Monday, August 24, 2015

Time Based ACL for Cisco Wireless AP Access

Recently I was tasked with setting up two Cisco 1142 APs in autonomous mode with restrictions on access between the hours of 6AM and 11PM.  At any time outside that range, the wireless SSIDs would still be on and broadcasting, but no traffic would be allowed out.

After doing some research I have gotten it working, and here's how to pull this off.  Pretty simple really.  Before you do this, make sure the time on the APs is set correctly: a time-based ACL is only as good as the clock it is evaluated against.  The two APs I configured in this example are set up to use NTP against pool.ntp.org, and I verified the time is set correctly.

1.  Create a time range (the weekdays keyword covers Monday through Friday only, so with this definition the range is inactive all weekend):
     time-range BusinessHours
     periodic weekdays 6:00 to 23:00

2.  Create an ACL that permits traffic only while the time range is active (outside the range the entry does not match, and the implicit deny at the end of the ACL drops everything):
     ip access-list extended 101
     permit ip any any time-range BusinessHours

3.  Apply the ACL to the appropriate interface (Dot11Radio0.1 here; .1 is the only VLAN configured on radio 0 of these APs)
     interface Dot11Radio0.1
     ip access-group 101 out
     end

4.  Check the work
     show time-range BusinessHours
     show access-list 101 (the entry is tagged (active) or (inactive); this is how you see which way the time range has toggled)
     show running-config (verify the ACL is applied to the correct interface)
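Because the whole scheme depends on the AP clock, a quick way to sanity-check step 4 is to compute what state the time range should be in right now and compare that with the (active)/(inactive) tag the AP prints.  The Python below is an added example, not code from this post or from Cisco: it parses a periodic line (it also handles daily, weekend and named-day lists, not just weekdays), decides whether a given clock reading falls inside the range, and checks that against a constructed sample of show access-list output.  Treating the end minute as exclusive (6:00 to 23:00 covering 06:00:00 through 22:59:59) is an assumption of the example; confirm the exact boundary on the device.

```python
"""Added example, not code from the original post: evaluate a Cisco IOS
`periodic` time-range definition for a given clock reading and compare the
result with the (active)/(inactive) tag that `show access-list` prints, so an
AP whose clock is wrong is noticed before the schedule is trusted.
The `show` output below is a constructed sample, not captured from a device."""
import re
from datetime import datetime, time

# IOS day keywords mapped to datetime.weekday() values (Monday=0 ... Sunday=6).
DAY_SETS = {
    "daily": set(range(7)),
    "weekdays": set(range(5)),
    "weekend": {5, 6},
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
}

PERIODIC_RE = re.compile(
    r"^\s*periodic\s+(?P<days>.+?)\s+(?P<start>\d{1,2}:\d{2})\s+to\s+(?P<end>\d{1,2}:\d{2})\s*$",
    re.IGNORECASE,
)
# `show access-list` tags each time-range entry with its current state.
ACL_STATE_RE = re.compile(r"time-range\s+(\S+)\s+\((active|inactive)\)")


def _hhmm(text):
    """'6:00' -> datetime.time(6, 0); IOS accepts single-digit hours."""
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_periodic(line):
    """Parse one `periodic <days> HH:MM to HH:MM` line into
    (weekday set, start, end). Only same-day ranges are handled here;
    ranges such as 'Friday 18:00 to Monday 8:00' are rejected."""
    m = PERIODIC_RE.match(line)
    if not m:
        raise ValueError(f"not a same-day periodic entry: {line!r}")
    days = set()
    for word in m.group("days").lower().split():
        if word not in DAY_SETS:
            raise ValueError(f"unknown day keyword: {word!r}")
        days |= DAY_SETS[word]
    start, end = _hhmm(m.group("start")), _hhmm(m.group("end"))
    if end <= start:
        raise ValueError(f"end must be after start: {line!r}")
    return days, start, end


def range_active(entries, when):
    """True if `when` falls inside any parsed entry. Assumption for this
    example: the end minute is exclusive, so 6:00 to 23:00 covers
    06:00:00 through 22:59:59; confirm the boundary on the device itself."""
    t = when.time()
    return any(when.weekday() in days and start <= t < end
               for days, start, end in entries)


def shown_states(show_output):
    """Map time-range name -> 'active' / 'inactive' from `show access-list`."""
    return dict(ACL_STATE_RE.findall(show_output))


def audit(time_range_lines, show_output, name, when):
    """Compare what the schedule says the state should be at `when` (the
    operator's trusted clock) with what the AP reports. A mismatch usually
    means the AP clock or time zone is wrong, which is exactly the failure
    the post warns about before applying the ACL."""
    entries = [parse_periodic(line) for line in time_range_lines]
    expected = "active" if range_active(entries, when) else "inactive"
    shown = shown_states(show_output).get(name)
    return {"expected": expected, "shown": shown, "consistent": shown == expected}


# Constructed sample data for this example (not captured from a real AP).
BUSINESS_HOURS = ["periodic weekdays 6:00 to 23:00"]
SHOW_ACL_SAMPLE = """Extended IP access list 101
    10 permit ip any any time-range BusinessHours (active)
"""

if __name__ == "__main__":
    # Wednesday noon: schedule says active, AP says active -> consistent.
    print(audit(BUSINESS_HOURS, SHOW_ACL_SAMPLE, "BusinessHours",
                datetime(2015, 8, 26, 12, 0)))
    # Wednesday 23:30: schedule says inactive but the AP still says active,
    # so the AP clock deserves a look.
    print(audit(BUSINESS_HOURS, SHOW_ACL_SAMPLE, "BusinessHours",
                datetime(2015, 8, 26, 23, 30)))
```

Feed audit() the periodic lines from your running-config and the real show access-list output, with the time taken from a host you trust; a result with consistent set to False is the signal to go back and check the AP's clock and NTP status before relying on the schedule.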

One thing to make sure of is that you do not apply this config to the Ethernet interface on the AP, because then you will lose internal communication from the LAN as well.  By applying it to the Radio interface this only affects traffic crossing the wireless radio (with the out direction, that is the frames the AP sends out the radio to its wireless clients), so the wired side is untouched.

Hope this helps with security on your network, OR if you happen to use these at home and have teenagers who don't want to obey bedtime on school nights.  Works for both.

Good luck.
