ACLs and VLACLs:
A common feature enabled on access points is the Access Control List, or ACL. An ACL is a list of MAC addresses, with each MAC address representing a mobile device that is allowed to communicate with a specific access point. ACLs are typically configured either on a per-access point basis, or through a Mobile Manager profile which can configure multiple access points simultaneously. Although it is a helpful feature, ACLs can be restrictive because they can only support a limited number of MAC addresses. The exact number of MAC addresses the ACL contains depends on the hardware type of the access point, and the firmware version installed. Mobile Manager overcomes the limitations of standard ACLs by allowing users to employ a Very Large Access Control List, or VLACL. As the name implies, a VLACL is an extended version of the standard ACL, and differentiates from an ACL in two ways: ?A VLACL is established on a per-Mobile Manager Agent basis, allowing a single list to be available to a large number of access points. NOTE: VLACLs are a global setting that applies to all access points that an Agent manages. ?A VLACL can contain a list of thousands of MAC addresses, while ACLs are generally restricted to several hundred or less. Both ACLs and VLACLs can be valuable tools for managing a wireless network; however, due to a variety of factors, these features can cause unexpected issues. This document is designed to provide a more detailed explanation of how Mobile Manager handles ACL and VLACL management and describe some of the limitations of these features. ACCESS CONTROL LISTS An Access Control List (ACL) is a list of MAC addresses that are allowed to communicate with a specific access point. Users can create ACLs either manually on each individual access point, or by assigning access points to a Mobile Manager profile. When an access point has an ACL, it checks the MAC address of any mobile device attempting to associate with it against the list of addresses in the ACL. If the MAC address is found, the access point allows the mobile device to associate. If the address is not found, the access point denies the device access to the network. The number of MAC address an ACL can contain primarily depends on two factors: the hardware manufacturer of the access point, and the firmware version installed on the access point. The following lists the number of entries an ACL can contain for the access points that Mobile Manager supports. Hardware Manufacturer Maximum Number of ACL Entries Cisco 40 Symbol 512 KNOWN ACL ISSUES.
The following table contains a list of the most common issues associated with ACL management within Mobile Manager.
Issue: Mobile devices occasionally disconnect when user modifies the ACL.
Cause: When a user modifies an ACL, the Mobile Manager Agent clears the existing ACL of the access point and write the new ACL from scratch. Depending on mobile device activity, clearing the ACL can result in the mobile device becoming disassociated from the access point.
Recommended Workaround: Restrict ACL management to times when the number of associated mobile devices is at a minimum. Note: Mobile Manager 5.6 can add ACL entries without clearing the previous ACL.
Issue: Cisco access points do not enforce all ACL entries.
Cause: Cisco recommends that ACLs contain a maximum of 40 entries, because ACLs with more than 40 entries can cause a degradation in access point performance. As a result the Mobile Manager Administrator only sends the first 40 entries in the ACL to the access point.
Recommended Workaround: Reduce the entries in the ACL to 40 entries or less. If this is not feasible, implement Mobile Manager?s VLACL feature. Additional workarounds are available by contacting Wavelink Technical Support.
Issue: Symbol access points do not enforce all ACL entries.
Cause: Symbol firmware versions 3.50-18 to 3.70-46a contain an error in which the access points only enforce the first 127 MAC addresses in the ACL. This issue is not related to Mobile Manager.
Recommended Workaround: Reduce the entries in the ACL to 127 entries or less. Symbol firmware 3.70-77 and later resolves this issue. ACL MANAGEMENT: CLEARING THE ACL Because the ACL controls which mobile devices are allowed to associate with an access point, clearing the ACL can have a potentially serious impact on network communication and performance. As a result, it is important to know when Mobile Manager clears the ACL during access point management, as this information can reduce or eliminate the impact of accidental diassociations from the network. Access Point Type: Symbol Clears ACL when Adding Entries? Yes Clears ACL when Deleting Entries? Yes Access Point Type: Cisco Clears ACL when Adding Entries? Yes Clears ACL when Deleting Entries? Yes As the previous table illustrates, both Symbol and Cisco access points require that the ACL be cleared whenever the contents of the ACL changes. After the ACL is cleared, the updated ACL is added into the access point. VERY LARGE ACCESS CONTROL LISTS A Very Large Access Control List (VLACL) is an extended version of a standard ACL that users create and manage through the Mobile Manager Administrator. Unlike a standard ACL, which is maintained on an access point, a VLACL is maintained on a Mobile Manager Agent. In addition, VLACLs can contain several thousand MAC addresses, making them much more extensive than an access point-based ACL. A VLACL operates by having the Mobile Manager Agent build an access point?s ACL as mobile devices attempt an association. When a mobile device attempts an association, the access point checks to see if the MAC address of the device is in its ACL. If the address cannot be found, the access point sends an SNMP trap containing the address to the Agent, which then checks the address against the VLACL. If a match is found, the Agent updates the ACL of the access point with the address. If a match is not found, the mobile device is denied access.
KNOWN ISSUES The following is a list of the most common issues associated with VLACL management with Mobile Manager.
Issue: After the access point?s ACL is filled to capacity, a new mobile device attempts to associate.
Cause: When the ACL is full, the Agent must clear the existing ACL of the access point and write the new ACL from scratch. Depending on mobile device activity, clearing the ACL can result in the mobile device becoming disassociated from the access point. For Cisco, this issue can occur each time the ACL for the access point is updated.
Recommended Workaround: At present, no solution is available. Issue: Enabling VLACL causes disconnects to occur between wireless root bridges and wireless client bridges.
This issue has two possible causes:
(1) a reset factory occurred on either the root or client bridge, eliminating the configurations settings those components need to operate;
(2) the MAC address of the wireless client bridge was not added to the VLACL. Recommended Workaround: Lock both the wireless root bridge and the wireless client bridge to prevent Mobile Manager from applying profile settings to them. Also, ensure that the MAC address of the wireless client bridge is in the VLACL. It is important to remember that VLACLs still use the ACL built into each access point. Consequently, the issues described in the Access Control Lists section of this document continue to apply?particularly in regards to when an access point?s ACL is cleared. In addition, Symbol access points must be reset whenever the VLACL is enabled or disabled. This reset helps to ensure that only approved mobile devices can associate with a given access point. As a result, it is recommended that you enable or disable the VLACL only at times when access point resets have a minimum impact on mobile device users. RELATED DOCUMENTS Additional information on ACLs, VLACLs and other Mobile Manager features can be found in the Added additional information on when ACLs are cleared, and when access points are reset.