The global association list serves the same purpose as an Association Access Control List (ACL). However, the Association ACL allows only a limited number of entries (a few thousand), which does not meet the requirements of a large deployment. The global association list fills this gap: it is much larger, with tens of thousands of entries. Both lists co-exist in the system. When an access request comes in, the association ACL is looked up first, and if the requesting MAC address is listed in one of the deny ACLs, the association is denied. If the requesting client is permitted access, or if none of the ACLs list the client's MAC address, the global association ACL is checked. Once authenticated, the client's credentials are cached on the Access Point, and subsequent requests are not referred to the controller. An entry in an AP's credential cache means a pass in the global association list.
global-association-list <GLOBAL-ASSOC-LIST-NAME>
<GLOBAL-ASSOC-LIST-NAME> | Specify the global association list name. If a list with the same name does not exist, it is created. Map this global association list to a device (controller) or a controller profile. Once associated, the controller applies this association list to requests received from all adopted APs. For more information, see use (profile/device-config-mode-commands). The global association list can also be mapped to a WLAN. The usage of global access lists is controlled on a per-WLAN basis. For more information, see association-list.
nx9500-6C8809(config)#global-association-list my-clients
nx9500-6C8809(config-global-assoc-list-my-clients)#?
Global Association List Mode commands:
  default-action  Configure the default action when the client MAC does not match any rule
  deny            Specify MAC addresses to be denied
  no              Negate a command or set its defaults
  permit          Specify MAC addresses to be permitted

  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal

nx9500-6C8809(config-global-assoc-list-my-clients)#
nx9500-6C8809(config)#global-association-list vtt-list
nx9500-6C8809(config-global-assoc-list-vtt-list)#permit 01-22-33-44-55-66 description sample
nx9500-6C8809(config-global-assoc-list-vtt-list)#permit 40-B8-9A-39-F1-27 description acer
nx9500-6C8809(config-global-assoc-list-vtt-list)#permit 42-B8-9A-39-F1-27 description ami
nx9500-6C8809(config-global-assoc-list-vtt-list)#permit 6C-40-08-B2-80-6C description mac
nx9500-6C8809(config-global-assoc-list-vtt-list)#permit E0-98-61-34-11-47 description my_mobile
nx9500-6C8809(config-global-assoc-list-vtt-list)#show context
global-association-list vtt-list
 default-action deny
 permit 01-22-33-44-55-66 description sample
 permit 40-B8-9A-39-F1-27 description acer
 permit 42-B8-9A-39-F1-27 description ami
 permit 6C-40-08-B2-80-6C description mac
 permit E0-98-61-34-11-47 description my_mobile
nx9500-6C8809(config-global-assoc-list-vtt-list)#
Note
Ensure that the global association list is associated with the profile being applied on the access point.
nx9500-6C8809(config-profile-testAP505)#use global-association-list server vtt-list
nx9500-6C8809(config-profile-testAP505)#show context include-factory | include global-association-list
 service global-association-list blacklist-interval 60
 use global-association-list server vtt-list
nx9500-6C8809(config-profile-testAP505)#
ap505-13403B(config-device-94-9B-2C-13-40-38)#use global-association-list server vtt-list
ap505-13403B(config-device-94-9B-2C-13-40-38)#show context include-factory | include global-association-list
 use global-association-list server vtt-list
ap505-13403B(config-device-94-9B-2C-13-40-38)#
nx9500-6C8809(config-device-00-23-68-88-0D-A7)#use global-association-list server vtt-list
nx9500-6C8809(config-device-00-23-68-88-0D-A7)#show context include-factory | include global-association-list
 use global-association-list server vtt-list
nx9500-6C8809(config-device-00-23-68-88-0D-A7)#
nx9500-6C8809(config-wlan-GLAssList)#association-list global vtt-list
nx9500-6C8809(config-wlan-GLAssList)#show context include-factory | include association-list
 association-list global vtt-list
nx9500-6C8809(config-wlan-GLAssList)#
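The lookup order described at the top of this page, applied to the vtt-list show context output, as an added example that is not part of the product or its documentation. The function names, the set-based stand-ins for the association ACL and the AP credential cache, and the address-bit audit are assumptions made for illustration; the audit uses the standard IEEE 802 group and locally administered bits to flag permit entries worth a second look.

```python
import re

# Constructed sample: the vtt-list "show context" output shown on this page.
SHOW_CONTEXT = """\
global-association-list vtt-list
 default-action deny
 permit 01-22-33-44-55-66 description sample
 permit 40-B8-9A-39-F1-27 description acer
 permit 42-B8-9A-39-F1-27 description ami
 permit 6C-40-08-B2-80-6C description mac
 permit E0-98-61-34-11-47 description my_mobile
"""

RULE = re.compile(r"^\s*(permit|deny)\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\b")
DEFAULT = re.compile(r"^\s*default-action\s+(permit|deny)\s*$")

def parse_global_list(text):
    """Return (default_action, {MAC: action}) from a show-context block."""
    default, rules = None, {}
    for line in text.splitlines():
        d, r = DEFAULT.match(line), RULE.match(line)
        if d:
            default = d.group(1)
        elif r:
            rules.setdefault(r.group(2).upper(), r.group(1))
    return default, rules

def decide(mac, acl_deny, ap_cache, default, rules):
    """Simplified model of the order above: deny ACL, AP cache, global list."""
    mac = mac.upper()
    if mac in acl_deny:                      # association ACL is consulted first
        return "deny (association ACL)"
    if mac in ap_cache:                      # cached entry counts as a pass
        return "permit (AP credential cache)"
    return f"{rules.get(mac, default)} (global association list)"

def odd_entries(rules):
    """Flag permitted MACs with the group bit or locally administered bit set."""
    flags = {}
    for mac, action in rules.items():
        first = int(mac[:2], 16)
        if action == "permit" and first & 0x01:
            flags[mac] = "group/multicast bit set"    # not a valid client source address
        elif action == "permit" and first & 0x02:
            flags[mac] = "locally administered"       # software-assigned, not vendor-burned
    return flags
```

Run against the page's list, `odd_entries` flags the `sample` and `ami` entries, and any MAC absent from the list falls through to the `default-action deny` line.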