WSEC  Lab 4    Wireless security: AP access filtering       Student _________________________________





The purpose of this Lab is to create an AP access filter that will limit WLAN access. The filtering will be of two types: Blocking (disallowing) selected users, and Enabling (allowing) only certain users and blocking all others. This technique improves WLAN security (especially when used in conjunction with other measures).



Required devices: 

  1. Minimally three PCs (one with ethernet NIC configured, and two others with Cisco 350 Series WNIC installed and configured). More PCs needed if all students are to fully participate simultaneously. Laptops recommended.
  2. Router/switch that provides DHCP services and LAN connectivity. Linksys BEFSR41.
  3. Access point (AP). Cisco 350 Series with dual diversity antennas (omni-directional) vertically polarized.


Instructor notes:

  1. The following procedure assumes that the PCs are using WIN XP (most laptops sold today come with WIN XP preinstalled). If your PCs are running a different OS, you will need to download the appropriate Cisco WNIC interface and ACU. See the Cisco documentation for details.
  2. This Lab should be conducted with the instructor demonstrating the procedure first and the students following along and taking notes. It is strongly suggested that the Instructor demo the procedures and display the settings via a computer projector to the class.

NOTE: It is possible that if incorrect MAC addresses are entered into the Access Filters, you could lock yourself out of the AP!    BE CAREFUL!!


  1. A BSS WLAN must exist between at least two computers and the AP. The two or more wireless-LAN (WLAN) PCs will communicate with each other and the fixed infrastructure LAN (containing PCs cabled to the router/switch) via the AP.
  2. The Cisco Aironet Client Utility (ACU) must be installed on all PCs.
  3. The Linksys router/switch must be installed and configured for DHCP. The PCs connected to the router/switch ports represent the infrastructure LAN (also DHCP enabled). Save at least one port for the AP connection.
  4. Read through the AP documentation provided by Cisco..




Setup the WLAN/LAN that has been used previously: Configure the WLAN using 2 or more WLAN PCs (that include a configured WNIC) linked to an AP, and the AP is connected to the infrastructure LAN via a router/switch.


Write down the MAC addresses of all the WLAN PCs here (use router’s DHCP table):

  1. ____________________________
  2. ____________________________
  3. ____________________________
  4. ____________________________
  5. ____________________________
  6. ____________________________
  7. ____________________________
  8. ____________________________
  9. ____________________________
  10. ____________________________
  11. ____________________________
  12. ____________________________



Part 1. Block a particular user in WLAN


1.      We will block access for the WLAN PC listed as #1 above. Using WLAN PC #2 (see above), open the AP Address Filters Page (direct browser to AP’s IP address, then open “Setup”, then “Address Filters” in the “Association” section).


2.      In the “New MAC Address Filter” field type in the MAC address of WLAN PC #1 (from list above) and click “Disallowed”. Then click “Add”, then “Apply”, then “OK”.


3.      Repeat step 1 to confirm that the MAC address of WLAN PC #1 is listed in the “Existing MAC Address Filters” field.


4.      Open the Aironet Client Utility (ACU) on WLAN PC #1. Has the AP associated the client? ________. Explain _______________________________________________________


5.      Repeat steps 2, 3, 4 and add other WLAN PCs to be disallowed (blocked). DO NOT ADD WLAN PC #2 !!) Then check to see if each has indeed been blocked by the AP. What are the results? ______________________________________________________________________________________________________________________________________________


6.      Now undo what you have done. Go to the AP Address Filters page and click “Remove” for all the MAC addresses listed.


7.      Confirm that the AP is now associating all WLAN PCs.




Part 2. Allowing only certain users to access the WLAN.


WARNING: Include at least one of the WLAN PCs as “Allowed” or you will lock yourself out of the AP!


8.      Repeat steps 1 and 2 except click “Allowed” in the AP “New MAC Address Filter” field.


9.      Return to the AP “Setup” page, then open the “AP Radio Advanced” page.


10. Select “Disallowed” for the “Default Unicast Address Filter”. Click “OK”. You may need to reboot the AP for the changes to occur.


11. Which of the WLAN PCs can now associate with the AP? Explain what has happened. ___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________


12. How can the use of Access Filters improve WLAN security? Does it provide total security? Explain. ___________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________