I want to prevent stations with signals less than -88db ("less than" following the negative, e.g. -89 < -88).

I tried a simple ACL on one interface (default auth and forwarding enabled on wlan2): No effect -- station with -90db signal remained associated, even after disable/enable wlan2.

I tried to reverse the above (default auth and forwarding disabled on wlan2): This had an effect -- nothing could associate, including other ROS boards with signals between -60 and -75.

In both instances, the ACL would show mac-address=00:00:00:00:00:00, which I think should be matching any MAC, but does not. If I use a specific MAC address, say for that station above with the -90db signal, the ACL works -- the station drops off and does not re-associate.


How can I get this working?

The best is to have default authenticate setting OFF and adding each client's MAC address manually in the access list. Then you can disable a certain MAC manually. What is the reason for not wanting weaker signals to connect?

Adding each user to an ACL isn't an option for us.

We're running back haul and client associations on the same wireless interfaces. I'd rather not do it that way, but it's been fine and exposes more radios for potential paying customers...

We're concerned that the poor signal affects the back haul links, and OSPF on top of that.

You should really use dedicated backbone links

You can also add an ACL entry, and set authentication=disabled for that entry. Do not disable the ACL rule itself, set the authentication flag / tickbox to disabled/off.

Is it possible for an ACL entry to match any MAC? I'd like to do two rules, one that prevents stations with poor signals from associating, and the second allowing any other station to associate.

I never had the need to add a ACL to limit all, I only use default forwarding, but it's possible to work.

Try 00:00:00:00:00:00:00 and see what happens. Be sure to first set it to enable all users (or simply disable the interface), and make sure your own MAC is right to the top of the ACL list in order not to loose connectivity.

I'm not sure if a static entry will override a 00:00:00... entry.

I know it's more work, but I'd really suggest doing it manually, or using dedicated backbone links. It's never the best idea to use a distribution antenna for backbone links

Use the connect list for this, not the ACL.