Configures a global list of client MAC addresses. Based on the deny or permit rules specified, clients are either allowed or denied access to the managed network.

The global association list serves the same purpose as an Association Access Control List (ACL). However, the Association ACL allows a limited number of entries, a few thousand only, and does not suffice the requirements of a large deployment. This gap is filled by a global association list, which is much larger (with tens of thousands of entries). Both lists co-exist in the system. When an access request comes in, the association ACL is looked up first and if the requesting MAC address is listed in one of the deny ACLs, the association is denied. But, if the requesting client is permitted access, or if in case none of the ACLs list the client‘s MAC address, the global association ACL is checked. Once authenticated, the client‘s credentials are cached on the Access Point, and subsequent requests are not referenced to the controller. An entry in an APs credential cache means a pass in the global association list.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000


global-association-list <GLOBAL-ASSOC-LIST-NAME>


global-association-list <GLOBAL-ASSOC-LIST-NAME>

Specify the global association list name. If a list with the same name does not exist, it is created.

Map this global association list to a device (controller) or a controller profile. Once associated, the controller applies this association list to requests received from all adopted APs. For more information, see use (profile/device-config-mode-commands).

The global association list can also be mapped to a WLAN. The usage of global access lists is controlled on a per-WLAN basis. For more information, see association-list.


rfs4000-229D58(config)#global-association-list my-clients
Global Association List Mode commands:
  default-action  Configure the default action when the client MAC does not
                  match any rule
  deny            Specify MAC addresses to be denied
  no              Negate a command or set its defaults
  permit          Specify MAC addresses to be permitted

  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal

To enable global-association-list controlled client association, execute the following commands:
  1. Create a global association list, and configure it as shown in the following examples:
    rfs4000-880DA7(config)#global-association-list vtt-list
    rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 01-22-33-44-55-66 description sample
    rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 40-B8-9A-39-F1-27 description acer
    rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 42-B8-9A-39-F1-27 description ami
    rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 6C-40-08-B2-80-6C description mac
    rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit E0-98-61-34-11-47 description my_mobile
    rfs4000-880DA7(config-global-assoc-list-vtt-list)#show context
    global-association-list vtt-list
     default-action deny
     permit 01-22-33-44-55-66 description sample
     permit 40-B8-9A-39-F1-27 description acer
     permit 42-B8-9A-39-F1-27 description ami
     permit 6C-40-08-B2-80-6C description mac
     permit E0-98-61-34-11-47 description my_mobile
  2. Attach this global association list to the profile or device context of the access point or controller, as shown in the following examples:
    On the access point‘s profile context:


    Ensure that the global association list is associated with the profile being applied on the access point.
    rfs4000-880DA7(config-profile-testAP505)#use global-association-list server vtt-list
    rfs4000-880DA7(config-profile-testAP505)#show context include-factory | include g
     service global-association-list blacklist-interval 60
     use global-association-list server vtt-list
    On the access point‘s device context:
    ap505-13403B(config-device-94-9B-2C-13-40-38)#use global-association-list server vtt-list
    ap505-13403B(config-device-94-9B-2C-13-40-38)#show context include-factory | in
    clude global-association-list
     use global-association-list server vtt-list
    On the controller‘s device context:
    rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#use global-association-list server vtt-list
    rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#show context include-factory | in
    clude global-association-list
     use global-association-list server vtt-list
  3. Attach this global association list with the WLAN, as shown in the following example:
    rfs4000-880DA7(config-wlan-GLAssList)#association-list global vtt-list
    rfs4000-880DA7(config-wlan-GLAssList)#show context include-factory | include association-list
     association-list global vtt-list