Classify and Ban Designated Wireless Clients

SUMMARY To protect your network, use this feature to allow or ban access points based on their MAC addresses.

To simplify wireless security and control, you can identify wireless clients that you want to ban or approve. Then in your WLAN security settings, enable the option to prevent banned clients from associating.

  • Banned clients—Rogue clients are banned as a result of connecting to the rogue AP, after which they are prevented from rejoining the network, even if they try through a valid AP.

  • Approved clients—The approved clients classification is a special category for clients that were previously connected to the network through a rogue AP, but then were terminated to shut down the rogue. When you approve a legitimate client, they can rejoin the network by reconnecting through a valid AP.

Unclassified clients are considered neutral.

Depending on the AP firmware, clients can be banned or approved from a specific site or from the entire organization. Up to 512 client classifications for a given SSID can be stored locally, on the relevant APs, for APs running firmware version 0.14.x and later (any more than 512 are stored only on the cloud).

For firmware before version 0.14.x, client classifications are stored on the Mist cloud, which means the AP must be connected to the cloud to reference and enforce the classification. The minimum AP firmware required for site-level classification, or for organization-wide classification (which includes site-level), is version 0.9.x or later.

Classification uses each client's MAC address for identification. You can find the MAC addresses of rogue clients by mousing over the client count in the Security page (see Find Wireless Client MAC Addresses), or by looking them up in the WiFi Clients page.

Classify Clients

Typing MAC addresses is tedious, so the best way to use the classification app is to copy and paste from a list or to upload a .csv file, one for approved clients and the other for banned clients. Separate MAC addresses on a single line with a comma (no space).

Figure 1: Classify Clients

For .csv files, you can also use a line break such as you would get from copying a column of data from a spreadsheet. Mist supports the following MAC address formats:

To classify wireless clients:

  1. From the Mist portal, select Site > Wireless | Security.
  2. Click the View Client Classification button in the upper right corner of the page that appears.
    • For both the Approved tab and Banned tab, paste your MAC addresses in the field and click the +Add button.
    • Alternatively, click the Upload File button to load a .csv file with the MAC addresses.

  3. Click Save to incorporate the list and close the page.
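Before pasting or uploading, it helps to clean both lists offline. The following is an added example, not part of the Mist product or documentation: it reduces each list to one comma-separated line with no spaces, rejects malformed entries, and reports any MAC address that appears in both the approved and banned lists. The accepted input notations, the colon-separated output form, and counting both lists together against the 512-entry local limit are assumptions.

```python
import re

LOCAL_LIMIT = 512  # classifications per SSID an AP stores locally (firmware 0.14.x and later)
# Assumed input notations: aabbccddeeff, aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{12}|[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}|[0-9a-f]{4}(?:\.[0-9a-f]{4}){2})$"
)


def normalize(token):
    """Return the MAC as aa:bb:cc:dd:ee:ff, or None if the token is not a 48-bit MAC."""
    tok = token.strip().lower()
    if not MAC_RE.match(tok):
        return None
    bare = re.sub(r"[^0-9a-f]", "", tok)
    return ":".join(bare[i:i + 2] for i in range(0, 12, 2))


def parse_list(text):
    """Split on commas or line breaks; return (unique MACs in input order, rejected tokens)."""
    good, bad = [], []
    for token in re.split(r"[,\r\n]+", text):
        if not token.strip():
            continue
        mac = normalize(token)
        if mac is None:
            bad.append(token.strip())
        elif mac not in good:
            good.append(mac)
    return good, bad


def build(approved_text, banned_text):
    """Prepare both lists and report what to fix before pasting or uploading."""
    approved, bad_a = parse_list(approved_text)
    banned, bad_b = parse_list(banned_text)
    return {
        "approved": ",".join(approved),  # one line, comma-separated, no space
        "banned": ",".join(banned),
        "rejected": bad_a + bad_b,  # typos and truncated addresses
        "conflicts": sorted(set(approved) & set(banned)),  # same MAC in both lists
        # Assumption: approved and banned entries count together toward the limit.
        "cloud_only": max(0, len(approved) + len(banned) - LOCAL_LIMIT),
    }


if __name__ == "__main__":
    # Constructed sample data, not real client addresses.
    print(build("AA:BB:CC:00:11:22,aa-bb-cc-00-11-22\n0011.2233.4455", "001122334455,zz:zz"))
```

Resolve every entry in `conflicts` and `rejected` before saving. A nonzero `cloud_only` means some classifications exceed what the AP stores locally.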

Block Banned Clients

Figure 2: Prevent Banned Clients from Associating with the SSID

Note that banning rogue clients from an SSID should be considered in the larger context of client blocking, which has, in at least one case, led to FCC actions against the blocker. Banned clients will not be able to connect to the Juniper AP, nor will they see a message or notification explaining the cause.

To prevent banned clients from associating with an SSID:

  1. From the Mist portal, select Site > Wireless | WLANs.
  2. Click the Add WLAN button in the upper right corner of the page or choose an existing SSID from the list that appears.
  3. In the Security section, select Prevent banned clients from associating.
  4. Click Save.