Comment: Added access-list documentation

...

Enterprise wireless security with User Manager v5


Access List

The access list provides multiple ways of filtering and managing wireless connections.

RouterOS will check each connection to see if its parameters match parameters specified in any access list rule. This will happen when a connection is established and periodically after that.
The rules are checked in the order they appear in the list. Only management actions specified in the first matching rule are applied to the connection.

Note

Take care when writing access list rules which reject clients. After being repeatedly rejected by an AP, a client device may start avoiding it.

Filter parameters

| Parameter | Description |
| --- | --- |
| allow-signal-out-of-range (time period) | Modifies the signal-range parameter to still match established connections for a given length of time, even if their signal is outside the specified range. Default: 0s. |
| interface (interface\|interface-list\|'any') | Match if connection takes place on the specified interface or interface belonging to specified list. Default: any. |
| mac-address (MAC address) | Match if the client device has the specified MAC address. No default value. |
| mac-address-mask (MAC address) | Modifies the mac-address parameter to match if it is equal to the result of performing bit-wise AND operation on the client MAC address and the given address mask. Default: FF:FF:FF:FF:FF:FF (i.e. client's MAC address must match value of mac-address exactly) |
| signal-range (min..max) | Match if the strength of received signal from the client device is within the given range. Default: '-120..120' |
| ssid-regexp (regex) | Match if the given regular expression matches the SSID. |
| time (start-end,days) | Match during the specified time of day and (optionally) days of week. Default: 0s-1d |

Action parameters

| Parameter | Description |
| --- | --- |
| action (accept\|reject\|query-radius) | Whether to authorize a connection. accept - new connections are accepted, established connections are maintained; reject - new connections are rejected, established connections are interrupted; query-radius - new connections are accepted if MAC authentication of the client's MAC address succeeds |
| passphrase (string) | Override the default passphrase with given value. No default value. |
| radius-accounting (no\|yes) | Override the default RADIUS accounting policy with given value. No default value. |

Access rule examples

Only accept connections to guest network from nearby devices during business hours

```ros
/interface/wifiwave2/access-list/print detail
Flags: X - disabled
 0   signal-range=-60..0 allow-signal-out-of-range=5m ssid-regexp="MikroTik Guest" time=7h-19h,mon,tue,wed,thu,fri action=accept

 1   ssid-regexp="MikroTik Guest" action=reject
```

Reject connections from locally-administered ('anonymous'/'randomized') MAC addresses

```ros
/interface/wifiwave2/access-list/print detail
Flags: X - disabled
 0   mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00 action=reject
```
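Because a rejected client may start avoiding the AP, it helps to check offline which rule a given client would hit before deploying a rule set. The Python model below is an added example, not RouterOS or MikroTik code: it places the two example rule sets above in one list (a constructed ordering), models only mac-address, mac-address-mask, signal-range and ssid-regexp, and assumes evaluation inside the guest rule's time window, a regex that may match anywhere in the SSID, and no access-list action when nothing matches.

```python
import re

def mac_to_int(mac):
    """Convert 'AA:BB:CC:DD:EE:FF' to a 48-bit integer."""
    return int(mac.replace(":", ""), 16)

def rule_matches(rule, conn):
    """True if every filter parameter present in the rule matches the connection."""
    if "mac-address" in rule:
        # The default mask compares all 48 bits, i.e. an exact match.
        mask = mac_to_int(rule.get("mac-address-mask", "FF:FF:FF:FF:FF:FF"))
        if (mac_to_int(conn["mac"]) & mask) != mac_to_int(rule["mac-address"]):
            return False
    low, high = rule.get("signal-range", (-120, 120))
    if not low <= conn["signal"] <= high:
        return False
    # Assumption: the regex may match anywhere in the SSID (re.search).
    if "ssid-regexp" in rule and not re.search(rule["ssid-regexp"], conn["ssid"]):
        return False
    return True

def evaluate(rules, conn):
    """Return (rule index, action) of the first matching rule, or (None, None)."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, conn):
            return index, rule["action"]
    return None, None

# The two example rule sets from this page, combined in a constructed order.
RULES = [
    {"mac-address": "02:00:00:00:00:00",
     "mac-address-mask": "02:00:00:00:00:00", "action": "reject"},
    {"signal-range": (-60, 0), "ssid-regexp": "MikroTik Guest", "action": "accept"},
    {"ssid-regexp": "MikroTik Guest", "action": "reject"},
]

# Constructed sample connections (MAC addresses and the second SSID are made up).
CLIENTS = [
    {"mac": "3C:22:FB:10:20:30", "ssid": "MikroTik Guest", "signal": -50},
    {"mac": "DA:A1:19:00:00:01", "ssid": "MikroTik Guest", "signal": -50},
    {"mac": "3C:22:FB:10:20:30", "ssid": "MikroTik Guest", "signal": -75},
    {"mac": "3C:22:FB:10:20:30", "ssid": "MikroTik Corp", "signal": -50},
]

if __name__ == "__main__":
    for client in CLIENTS:
        print(client["mac"], client["ssid"], client["signal"], "->", evaluate(RULES, client))
```

The second client is close enough to pass the guest accept rule, but its locally-administered MAC address hits rule 0 first, so rule order decides the outcome.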


Frequency scan

Information about RF conditions on available channels can be obtained by running the frequency-scan command.

...