client's mac address to client monitor. Replicate the issue and copy and paste the output,




Photo of Arpit Parikh

Arpit Parikh

  • 8 Posts
  • 0 Reply Likes
Hello Ruwan,

Thank you for the respond , appreciated.
I checked my AP's has correct time zone.
I checked there is not time schedule for my both SSID. 
And I have HIveManager NG so it's bit different then what you have. 
Photo of Ruwan Indika

Ruwan Indika

  • 66 Posts
  • 22 Reply Likes
Hi Arpit,

Where do you see the error "Client Denied by Access Control List"

follow the steps below to check time and running config 




1) Check the AP's time , command "show clock"



2) Get the running config, command "show  running-config"

(Edited)
Photo of Arpit Parikh

Arpit Parikh

  • 8 Posts
  • 0 Reply Likes
Hi Ruwan ,

I see that error in my Troubleshoot tab.

here is the running config , 

show clock
      2017-03-24  08:07:34    Friday




show run
security mac-filter Hive-Profile-1 default permit
security mac-filter ECMHSP-GUEST default permit
security mac-filter ECMHSP default permit
security mac-filter ECMHSP oui 8c:f5:a3 deny
radio profile ECMHSP-radio_ng_ng0
radio profile ECMHSP-radio_ng_ng0 phymode 11ng
radio profile ECMHSP-radio_ng_ng0 acsp access channel-auto-select time-range 01:00 04:00
radio profile ECMHSP-radio_ng_ng0 acsp all-channels-model enable
no radio profile ECMHSP-radio_ng_ng0 backhaul failover
radio profile ECMHSP-radio_ng_ng0 interference-map enable
radio profile ECMHSP-radio_ng_ng0 short-guard-interval
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11b rate 11 success 60 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11b rate 5.5 success 70 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11g rate 36 success 70 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11g rate 24 success 80 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11a rate 36 success 70 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11a rate 24 success 80 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11n rate mcs4/2 success 80 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11n rate 54 success 70 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11ac rate mcs2/2 success 80 usage 50
radio profile ECMHSP-radio_ng_ng0 benchmark phymode 11ac rate 54 success 70 usage 50
radio profile ECMHSP-radio_ng_ng0 band-steering enable
radio profile ECMHSP-radio_ng_ng0 band-steering mode prefer-5g
radio profile ECMHSP-radio_ng_ng0 presence enable
radio profile ECMHSP-radio_ng_ng0 presence aging-time 15
radio profile ECMHSP-radio_ng_ng0 presence trap-interval 15
radio profile ECMHSP-radio_ng_ng0 presence aggr-interval 15
radio profile radio_ng_ac0
radio profile radio_ng_ac0 phymode 11ac
radio profile radio_ng_ac0 acsp access channel-auto-select time-range 01:00 04:00
radio profile radio_ng_ac0 interference-map enable
radio profile radio_ng_ac0 interference-map cu-threshold 35
radio profile radio_ng_ac0 interference-map crc-err-threshold 35
radio profile radio_ng_ac0 short-guard-interval
radio profile radio_ng_ac0 benchmark phymode 11b rate 11 success 60 usage 50
radio profile radio_ng_ac0 benchmark phymode 11b rate 5.5 success 70 usage 50
radio profile radio_ng_ac0 benchmark phymode 11g rate 36 success 70 usage 50
radio profile radio_ng_ac0 benchmark phymode 11g rate 24 success 80 usage 50
radio profile radio_ng_ac0 benchmark phymode 11a rate 36 success 70 usage 50
radio profile radio_ng_ac0 benchmark phymode 11a rate 24 success 80 usage 50
radio profile radio_ng_ac0 benchmark phymode 11n rate mcs4/2 success 80 usage 50
radio profile radio_ng_ac0 benchmark phymode 11n rate 54 success 70 usage 50
radio profile radio_ng_ac0 benchmark phymode 11ac rate mcs2/2 success 80 usage 50
radio profile radio_ng_ac0 benchmark phymode 11ac rate 54 success 70 usage 50
radio profile radio_ng_ac0 band-steering enable
radio profile radio_ng_ac0 band-steering mode prefer-5g
security-object ECMHSP-GUEST
security-object ECMHSP-GUEST security protocol-suite wpa2-aes-psk ascii-key ***
security-object ECMHSP-GUEST default-user-profile-attr 2
security-object ECMHSP
security-object ECMHSP security protocol-suite wpa2-aes-psk ascii-key ***
client-monitor policy default_Policy problem-type association
client-monitor policy default_Policy problem-type authentication
client-monitor policy default_Policy problem-type networking
ssid ECMHSP-GUEST
ssid ECMHSP-GUEST security-object ECMHSP-GUEST
ssid ECMHSP-GUEST security mac-filter ECMHSP-GUEST
ssid ECMHSP-GUEST 11g-rate-set 11-basic 6 9 12 18 24 36 48 54
ssid ECMHSP-GUEST multicast conversion-to-unicast auto
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type probe-req
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type probe-resp
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type assoc-req
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type assoc-resp
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type auth
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type deauth
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type disassoc
no ssid ECMHSP-GUEST security wlan dos ssid-level frame-type eapol
no ssid ECMHSP-GUEST security wlan dos station-level frame-type probe-req
no ssid ECMHSP-GUEST security wlan dos station-level frame-type probe-resp
no ssid ECMHSP-GUEST security wlan dos station-level frame-type assoc-req
no ssid ECMHSP-GUEST security wlan dos station-level frame-type assoc-resp
no ssid ECMHSP-GUEST security wlan dos station-level frame-type auth
no ssid ECMHSP-GUEST security wlan dos station-level frame-type deauth
no ssid ECMHSP-GUEST security wlan dos station-level frame-type disassoc
no ssid ECMHSP-GUEST security wlan dos station-level frame-type eapol
ssid ECMHSP-GUEST client-monitor-policy default_Policy
ssid ECMHSP
ssid ECMHSP security-object ECMHSP
ssid ECMHSP security mac-filter ECMHSP
ssid ECMHSP 11g-rate-set 11-basic 6 9 12 18 24 36 48 54
ssid ECMHSP uapsd
ssid ECMHSP multicast conversion-to-unicast auto
ssid ECMHSP client-monitor-policy default_Policy
hive Hive-Profile-1
hive Hive-Profile-1 security mac-filter Hive-Profile-1
hive Hive-Profile-1 wlan-idp mitigation-mode manual
hive Hive-Profile-1 password ***
interface eth0 native-vlan 1
interface eth1 native-vlan 1
interface wifi0 radio profile ECMHSP-radio_ng_ng0
interface wifi0 radio tx-power-control auto
interface wifi1 radio profile radio_ng_ac0
interface wifi1 mode access
interface wifi1 radio tx-power-control auto
interface mgt0 hive Hive-Profile-1
interface wifi0 ssid ECMHSP-GUEST
interface wifi1 ssid ECMHSP-GUEST
interface wifi0 ssid ECMHSP
interface wifi1 ssid ECMHSP
system led power-saving-mode delay 24 on 4 off 64
kddr enable
security wlan-idp profile ECMHSP
security wlan-idp profile ECMHSP ap-policy
security wlan-idp profile ECMHSP adhoc
security wlan-idp profile ECMHSP ap-detection connected
security wlan-idp profile ECMHSP ap-detection client-mac-in-net
security wlan-idp profile ECMHSP sta-report
interface wifi0 wlan-idp profile ECMHSP
interface wifi1 wlan-idp profile ECMHSP
hostname "Finance side "
admin root-admin admin password ***
dns server-ip 208.67.222.222
dns server-ip 208.67.220.220 second
ntp server 0.aerohive.pool.ntp.org
ntp server 1.aerohive.pool.ntp.org second
ntp server 2.aerohive.pool.ntp.org third
ntp server 3.aerohive.pool.ntp.org fourth
clock time-zone -5
clock time-zone daylight-saving-time 03-12 01:59:59 11-05 01:59:59
config version 91447695
config rollback enable
device-location "2700 Wycliff Rd Ste 302|Floor 3"
mac-object Aerohive-001977 mac-range 0019:7700:0000 - 0019:77ff:ffff
mac-object Samsung-Tablets-044665 mac-range 0446:6500:0000 - 0446:65ff:ffff
mac-object Aerohive-D854A2 mac-range d854:a200:0000 - d854:a2ff:ffff
mac-object Aerohive-F09CE9 mac-range f09c:e900:0000 - f09c:e9ff:ffff
mac-object FBAndroid mac-range 8cf5:a300:0000 - 8cf5:a3ff:ffff
mac-object Aerohive-9C5D12 mac-range 9c5d:1200:0000 - 9c5d:12ff:ffff
mac-object Aerohive-C413E2 mac-range c413:e200:0000 - c413:e2ff:ffff
mac-object Aerohive-4018B1 mac-range 4018:b100:0000 - 4018:b1ff:ffff
mac-object Samsung-Tablets-5C0A5B mac-range 5c0a:5b00:0000 - 5c0a:5bff:ffff
mac-object Aerohive-885BDD mac-range 885b:dd00:0000 - 885b:ddff:ffff
mac-object Aerohive-E01C41 mac-range e01c:4100:0000 - e01c:41ff:ffff
mac-object Samsung-Tablets-6021C0 mac-range 6021:c000:0000 - 6021:c0ff:ffff
mac-object Aerohive-C8665D mac-range c866:5d00:0000 - c866:5dff:ffff
mac-object Aerohive-B87CF2 mac-range b87c:f200:0000 - b87c:f2ff:ffff
mac-object Aerohive-C8675E mac-range c867:5e00:0000 - c867:5eff:ffff
mac-object Samsung-Tablets-5CF8A1 mac-range 5cf8:a100:0000 - 5cf8:a1ff:ffff
mac-object Aerohive-08EA44 mac-range 08ea:4400:0000 - 08ea:44ff:ffff
capwap client server name hmng-prd-va-cwps-15.aerohive.com
capwap client server backup name hmng-prd-va-cwpm-01.aerohive.com
capwap client dtls hm-defined-passphrase *** key-id 1
capwap client vhm-name VHM-EBAQEUCB
no capwap client dtls negotiation enable
location aerohive enable
no location aerohive list-match enable
user-profile GUESTVLAN qos-policy def-user-qos vlan-id 192 attribute 2
ip-policy Guest-Internet-Access-Only
ip-policy Guest-Internet-Access-Only id 1 service DHCP-Server action permit
ip-policy Guest-Internet-Access-Only id 2 service DNS action permit
ip-policy Guest-Internet-Access-Only id 3 to 10.0.0.0 255.0.0.0 service any action deny
ip-policy Guest-Internet-Access-Only id 4 to 172.16.0.0 255.240.0.0 service any action deny
ip-policy Guest-Internet-Access-Only id 5 to 192.168.0.0 255.255.0.0 service any action deny
ip-policy Guest-Internet-Access-Only id 6 service any action permit
user-profile GUESTVLAN security ip-policy from-access Guest-Internet-Access-Only
user-profile GUESTVLAN ip-policy-default-action permit
no bonjour-gateway enable
application reporting auto
application reporting upload https://cloud-va.aerohive.com:443/afs-webapp/l7report/22933/ time-window 15 admin VHM-EBAQEUCB password *** basic


Thanks in advance. 





Close