I would be interested in the code from a curiosity perspective, but I also 
wanted to ask how this is received from a user perspective.

Is this a feature that you use as a last resort?

We have always bent over backwards to attempt (as much as practical) to steer 
the user into a web page that tells them what the problem is. We have legacy 
stories of kids asking dad for a new computer because theirs was quarantined.

Randy

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Garry Peirce
Sent: Thursday, April 15, 2010 2:06 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

Mike,
I manage Cisco controller exclusions via SNMP.

We have a homegrown IPAM system which includes a checkbox to be able to disable 
a machine.
Doing so for a wireless host causes this to create an exclusion entry which is 
then distributed system-wide preventing the host from associating.
When this box is unchecked, the entry gets removed (database change, cron 
process, script runs...)

In a nutshell... I've scraped some parts of a script I wrote depicting the 
insert/removal operation.
So as not to include here as an attachment, I'll send it to you directly - if 
others would like it, just send me a note.

As I scraped from different sections of the script, it may require some 
re-working to make it run.
This might give you something to work with to create a script to purge your 
entries, but you'll need a way to determine the entries' age.
I actually include the date of the exclusion in the description field.  Then 
you just have to run it once a month.

Btw - you may want to increase the size of the WLC database should you have a 
large number of excluded addresses.
'config database size <512-2048>'


From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Schomer, Michael J.
Sent: Thursday, April 15, 2010 10:45 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Hacking Cisco WLC - macfilters

Although we encourage all wireless devices to connect via WPA/WPA2 802.1x, not 
all wireless devices support these standards.  To accommodate consumer level 
wireless devices, such as game consoles, we created a separate WPA PSK network. 
We manually approve each request by adding a mac filter exclusion to that 
particular network.

In the beginning we did all these requests manually, either by entering them 
directly into each WLC or by using templates in WCS.  Eventually, the number of 
requests necessitated the need to semi-automate the process.  We created a web 
form to gather the information; on the administrator side we could approve or 
deny each request.  Approving the request would run a scripted telnet session 
to each WLC adding the macfilter.

For security and stability reasons we didn't want to continue using scripted 
telnet sessions.  We figured out how to script an https session on the 
controllers using HTTP GET.  This solution is working much better; however, we 
have not found a good way of removing macfilters from the controllers, using 
this method. (The way the web interface works for removing macfilters is pretty 
convoluted and would be difficult to script.) We want to run a script once a 
month that will remove all macfilters a year or more old.

So, long story short, has anyone done anything like this?  Any suggestions for 
removing old macfilters?

Thanks.

-Mike Schomer
-ResNet Coordinator
-St. Cloud State University
********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.